Discovering the ROI in Privacy Incident Management.

By Lauren Wallace, Chief Privacy Officer and General Counsel at RadarFirst.

Lauren Wallace is a tech and privacy attorney and business executive, with both in-house and large law firm experience, and specializations in technology transactions and global privacy law.

I was digging through the blog attic the other day and came across this chestnut from 2014. Some of the specific breaches that are discussed now seem quaint in comparison to what’s come since, and some of the promising privacy tech companies have crossed the rainbow bridge – but the fundamental promise of Privacy ROI is stronger than ever. Check in at the end of the post for some updates and where-are-they-now reports – VCs take note! 

Editor’s Note: This is the original version from 2014, with some links updated for currency.


Privacy Is So Money

For technology companies, privacy and security investment isn’t just about protecting against the downside anymore — new products and venture money mean it’s finally possible to deliver on the upside by developing privacy-enhancing technologies.

I attended a cyber security seminar last week, where a panel of distinguished security experts succeeded in scaring the bejeesus out of a group of business owners about the dangers of being underprepared for the inevitable breach headed their way.

No doubt, the costs of recovering from a breach can be staggering. 

Here’s how Home Depot described the realized and anticipated costs of dealing with its breach earlier this year:

“Cost(s) to investigate the data breach, provide credit monitoring services to customers, increase call center staffing, and pay legal and professional services…liabilities to payment card networks for reimbursements of payment card fraud and card re-issuance costs; liabilities related to the company’s private label credit card fraud and card re-issuance; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities.”

A company doesn’t even need to have a breach to suffer the harsh consequences of having an inadequate or inauthentic privacy policy. Safe to bet that the managers and investors in Whisper aren’t too pleased about Senator Rockefeller’s looming Congressional investigation; or that the people running TinyCo aren’t excited about the prospect of 20 years’ oversight by the FTC.

The $16.5 million fine that Positive Singles is staring down for revealing the “confidential” STD status of its subscribers will probably put a significant ding in its quarterly results. And do we really need to talk about the social capital costs of Uber’s latest revelations?

Certainly, companies can and should take steps to avoid the kind of negative ROI associated with breach, and should examine their internal policies and behaviors to avoid the embarrassment and brand damage that can accompany even non-breach privacy mishaps. 

Many traditional insurers are now offering comprehensive breach management as part of their cyber policies, which can protect against both the economic and reputational costs of a breach. And it’s never a bad time to make sure that your company’s customer-facing policy notices are compliant with California’s notice requirement, and that you are actually making good on the promises that notice contains.

But it’s more fun to talk about companies that are targeting positive ROI by embracing privacy as a core value, and by developing tools and products that put privacy control in the hands of mainstream consumers.

These are companies like Abine, whose Blur and DeleteMe* tools offer subscription-based programs for reclaiming your online identity; Wickr, Threema, and Sicher*, each offering different flavors of secure private messaging; Xpire* and Ello, private non-ad-supported social networks; SurfEasy and ZenMate’s private browsing solutions; private search from DuckDuckGo; and Avatron, whose upcoming Everydisk software is a private alternative to third-party cloud storage. [*see the table below for a where-are-they-now of the companies listed above.]

It remains to be seen how these companies will turn their virtuous goals into gold – but it’s a fair bet that the big venture money behind some of them (Mark Cuban, in the case of Xpire; T-Ventures with ZenMate; Atlas and General Catalyst behind Abine) is looking for more than social capital in return.

This month’s Pew report on perceptions of data privacy shows that consumers are well aware of the excess collection and disclosure of their private information, so the market should be ripe for easy-to-use tools that deliver control back to the data owners. 

While work continues at the FTC and elsewhere to drive legislative change that will force organizations to treat private data with transparency, care, and accountability, companies like these can move faster to deliver data control back to consumers and make some money at the same time.


Flash-forward to 2023, and I’m so excited to be working at a company that is delivering on Privacy ROI every day, along with some of the most forward-thinking and responsible customers in the world. For more about RadarFirst and achieving Privacy ROI in your organization, use our free ROI calculator.

Resources to learn more about Privacy ROI:

Cisco Study Finds 90% Of Professionals Consider Privacy A Business Imperative

Privacy ROI: Benefits from data privacy averaging 2.7 times the investment

2022 referenced companies update:

Out of the 10 companies:

3 were acquired (30%)

6 are going concerns (60%)

1 was shut down (10%)

[Image: referenced companies update table]
