What the Exactis Data Breach of 340 Million Records Tells Us About Privacy.

Part 1 of 2

Former Oracle CEO Larry Ellison once famously said, “Privacy is Dead.” However, privacy has been resurrected and killed more times than a Tyrannosaurus Rex in a Spielberg movie. A recent data breach involving more than 340 million records of U.S. citizens demonstrates why privacy is dead. Again. It’s dead because you never heard of the Exactis data breach. It’s dead because you have become inured to reports of massive breaches of personal data. It’s dead because there’s little if anything you can do about a breach. It’s dead because, as long as you get a new credit card number or a credit freeze or credit watch, you long ago stopped caring about the breach. It’s dead because merchants and credit card companies find it cheaper to not go after those using stolen credit card numbers, and because these investigations are too costly or too difficult to pursue. But it may come back.

Privacy is dead because we can’t agree on what we mean by “privacy” generally, and “private information” in particular. We can’t agree on who “owns” that information, and what rights individuals and entities have to collect, store, process or use that information. On the flip side, we don’t agree on what is “public” information. You saunter to the local shopping mall and buy a pair of faded denim jeans at the local Gap — in full view of dozens of other customers and security cameras. Private? Public? When you parked in the mall lot, with your vanity license plate (GO CAPS) prominently displayed on the back of your car — public? The window stickers which advertise your life membership in the NRA or Sierra Club — private information?

With this ambiguity in mind, we turn to the Exactis data breach, first reported by Andy Greenberg at Wired. I know your first question. What the hell is Exactis and why do they have 340 million records? I’ve never heard of Exactis. I’ve never given them my information.

Exactis claims to be a Florida-based market research firm with “triple validated” information about consumers. What do they know about me? Turns out, quite a bit. And really intimate information. But is this information “private?”

Moneyball for Consumers

The raison d’existence for market research companies like Exactis is to provide sellers with information about purchasers so that the seller can target the correct market. The more the seller knows about the purchaser, the more they can target. If you know the purchaser likes luxury brands — voila. You either market a luxury brand to them, or make your ordinary brand seem like a luxury brand by — well, raising the price. So a market research firm wants to know your name, your address, your contact information. They want to layer over that your income, your politics, your brand preferences. Add to that a soupçon of politics, race, class, religion, sexual orientation. Mix in age, education, interests, hobbies, health and activities. It’s moneyball for marketing. Combine liberally (or conservatively — see what I did there?) with friends, relatives, contacts, acquaintances. Maybe a bit of physical characteristics added to the mixture — height, weight, hair and eye color. Languages? Tastes? Travel?

In simple terms. Everything. A market research firm ideally wants to know everything about you. Because any of it may be useful or predictive of future purchasing activities. You like bananas, and you like them green before they ripen? Statistics say that people who like green bananas are 16.4 percent more likely to purchase taupe panty-hose in the Northeast on rainy Thursdays after 4PM when the Red Sox are in town. Moneyball for people.

Getting back to my question, though — is this information “private?” Is any of it private? Is all of it private? Is it “private” as aggregated? Is it private as analyzed? Is it private as attributed?

Magic 8 ball says — situation murky. Ask again later.

Once More Into the (Data) Breach

The nation’s first “data breach disclosure” law was passed in California and was introduced by state senator Peace as SB 1386 in 2003. You know, when Bruce Almighty hit the box office. The law responded to a data breach at the California public employees’ retirement fund (which included state senators) which was not disclosed to the retirees. As a result, the thieves and hackers had access to these employees’ accounts and account information for months without the retirees’ knowledge. If the retirees had known, they could have monitored their own accounts for fraud, changed their passwords, or taken some other remedial efforts to prevent harm.

The California law — which has since been amended and expanded — has what is actually an extraordinarily narrow definition of the kinds of “personal information” about which a breach disclosure must be made. And it is the template upon which almost all US state breach disclosure laws have been crafted. It defines “personal information” as:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

Now compare that definition against the data which may have been in the Exactis database. According to Wired, the database did not include any credit card information, and there’s no indication that it included either driver’s license data or social security numbers. So the bulk of the marketing information I described above — what you eat, where you live, what you buy, who your friends are, your sexual orientation, etc. — is not, at least under the data breach disclosure law, “personal information.” Even what is called “medical information” is ambiguous. Sure, the fact that you have been treated for AIDS, or the fact that you have diabetes, is medical information, and deserves protection, either under a data breach law or a law like HIPAA. But if you come to the movie theater in an arm brace or on crutches — is that fact “private?” Or if I see you at the CVS buying glucose test strips — do I now have a duty not to disclose that as personal information (assuming I don’t work for or with CVS)? What if you post questions on a message board about treatments for cervical cancer or mental illness? What if I see you at the library taking out books about treatment for depression? What about your Google searches for medical information? Is that “information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional?”

If a list of social security numbers is stolen? Not personal information. A list of credit card numbers? Nope — not without access codes, PINs or passwords — and names of cardholders. A few million bank account numbers with account balances and names and addresses of customers? Not technically a reportable breach under the California law (but I pity the fool who did not report that to their customers). A list of email addresses of people who were members of Adult Friend Finder or Ashley Madison? Not reportable unless it includes their passwords. Add to that their profiles, preferences and activity? Sorry — not “private” under the breach disclosure statute. Now recognize that data breach laws and data privacy laws may take different approaches to deciding what information is private and what is public, and other laws, like GLBA, the FTC Act, HIPAA, FCRA, and others may protect (or not protect) specific categories of information in specific contexts, but at best we have a Swiss cheese approach to privacy. Maybe that’s why Salesforce’s CEO recently called for the U.S. to adopt a comprehensive national privacy law rather than the crazy quilt of laws we have.
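As an added example (my own triage helper, not code from the article, Exactis or any statute reference), here is a check that encodes the quoted California definition so an incident responder can test which exposed fields would and would not make a stolen data set “personal information.” Field names and the scenarios are constructed; the encryption clause follows the quoted wording for prong (1) only.

```python
from dataclasses import dataclass, field

# Elements that count when paired with a name (quoted definition, prong (1)).
NAME_PAIRED = {"ssn", "drivers_license", "ca_id_card", "medical",
               "health_insurance", "alpr"}
FINANCIAL = {"account_number", "credit_card", "debit_card"}
FINANCIAL_ACCESS = {"security_code", "access_code", "password"}
NAME_FIELDS = {"first_name", "first_initial", "last_name"}
# Prong (2): online account credentials, no name required.
ONLINE_ID = {"username", "email"}
ONLINE_ACCESS = {"password", "security_qa"}


@dataclass
class Exposure:
    """Field names present in a stolen data set, plus those stored encrypted."""
    elements: set
    encrypted: set = field(default_factory=set)

    def in_clear(self, names):
        """Subset of `names` that is present and was not encrypted."""
        return {e for e in names if e in self.elements and e not in self.encrypted}


def is_personal_information(exp: Exposure) -> bool:
    """True if the exposed fields meet the quoted statutory definition."""
    # Prong (2): user name or email address plus password / security Q&A.
    if exp.elements & ONLINE_ID and exp.elements & ONLINE_ACCESS:
        return True
    # Prong (1) needs (first name or first initial) and last name ...
    if "last_name" not in exp.elements or not exp.elements & {"first_name", "first_initial"}:
        return False
    # ... plus at least one listed element; account and card numbers count
    # only together with a code or password that would permit account access.
    qualifying = exp.elements & NAME_PAIRED
    if exp.elements & FINANCIAL and exp.elements & FINANCIAL_ACCESS:
        qualifying |= exp.elements & FINANCIAL
    if not qualifying:
        return False
    # "when either the name or the data elements are not encrypted": only
    # encrypting both the name and every qualifying element takes it out of scope.
    return bool(exp.in_clear(NAME_FIELDS)) or bool(exp.in_clear(qualifying))
```

Run against the scenarios in the paragraph above (a bare SSN list, card numbers without codes, names plus bank balances, member email lists), every one comes back False; only adding the password or pairing a name with an SSN flips it.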

We got here because US privacy laws are inherently reactive. We see a problem — a break-in at a retirement fund — and we craft a solution — tell people when their user accounts are potentially compromised. We see another problem — misuse of automated license plate reader information — and we craft a solution — disclosure of such misuse. What we lack — particularly in the United States — is a comprehensive approach to defining what privacy is — and what it means.

Compare this to the EU approach as delineated in the GDPR. Article 4 of the GDPR defines personal information as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In shorthand — stuff about you.

Check back next week for Part 2 where I will explain how and why we should expect privacy to return.