Posted by Paul Paetz on Thu, Jun 10, 2010
Darryl Green is Chief Governance Officer (Co-Founder) and Executive Director at Ethoca
Beyond legal compliance: what it takes to be worthy of trust
I can’t stand privacy law.
Not for the reasons you might think are obvious for someone in my position (i.e. we can’t do what we want with impunity). I dislike it for what it represents and what it could, and in some cases appears to, be evolving into.
The fact is, I’m very much against doing what we want with impunity. At Ethoca, we are experts at fraud detection involving card-not-present transactions. We ask our partners, members and, ultimately, consumers to trust us with something very valuable (their credit card transaction data). We have a responsibility to earn that trust every single day. The concept of respecting and securing that data has to, and does, permeate every decision we make and every action we perform. The gravity of that trust lives in every employee of Ethoca and is deeply ingrained in the culture of our organization. Replacing these obligations with a regulatory compliance regime is both inefficient and distorting.
Taking responsibility
First, some brief background so you know my personal bias: I’ve studied law and worked briefly as a lawyer before finding the joy of entrepreneurship. I have, over the years, come to the conclusion that nearly all law can be summarized as, “Don’t be a dick.”
Of course, you need a little more granularity than that. If I ever ran for public office on a platform of legal simplification, I would suggest that there be laws against dickness in the first, second and third degree, and against unintentional dickness for those who have not thought about the consequences of their actions. Any more granular than that and you start to run into problems. (I may be exaggerating to make a point, but stay with me.)
Trying to create a regulatory regime to deal with an issue replaces, “I shouldn’t be a dick” with, “do I comply with regulations.” And since it’s impossible to draft regulations that contemplate all current contingencies, let alone contingencies arising from future innovation, it leaves individuals and corporations the ability to be dicks as long as they are regulatory compliant.
In fact, they may not even think about the consequences of their actions anymore, assuming either that the regulators will have contemplated the outcomes, or that the outcomes don’t matter so long as they follow the rules. This is particularly problematic where those who work in the regulated industry are more informed and less conflicted than those drafting the regulation. There are examples of that all over the recent financial crisis, but that is not the subject of this discussion.
Now, back to Ethoca and privacy regulation:
In our first drafts of how we would develop the Ethoca architecture and operate the Ethoca service, we did not call legal counsel. We knew that caring for the data we were being entrusted with meant that we would have to respect it, secure it, and provide access to it in a way that wouldn’t allow it to be abused. We knew that we would have to watch over the data to ensure its quality. We knew that we would need a mechanism for members and consumers to dispute the data in the event of a misunderstanding.
We found codes of practice that helped us to define what that meant, specifically, the AICPA Privacy Framework, now called the AICPA Generally Accepted Privacy Principles. We engaged top-tier consultants to help us develop and implement the practices befitting the responsibility we expected to take on. In short, we took our responsibility extremely seriously. This was in part driven by our internal ethics, but was also required by anyone we wanted to add as members. We held ourselves accountable, and those we were doing business with were holding us accountable. Ah, if only the world could work this way in all contexts.
Enter the lawyers
The time came to get the regulatory analyses for the jurisdictions in which we contemplated doing business. These included, most significantly, the US, the UK, Ireland and Canada. This cost us hundreds of thousands of dollars in legal fees. (I wish I were exaggerating here to make a point.) I’m happy to say that it didn’t result in our having to change much of anything in relation to our operation. The work we had done just trying to be responsible took us well beyond what was required simply from a regulatory compliance standpoint. In a follow-up blog post I will summarize our findings from each jurisdiction, and a more detailed discussion is available from us for anyone contemplating joining Ethoca’s Global Fraud Alliance.
In general though, if you know nothing more than this about privacy law, as it relates to private enterprise, you are 90 percent of the way there: People have to be given the opportunity to agree to and know how their data is being used, they have to have the ability to inquire about and correct any mistakes in the data, and those holding the data have to safeguard the data with due care.
