Bloomberg News Breach

My fascination with the information available on Bloomberg began in January 1999, the first time I had ever seen a Bloomberg terminal (also my first day on a trading floor). I remember someone running over to tell us the Brazilian real was depreciating and typing something on the computer keyboard (BRL <Crncy> GIP, I later learned). And I remember being captivated as I watched the axes of the intraday graph recalibrate in real-time as the currency went into freefall.

Thus began my interest in the role the media plays in shaping financial market perception. In the interest of full disclosure, I have an unpublished working paper, “What the Market Watched: Bloomberg News Stories and Bank Returns as the Financial Crisis Unfolded,” that considers whether it was possible to glean information about market participants’ perceptions using Bloomberg’s readership statistics. So I was naturally drawn to recent stories (e.g., like this Washington Post article) on the access Bloomberg reporters had to information on subscribers’ activity and how that information was used.

Firms using customers’ information to benefit/enhance/promote their business is nothing new; on the contrary it is something we regularly agree to whenever we check that “I have read and agree to the Terms and Conditions” box on virtually everything we sign up for. The concept of targeted marketing is based on this practice. Sure there are differences between activity monitored via computer algorithm versus via actual person. But the fact is (and I am hardly the first to point it out) that we have become rather lax about our privacy…in a wide variety of contexts. Yet whenever a story hits about a firm using information they collect for specific business purposes (see, for example, this CNN article on retailers’ use of price discrimination), some amount of outrage often ensues.

Concerns over a firms’ ability to track and use information about online activity arise with any browser or website. And while a browser enables identification of an organization’s use (via the IP address), any site requiring a login potentially enables identification of a specific user.

This is not just about ethics but about cybersecurity. While some work is being done to strengthen disclosures regarding what firms do with information they collect and how it might be shared outside the firm, there is comparatively little effort spent on who inside a firm has access, how the information is stored, and what the shelf-life of such information might be. And the more these incidents are viewed as isolated to a specific “rogue” individual or groups of individuals at the organization, rather than a systemic reflection of the strength of a firm’s information security protocols, the greater the operational risk.

Outrage is a natural reaction to some of the more egregious uses of information. But until we become more proactive rather than reactive about safeguarding information, the risk that such information will be used inappropriately remains.