“On the Internet, nobody knows you’re a dog.”
Written in The New Yorker in 1993, this famous quip hints at how online life once held the promise of allowing people to exist anonymously—in total control of what information they share and how they might be perceived.
After 30 years, the reality of living in a digital world looks a lot different. Instead of making our lives increasingly anonymous, the internet has fed our personal information into an ever-growing open book. As we live more online than ever, our personally identifiable information (PII) is instantly accessible to third parties, tied into each click, like and swipe or passively aggregated by devices that track our every movement.
Even as individuals are becoming more aware of this general trend (and lowering their privacy expectations), privacy erosion is accelerating. In less than a decade, biometric data has gone from a marketing edge case to a powerful targeting resource. Thanks to AI and wearable tech developments, companies like Meta may soon read people’s emotions in real time.
With privacy and security often an afterthought, the backlog of data collected by marketers, data brokers, political researchers and public institutions has been steadily finding its way into the public domain. Whether leaked by data breaches or scraped, repackaged and sold by third-party companies, personal information is detailed and available to anyone, for any reason, requiring almost no effort to obtain. Between 2019 and 2021 alone, the amount of PII exposed online increased by over 150%, driven by an increasingly online remote workforce.
For individuals, businesses and our society, the results of snowballing personal information exposure are getting harder to ignore. Losses from online fraud are growing at record levels. As trust in institutions declines, the rapid dissolution of privacy is changing how we relate to organizations, governments and even each other.
Privacy’s decline is driving real business risks, too. Weaponized by threat actors, exposed PII like email addresses combined with job titles or phone numbers can lead to multimillion-dollar ransomware attacks or business compromise scams. For individuals who are sometimes only a tweet away from having their careers destroyed, PII can become a lever for blackmail and a drain on human resources for their employers.
Three Ways Privacy Risk Hurts Businesses
Rather than a single point of risk, like falling foul of laws such as the GDPR or the CPRA, the business risk posed by privacy is more diverse and constantly changing. When privacy is absent, threats keep popping up, often in areas far from where information was exposed.
Cutting off the root cause of privacy risk starts with having a framework for understanding the damages it causes. After more than a decade of helping corporations reduce their information exposure, we see three places where privacy hurts businesses the most:
1. Corporate Cybersecurity
As long as people use computers, cybersecurity will be as much of a human as a technological problem. IBM has found that 95% of breaches involve human error. As more employee PII is exposed, the “human firewall” protecting your organization is getting weaker.
Pretending to be your employees, clients and even your boss, threat actors use spear phishing to turn PII into a weapon. As demonstrated by leaked chat logs from the Conti ransomware gang, cybercriminals see data like names and job titles as important ingredients for powerful social engineering scams.
Unlike comically easy-to-spot phishing attempts that barrage our inboxes daily, these attacks are far more nefarious and almost impossible to train someone to avoid. In truth, no organization is truly safe from this kind of threat, even well-defended critical infrastructure.
2. Corporate Reputational Risk
In a world where nothing digital ever goes away, privacy can create a risk of compounding reputational damage.
Minor lapses in privacy by employees can silently amplify, coming back to haunt companies during sensitive times like an IPO or merger event. A stream of exposed detail about Uber employees’ private lives and the negative media attention that followed cut an estimated 30% from the ride-hailing company’s IPO value.
Lack of privacy hurts businesses by taking away their control over information exposure. When Amazon faced criticism about its treatment of employees during the pandemic, leaked meeting notes hurt its public image even more.
In these kinds of scenarios, deficient privacy gives a company’s detractors control of the narrative, erasing years of PR effort in a moment.
3. Individual Risk
Privacy also poses a risk to employees. Losing control of how and where your PII is shared can be dangerous for the millions of people who work in public-facing roles.
When someone is “doxed” (i.e., their personal information is leaked online), the risk of threats ranging from harassment to stalking and even physical violence becomes very real. A study conducted in 2022 reported that 36% of doxing victims received physical threats after being doxed.
For employers, the stress doxing puts upon employees can cause immense operational damage. The cost of replacing an employee who quits can be over 50% of their salary. Overall, lost productivity from online harassment, including doxing, costs U.S. businesses over $3 billion each year.
To Protect Privacy, Take A Broad View
Privacy was never just a personal issue. For as long as people have been doing business, a lack of privacy has created some level of business risk. What’s changed in the last couple of decades is that, as digital technology transformed our world, the amount of information available online has exploded, and the tools to help exploit it have become mainstream, shrinking the feedback loop between information exposure and risk.
Today, the classical conception of privacy (i.e., the right to complete control over how your personal information is collected and used) is, by default, absent. Restoring it and mitigating business privacy risks means taking proactive steps to control where information like employee PII ends up.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.