Do not track

By Kevin Manne

What you’ll find are hundreds of results, likely with your address, the size of your property, value of your home and more.

This sensitive personal data is all public record — legally shared and nearly impossible to scrub from the web, according to Kevin Cleary, clinical assistant professor of management science and systems.

“The average person has lost complete control over where this information comes from and how it flows,” he says. “I’ve written to my congressman, even going so far as to look up all his personal information online and include that in my message — intentionally being provocative about it — and all I got back was a form letter. I don’t think he even understood the problem.”

Cleary says the issue stems from government transparency laws that were written in a different time with a different mindset.

“The ecosystem where our data exists is really violated,” he says. “It’s so complex that blanket laws aren’t going to do a whole lot to move the needle.”

As we navigate the internet — and our daily lives — we increasingly leave a trail of information in our wake. We’re generating so much data that scientists have had to create new units of measurement just to keep pace. Last fall, the 27th General Conference on Weights and Measures added four new prefixes to the metric system — the first such expansion since 1991. (One of them is the “quetta” — a 1 with a mind-boggling 30 zeros after it.)

For individuals, data privacy has implications for our security, finances, health care and more.

For organizations, the proper collection, storage, management and sharing of data is critical for compliance with regulations and building customer trust.

But along with the privacy challenges that come with big data, the growing world of information provides opportunities for businesses and value for customers, too.

Businesses and organizations grapple with two main data privacy issues, according to Cleary: What ethical decisions should they be making with the data they collect, and what does the law say they need to do to protect that data?

These are the things that Clair Bauman, BS ’98, MBA ’00, thinks about every day as director of the Financial Services Regulatory Office at Kyndryl, the world’s largest IT infrastructure provider.

The company, which began as a spinoff of IBM’s infrastructure services business, is now a separate company with annual revenue of more than $18 billion.

“One breach, one incident and the reputational harm could be enormous,” she says. “Cyberattacks on corporations are the new normal and are extremely costly, not just financially but also because of the impact they have on people’s lives. Cybercriminals will always focus on high-value targets and low-hanging fruit.”

She says hackers are most likely to attack IT systems that are easy to exploit because they have vulnerable systems connected to the internet, a lack of multifactor authentication or other basic security issues.

“With the threat and frequency of cybercrime rising and the ever-increasing cost of data breaches, cybersecurity is increasingly important, especially in the context of moving services to the cloud,” she says. “Thankfully there are many great frameworks and methodologies to help ensure good digital hygiene, as well as some great companies like ours that can do that heavy lifting for you.”

Ananth Iyer, professor and dean of the School of Management, says data security is critical for businesses because it’s the foundation of trust.

“As an organization, if you assure customers that you have the processes in place to protect their data but fail to do so, you should expect to get into a lot of trouble because you didn’t meet their expectations,” he says. “That’s why the data privacy question becomes paramount, because as more data is collected, there is a built-in expectation: How do your processes ensure those expectations are met?”

Even as governments pass laws like the California Consumer Privacy Act or the European Union’s General Data Protection Regulation, consumers continue to bear a large burden to protect their information, according to Joana Gaia, clinical assistant professor of management science and systems.

“The California law gives you the right to tell any business, ‘I don’t want you to keep my information,’ but the onus is on you to ask what information they have and to request they delete it,” says Gaia. “And then a year later they can start collecting it again and you have to restart the whole process.”

But why are people willing to give up so much personal information in the first place? Gaia says there are a number of factors in play, from convenience to a lack of understanding.

“It’s a huge burden to think about our own data and what we can do to protect ourselves,” she says. “Whether I use my Starbucks app to pay for my coffee or I use my Fitbit to track my walk, the information is out there and I don’t own it anymore.

“It’s also a lot easier to put something on Facebook than it is to call 100 people and give them a family update. We tend to ignore the negatives and focus on the connections we’re making, all while the companies make money selling our information.”

Gaia says that while your personal information may be valuable to a hacker who might want to steal your credit card, the real value for organizations is in aggregated data — and that’s where issues can arise.

“The problem comes when the aggregation of data can be used for financial gain in unethical ways,” she says. “We saw some of that following the overturning of Roe v. Wade and the passing of laws in states about gender-affirming health care. Now there are basically bounty hunters out there finding information about people and selling it for their own personal gain, with no regard for the consequences.”

Kevin Cleary says aggregation is a trap that organizations can easily fall into when they start using data for a purpose different than the original stated intent.

“It’s a slippery slope,” he says. Far too often, organizations will ask ‘How can I mine my data for this new purpose?’ rather than ‘Should I mine my data for this new purpose?’”

And that’s where regulations come in, but so far federal laws have been an ineffective patchwork, according to Cleary.

“There are now nearly 200 pieces of legislation across 35 states, yet somehow we’re not much better off now than we were 10 years ago when it comes to legislating privacy requirements for personal data,” he says. “In many ways, the regulatory landscape is far more complex without the tangible results we would expect and have demanded.”

From his home in Buffalo, Jeremy Walczak, BS ’99, leads data security efforts for GenesisCare, a global cancer radiation oncology organization.

As chief information security officer, Walczak safeguards patient information at nearly 400 GenesisCare locations around the world. And while he agrees that privacy is a must for building trust in his company, he says there are additional concerns that elevate the significance of data security in the health care industry.

“The moment your information is compromised, you’re less likely to do business with that organization. But if you’re going through a health event, the last thing you want to deal with is a privacy breach that’s going to distract you from your treatment regimen,” he says.

Along with the challenges of securing patient data, Walczak says all that information holds vast opportunities, too.

“The value arises when you can synthesize all this data and look for repeatable outcomes,” he says. “If you have a disease you can cure by doing X, Y and Z, the more examples you can find of that happening will help lead to greater patient outcomes. And you can only do that by combing through large amounts of data.”

From customized music and TV recommendations, to simulated rocket flights, there’s potential for the secure use of data across industries and throughout all aspects of our lives.

Logistics companies can benefit from anonymized big data, too. Dean Iyer collaborated on a study that analyzed ways shipping companies can optimize routes by sharing pick-up and delivery tasks without revealing any information.

“It’s illegal for competitors to share details, because that’d be collusion,” says Iyer. “But our algorithm would allow shipping companies to swap loads on overlapping routes, thus saving time, money and gas and lowering their carbon footprint, all while keeping customer data anonymous. It sounds like magic, but that’s the benefit of cryptography.”

As the School of Management prepares the next generation of leaders, Iyer has big plans for big data in the classroom, from marketing to management information systems.

“Cybersecurity is something that we need to expose our students to so they have an understanding of what it means to protect data,” says Iyer. “We will also teach students to think about fair data sharing — there will be a big opportunity once they’re out in the working world to educate consumers so their willingness to share is respected and trust is built.”

Today, he says students have access to huge data sets that can bring their schoolwork to life.

“Through COVID, each time there were shutdowns or new rules implemented, students were able to use data sets to see the impact by state or municipality,” says Iyer. “That’s the kind of data that makes an impact in the classroom — because you can write a bunch of formulas on a board, but when students see it manifest and what actually happens, it’s a completely different ballgame.”

In the years ahead, Iyer envisions a learning environment where students can access digital replicas of companies and their products in virtual reality, or immerse themselves in data with special glasses.

“Historically, when you think about data you think about spreadsheets,” he says. “But with special glasses you can be put in front of a wall where you can click on a data point and then walk through and analyze everything. Or in virtual reality, you can analyze high fidelity ‘digital twins’ of, say, a jet engine to figure out where a repair should be. Those are the kinds of things that make learning incredibly exciting.”