Big Data, Collected and Shared
The recent announcement from the Federal Emergency Management Agency (FEMA)—about accidentally revealing banking and other personal information on over 2 million people—is yet another example of insecure data sharing, and how different groups might respond differently to the risks of big data.
Many survivors of the various major hurricanes and the California wildfires over the last few years use FEMA’s Transitional Sheltering Assistance. The service provides temporary lodging assistance for evacuees. In doing so, sensitive information naturally comes to into play. But in sharing that information with a third-party contractor, FEMA admits it shared “more information than was necessary.” Doing so has put the victims at risk or identity theft or other types of fraud.
This is a key point when it comes to privacy incidents of this nature. One of the most crucial discussions for an organization to have, as we covered recently, involves what data is collected, how it is used, and how it stays protected when it leaves your enterprise. This is due to the risk inherent in any collection of information, and the trend of gathering more and more of it. FEMA’s response to the incident has been “aggressive measures to correct this error,” such as no more unnecessary information sharing, and working with the contractor to purge the data from its system.
In contrast, banks can’t get enough of consumer data, and are now employing Equifax and Fair Isaac (FICO) to purchase it. To take advantage of Equifax’s hordes of personal data and FICO’s software and use them to “stitch together all the different data about their customers.” Of course, Equifax is most famous these days for its notorious 2017 data breach. Despite new CEO Mark Begor’s belief that the incident is now ‘behind them’, they should still be kept on a short leash of public perception. Even now, it doesn’t seem like they have much interest in parsing through data that might be unnecessary to store, and would rather just consume it all.
In reaction to this sort of trend, states are taking legislative action to limit what kind of personal data can be collected. Colorado, expanding on California’s comprehensive data breach laws, has recently increased oversight of third party partners. Oregon is giving patients more control over their medical data. Virginia has focused on proper data management and disposal by businesses. And Utah is now requiring law enforcement to get a warrant before accessing electronic user data held by a third party. The message is clear. The risks of big data should be mitigated wherever possible, and the true owners of the data—the users—should be protected from mismanagement on the company side.