The final word
I’ve been a little glib here. Unfortunately, regulation is required where there is an imbalance of power as there is with respect to data. Consumers tend not to band together in a cohesive group, and the ability to abuse data that a company has been entrusted with would tempt some to make use of it for purely self-serving ends. However, the regulation should be minimal to meet the objectives highlighted above. In some jurisdictions I’m starting to see regulation that seems more like empire-building-through-bureaucracy than a regime meant to serve the needs of individuals. Clearly, any regulation that would make it unworkable or uneconomical to help consumers and merchants avoid being victimized by fraud would have slipped over that line.
Darryl Green is one of the co-founders of Ethoca. He has degrees in Law and Engineering and a Masters in Business Administration from the University of Western Ontario/Ivey School of Business. He started in the internet industry in 1999 with Tucows Inc., where he participated primarily in Business and Corporate Development activities. He worked there until co-founding Ethoca in 2005. Darryl is responsible for financial and regulatory compliance for Ethoca and, as with all the founders, is active in Ethoca’s Business Development. He tends to prefer free market solutions over government regulation and is a big fan of transparency and candor.
Posted by Andre Edelbrock on Tue, Jun 08, 2010

The U.S. Federal Trade Commission estimates that six times as much revenue is lost to "fear of fraud" as to actual fraud
How making online shopping safer means a more profitable online environment for all
Beyond the total cost of fraud you may face today, there is an even bigger challenge: many potential customers are afraid to buy online. They don’t think it’s safe.
In fact, six times as much revenue is lost each year to fear of fraud as to actual fraud, according to the U.S. Federal Trade Commission.
That number is consistent with surveys and research by other organizations as well. VeriSign says half of Internet users avoid buying online, for fear of their financial information being stolen. And of those who have been victims of fraud:
- 12% don’t shop online any longer
- 25% shop less frequently
- 19% spend less when they do shop online
And according to figures from a CyberSource 2009 survey:
- 71% of consumers are concerned with the level of risk when shopping over the web, an increase of 5% over 2008
- 24% of consumers (the largest grouping of answers) say it is merchants’ responsibility to make online shopping safe
Making online shopping safer -- It's within your control
Trust seals can and do increase the perception of safe shopping for many. They can, however, only go so far. With constant media attention paid to massive data security breaches such as those perpetrated against Heartland Payment Systems, TJ Maxx, Hannaford Supermarkets and many others, not to mention the myriad tales of unscrubbed and unprotected data on used hard drives, and archival tapes full of social security numbers and other personally identifiable information falling off the back of trucks, consumers are rightly fearful that no matter what they or merchants do to protect their data, there are weak links in the security chain that put them at risk.
In fact, there are three elements to making Internet shopping not only as safe as it can be, but truly the safest form of shopping. First, merchants need to implement proper security precautions, especially PCI compliance. Second, compliance needs to be regulated and certified (and advertised by the accompanying trust marks). Finally, merchants need to ensure that, in the event security is breached, minimal harm comes to the consumer. The best way to do that is through collaboration with other merchants, as well as card issuers, fraud vendors, payment service providers - in fact, all the stakeholders in ecommerce.
The Global Fraud Alliance is that third and critical piece in making internet shopping safer. It provides a shield against misuse of breached and compromised data, by enabling merchants to gain insight into each other's payment experiences in real time, without compromising the privacy or security of their data.
Ethoca has recently made a very important contribution to safe shopping by making Ethoca360 Negative Signals freely available to any merchant that signs up for service during the introductory period. And not just free to sign up, but free forever. Merchants need only apply and start actively using the service during the introductory period to ensure this lifetime benefit. This service is also being made available through partners such as 41st Parameter's FraudNet technology, GB Group's URU identity service, and the IMRG ISIS (Internet Shopping Is Safe) program. This network is rapidly growing to include other payment service providers and fraud merchants, and in the very near future will include many others in the U.S., Canada, U.K., and throughout Europe.
A safer online environment means a more profitable online environment
The more merchants collaborating against fraud, the safer the Internet will be, and the more customers will shop online.
Doing your part is simple, and most importantly, it will start saving you money right away, no matter what fraud tools or services you already use. That's because Ethoca360 Negative Signals is designed to be an additive service, compatible with all third-party offerings. This is simply smart business for members of the Global Fraud Alliance. Increasing consumers' willingness to shop online means more business for everyone.
We invite you to join.
