By Eva Velasquez, Identity Theft Resource Center CEO and President
Do you? Currently and depending on who is speaking, there are varying and frequently opposing answers – even among experts – leaving consumers grasping for a better understanding of what it means for them. This is a significant problem that creates some serious issues that need to be addressed as an industry. Perhaps a discussion about the current definitions and categorizations doesn’t t go far enough in addressing these issues, but there has to be starting point. It’s a beginning but not the end.
According to the United States Justice Department , “The term “breach” is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to information, whether physical or electronic” and “includes both intrusions (from outside the organization) and misuse (from within the organization). [1]
Historically, the Identity Theft Resource Center has viewed data breaches and their categorization using this definition, always keeping a watchful eye on any data that can increase the risk of identity theft for the data creator (note: not the data owner, as that is different, and I’ll get to that in a moment). And those data sets are changing from the traditional name, date of birth, social security number, driver’s license, etc. that we’re used to seeing. With new technologies, come new access into consumers’ personal information – your first pet’s name, where you went to school, the street you live on, your hometown and more. And every keystroke and pen-swipe has intrinsic value to a would-be thief.
The Identity Theft Resource Center engages in the process of identifying and classifying the compromised data with the end goal of providing individuals with meaningful information on how they can remediate an immediate identity compromise issue, as well as minimization techniques to lower their risk in general when it comes to protecting their personal data. This task has become more and more challenging as data capture and use has evolved over the years and it may be time for an overhaul in the process, as well as in the national consciousness of how data is managed.
Many individuals make the mistake of believing that the data they create belongs to them since it’s about them. As consumers, it feels like it should be the case, but in practice it truly isn’t. In many situations, just by virtue of when, where and how the data about “you” is created, consumers acquiesce – knowingly or unknowingly – to transfer ownership of that data to a third party. Many make the mistake of believing that when they create and use social media platforms, they ARE the customer of that platform. Unequivocally: if you are not paying for the service (and in some cases even if you are), you are not the customer but the product. Or even more still, the data that you provided is the product. It’s the tradeoff for using a free service and generally consumers don’t think twice when agreeing to this as they check that terms and conditions box.
In the current technology- and app-driven world, we are connecting devices to the internet at an extraordinary rate. This activity is at the very core of the question above. As we connect more devices, we create more data points about ourselves
Because of this, there is now a much larger body of data available about each and every one of us in this age of information. Of course, with the growth of available information, the types of nefarious activities that are possible have grown as well. As these activities evolve, so must our understanding of them in an effort to minimize the damage they can cause. From the perspective of someone who engages in analyzing data breaches nearly every day, the recent Facebook/Cambridge Analytica incident is a perfect example of why industry needs a change in how we approach the categorization and understanding of data compromises. This event was a perfect example of the changing value of different types of personal information and why changes in our data breach categorization may be necessary.
This data is created, stored, shared and mined for a variety of purposes – sometimes with the permission of the creator or not. It all has one thing in common. It can (and very likely will at some point) be compromised. As consumers’ data creation becomes more complex and refined, so too does the ability for it to be compromised and misused.
Categorizing and defining these events has not kept pace with technological reality.
Wishy-washy categorization hasn’t helped the situation as many Facebook users are up in arms about the situation, and rightfully so. Their information was harvested beyond their granted permission and shared in ways that they had not been notified about, which even Facebook has stated violates its terms of service. So, in this time when even non-sensitive personal information holds an incredible value, how do we begin to create a framework which assesses the violation and improper use of data as well as acknowledging that there are far greater risks of identity theft from the loss of sensitive personal information? By the DOJ’s definition, this wasn’t a breach. So, what was it then?
One potential solution is through a better classification of information compromises. Reassessing how we classify data mismanagement could help create better responses which are more applicable to each type of data exposure. Furthermore, more specific classification could help determine what the level of responsibility is for the entity that had custody of the data in any particular situation. Looking again at the recent Facebook case, Facebook wasn’t hacked; its employees didn’t leave unsecured servers open or expose user data to a faceless stranger. Instead, a known client of Facebook’s misused data with which it was entrusted and exploited its access to user profiles. The users had no knowledge that the company had access to the additional information, although the terms and conditions say it’s a possibility. So, who’s at fault? Does the blame lie solely with the companies who used information they weren’t given permission to have (in this case third parties who brokered it) or does the company who scraped that data in the first place shoulder the bulk of the blame? And what is the responsibility of the social media platform that provided access? What responsibility do the data creators, the ones who granted the limited permissions have? This is an important classification that needs to be recognized as an industry as consumers move toward the ever greater availability of information about any given individual. There will continue to be a growing number of data aggregators and collectors who will then sell that information to other parties. Therefore, the structure on how to engage when things go wrong clearly needs to exist.
The bottom line here is that as the world continues to be driven by the sharing, collection and analysis of data, we must adapt to create frameworks which recognize this. If we fail to adapt, the risk of personal information being used nefariously without repercussion is great. Furthermore, without guidelines in place, the value of personal information will continue to go unrecognized.
As the recognized leader in data breaches and their repercussions, I’m challenging my colleagues to join me in creating that new dialogue. Let’s sit down and have that standard-setting conversation. That’s my invitation – I’m providing the table for us to gather ‘round and have the hard discussions on how do we create those new categories, what are the levels of responsibility and how to we better serve those that are impacted by these situations.
