A new competitor has entered the ring to dethrone Cambridge Analytica as the biggest privacy scandal of recent times: Clearview AI. In case you missed it, Clearview AI is a facial-recognition app that scraped millions of photos from the web to help law enforcement identify unknown people. Not long after The New York Times exposed it as the company that might end privacy as we know it, the plot thickened. The company was breached.
In response to the incident, Clearview AI observed that “data breaches are a part of life in 21st century.” But, more broadly speaking, what happened was more than just a breach of data. It was also a breach of trust. It is fundamentally similar to, and potentially worse than, Cambridge Analytica.
Breaches are not limited to backdoors
All companies are at risk of becoming a victim of a backdoor breach. Examples include the Target and Equifax incidents that were a result of hackers breaking into the company’s systems. However, the Cambridge Analytica and Clearview AI breaches were not a result of a company’s systems being infiltrated. In the case of Clearview AI, the breach disclosed data about its customers, but the company indicated there was no compromise of its systems or network containing consumer information. Similarly, Facebook’s initial response to Cambridge Analytica was that no systems were infiltrated in a breach that involved the use of Facebook profile data to target users in political campaigns.
Instead, what happened was a result of the systems working as designed. They both involved amassing and using data perceived as assets in a way that proved to be a liability. But the more nuanced similarity is that the liability did not result from the data getting hacked or disclosed to unauthorized users; rather, it was the authorized sharing of the data itself that became the liability. They are examples of modern data breaches that are no longer limited to backdoor exploits but are instead happening at our front doors. They result from poorly navigated data protection risks and ignoring privacy commitments and obligations. And that should be a cause of far greater concern for us.
Why we should pay attention
The front door created by Facebook cost the company 500,000 GBP. The maximum fine if that incident happened today could be up to 1.4 billion GBP. In the case of Clearview AI, the breach is about sharing consumer personal data with undeclared third parties without explicit consumer consent. The timing of the breach makes Clearview AI potentially worse than Cambridge Analytica because there are data privacy laws that now exist to prohibit this type of data misuse. Legal action has already been filed under Illinois’ Biometric Information Protection Act prior to the breach, as well as under the California Consumer Privacy Act immediately after the breach. Most recently, the company has been sued by the state of Vermont for violating its data privacy laws.
What can we learn
The risks and consequences of front door breaches are very different from those of backdoor breaches, and they are often ignored. Here is what we must keep in mind with this type of breach.
Identify your unique footprint
Not all data protection risks are created equal. We have to focus on what matters most. For example, what type of data can you collect, process and store? What types of controls are adequate or reasonable? What type of obligations should you accept or enforce? The answers to these questions are rarely one-size-fits-all; they depend on the company’s unique footprint. Privacy tools, such as data mapping and privacy impact assessments, are good starting points to identify that.
Right-size the risk profile
The next step is to right-size the risk profile. The path to navigating data protection risks is often filled with uncertainty. Overestimating the risks stifles growth and underestimating them can derail the business. To bring clarity to uncertain risk scenarios, we need to view them through both a technical and a legal lens. These scenarios often center around the purpose of use. Doing this can help identify controls correlated with reducing data protection risks and consequently the liability exposure of the organization.
For example, the results of data mapping and PIAs should be shared with stakeholders, such as security and legal teams. Security teams can use the results to identify the additional controls necessary to safeguard processes that touch sensitive data (particularly when data sharing is involved). These controls could include a strict code review for modules that allow data to be shared with third parties for a legitimate purpose. They should include unit tests that make sure the ability to share data, such as via an application programming interface endpoint, is enabled or disabled only for the specified purpose.
Similarly, legal teams can use the input to ensure compatibility between the business objectives and its data protection obligations and to put the necessary legal protections in place in the contracts. These protections could include an opt-in requirement to authorize the use or sharing of consumer data for a commercial purpose not covered as a legitimate business concern.
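As an added illustration of the controls described in the two paragraphs above (not code from the original article), here is a deny-by-default sharing gate together with the unit tests that pin it to declared purposes and opt-in consent. The policy table, recipient names, purposes and sample record are all hypothetical.

```python
import unittest

# Hypothetical sharing policy: (recipient, purpose) -> fields that may leave.
# Anything not listed here is denied by default.
POLICY = {
    ("payments-processor", "fraud_prevention"): {"user_id", "billing_country"},
    ("ad-partner", "marketing"): {"user_id", "email"},
}
# Commercial purposes that need the consumer's explicit opt-in (assumption).
OPT_IN_PURPOSES = {"marketing"}


class SharingDenied(Exception):
    """Raised when a share request has no declared purpose or lacks consent."""


def share(record, consents, recipient, purpose):
    """Return only the fields POLICY allows for this recipient and purpose."""
    allowed = POLICY.get((recipient, purpose))
    if allowed is None:
        raise SharingDenied(f"{recipient!r} has no declared purpose {purpose!r}")
    if purpose in OPT_IN_PURPOSES and purpose not in consents:
        raise SharingDenied(f"no opt-in on file for {purpose!r}")
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample record, not real data.
ALICE = {"user_id": "u-1", "email": "alice@example.com",
         "billing_country": "US", "face_template": "<biometric>"}


class SharingGateTests(unittest.TestCase):
    def test_declared_purpose_shares_only_listed_fields(self):
        out = share(ALICE, set(), "payments-processor", "fraud_prevention")
        self.assertEqual(out, {"user_id": "u-1", "billing_country": "US"})

    def test_undeclared_purpose_is_denied(self):
        with self.assertRaises(SharingDenied):
            share(ALICE, set(), "payments-processor", "marketing")

    def test_commercial_purpose_requires_opt_in(self):
        with self.assertRaises(SharingDenied):
            share(ALICE, set(), "ad-partner", "marketing")
        out = share(ALICE, {"marketing"}, "ad-partner", "marketing")
        self.assertNotIn("face_template", out)


if __name__ == "__main__":
    unittest.main()
```

Because the policy table is the single place where a new recipient or purpose can be enabled, it is also the natural target for the strict code review mentioned above.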
Be prepared to respond
Because breaches at the backdoor or front door are a reality, businesses must be prepared to respond. A demonstrably operational cybersecurity program can be the last line of defense in case of accidental breaches. Businesses often view compliance as a burden and question whether a compliance framework is worth the effort. But governance activities, such as documentation of security procedures and practices, as well as certification of adherence to an established security standard, such as ISO 27001, the NIST Cybersecurity Framework or SOC 2, help demonstrate the reasonableness of your security program, which can, in turn, help mitigate legal consequences for the business.
The emerging data privacy landscape has created a perfect storm in which data protection risks must be connected to the security agenda to protect the business from the legal consequences of front door breaches. The lesson we can learn is simple: Don’t ignore the data leaving your front door.