Wednesday, April 24, 2013

Under-Punishment Isn't Much of a Deterrent to Bad Behavior

In a perfect world, we would all do the right thing because it was the right thing to do, not because we were afraid of getting caught doing the wrong thing.

Last time I checked, we weren't living in a perfect world.

So if I pass you on the highway doing speeds only slightly in excess of posted limits -- because I'm afraid of the cost of a ticket and the inevitable effect said ticket will have on my insurance rates -- I expect you won't complain that I should be driving at posted limits because they're, well, the posted limits.

But what if the ticket would cost me, say, less than a dollar? And it would be emailed to me, rather than costing me time while the officer writes me up? And my insurance company would say, Eh, don't worry about it?

What are the chances that I would still be driving at anything even remotely resembling the posted limits?

Exactly: Slim to none.

We talk about "the punishment should fit the crime", and by that, we usually mean that you shouldn't over-punish: we wouldn't send someone away to a supermax for 10 years for driving 35 in a 25 m.p.h. zone.

But it's just as important that we not under-punish.

What got me thinking about under-punishment? Claire Cain Miller's article in yesterday's New York Times, reporting on Germany's imposition of "the largest fine ever assessed by European regulators" on Google, for privacy violations relating to personal information collected in the course of its Street View mapping.

How big was the fine? $189,225. As Miller noted drily, "that's how much Google made every two minutes last year, or roughly 0.002 percent of its $10.7 billion in net profit."

How much of a deterrent do you think that is?

The fine was actually close to the legal maximum that could be imposed. Johannes Caspar, the German data protection supervisor who led the Street View investigation, said, "As long as violations of data protection law are penalized with such insignificant sums, the ability of existing laws to protect personal privacy in the digital world, with its high potential to abuse, is barely possible."

Google has paid far larger fines in recent years: $22.5 million to the Federal Trade Commission for a privacy violation related to its Safari browser ("the largest civil penalty [the FTC] had ever levied, though Google did not admit any wrongdoing."); $7 million to settle a lawsuit brought by 38 states; 100,000 Euros to France for data illegally collected, and so on.

But, when your profit is measured in billions of dollars, even $22.5 million can seem like chump change, like the cost of doing business.

As Miller notes in her article, this is not a Silicon Valley problem alone. Many have questioned the effect of large fines on the largest banks: "Even when Goldman Sachs paid a record $550 million fine to the [Securities and Exchange Commission] in 2010, it amounted to less than 10 percent of the bank's profit that year."

Some have argued that companies shouldn't be fined too severely, as a too-big fine "hurts shareholders if the stock price suffers, and consumers if the company has to raise prices to pay the fine."

But is that true? There is research to suggest that the opposite is the case. John Nugent, a professor at Texas Women's University, said that "even large fines had little long-term effect on companies' stock prices," and that, in fact,

Management will often choose to take actions they may know are improper because they realize the long-term consequences will not affect them.

It is true that the public-relations effect of a major fine can be significant, but it too is likely to be short-lived.

What's needed? Real teeth, that take a real bite.


No comments:

Post a Comment