
It has become clear that a data breach of personal information protected by a statute or other legal framework, or “regulated data,” can have significant consequences if the proper safeguards are not put in place. However, with cybersecurity threats constantly evolving, it is important to remember that the courts and the legislature cannot always keep up well enough to fully address the threat. Consequently, a substantial amount of data may not be subject to notification requirements at all, and a breach of this “unregulated data” can cause as much damage as a breach of “regulated data.”

The October 29, 2015 Wall Street Journal Risk & Compliance Journal article, “Hacking of ‘Unregulated Data’ Poses Big Risk to Firms,” addresses the often overlooked risk of “unregulated data” breaches. Many of the largest breaches involved data not directly subject to any notification law. One example was the Sony Pictures breach, in which movie scripts and e-mails containing scandalous gossip were compromised. Another, according to the article, was the Anthem breach, which resulted from China’s attempts to learn how U.S. companies set up health insurance coverage. Storage and breach notification requirements did not expressly apply to this unregulated data.

While the laws governing data breaches have developed at a rapid pace, they may not be able to evolve fast enough to cover all sensitive data and information. One example of laws not keeping pace is “Data Brokers,” companies that collect consumers’ personal information from the Internet and sell it, amassing a significant amount of information that arguably is not subject to state and federal breach notification laws. The Federal Trade Commission’s (FTC) 2014 report, “Data Brokers: A Call For Transparency And Accountability,” notes that the information collected by Data Brokers may include “intimate details such as whether you own a dog, are a single parent, play the lottery, are a low-income African-American living in the city, or a rural homeowner with high cholesterol.” Data Brokers compile and sell this information so that online advertisers can target their marketing. Another example is the Ashley Madison breach, which exposed the sexual preferences of the site’s customers. It is not difficult to see how this kind of personal information, which may not be regulated by any state or federal notification law, could be used to cause harm if improperly disclosed.

While unregulated data may not be subject to state or federal notification requirements, it still poses a significant danger if not properly handled. In particular, allegations of improper storage of either regulated or unregulated data could give rise to claims of unfair trade practices. Indeed, the FTC provides the following warning to any entity storing regulated or unregulated data:

The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. In addition to the FTC Act, the agency also enforces other federal laws relating to consumers’ privacy and security.

Ultimately, the best advice may come from the lawyer quoted in the Risk & Compliance Journal article, who advises that “a company needs lawyers at the forefront of its data security strategies, because it is lawyers – judges, regulators or class-action attorneys – who will judge a company on its cybersecurity.” Consequently, the most prudent strategy is to apply the same safeguards to unregulated data that are already in place for regulated data. In the end, a common sense approach is the best strategy for protecting all sensitive data.