top of page
sensible security

Valuing Secrets: Personal Details

This article is part of the Handling Secrets series. In the first part, Valuing Secrets, we describe how to rate the likelihood of theft for common types of secrets. In the second, Protecting Secrets, we describe the easiest ways to prevent their theft.


Fifteen years ago, several Big Tech companies achieved eye-popping profits and valuations by storing, analyzing, and sometimes selling every detail they can discover about their customers or users. This has prompted many CEOs and CROs in other companies to put big investments toward duplicating that model. While most of their projects have failed, the money they poured in has birthed an entire industry that procures, aggregates, and sells personal data. You can buy personal and professional emails, social accounts, and cell phone numbers on most people for a couple pennies apiece. If you spend a little more, you can buy information on spending habits, favorite retailers, social media history, “brand engagement” details, and legal records, all neatly packaged together. Even location data is up for sale.


A comic with a caption below. dialogue: First pig: "Isn't it great? We have to pay nothing for the barn" Second Pig: "Yeah! and even the food is free" caption: Facebook and you. If you're not paying for it, you're not the customer. you're the product being sold.
It's not just Facebook, folks. The barn door is open.

For example, in the US, if you google “best toaster oven,” ads from major toaster retailers will follow you around the internet for a month. Most people find this creepy, along with the supporting industries of detailed consumer profiles, data brokers, personalized ads, and identity fraud. Even if they do not have a consumer data-mining strategy, most businesses have some personal data about their customers, and it can be valuable to thieves.


Government Responses


There have been two waves of legislation designed to address this problem: Breach notification and General Data Protection Regulation (GDPR).


Breach Notification

Starting in 2002, governments created laws requiring companies that lose personal information to notify the affected people. At the time, the core goal was to reduce identity theft, and these laws created a term for this type of information: Personally Identifiable Information (PII). While good-intentioned, these laws have been a joke:

  • They only protect semi-public information. Such laws mostly cover passwords and contact details, such as name, address, and phone number. By now, contact details for most consumers are available in bulk for pennies, and passwords are often available for free.

  • Getting notified is useless: there is nothing you can do to help yourself after someone loses your data. Protecting yourself looks exactly the same.

  • They have not protected consumers from identity theft. The best way to prevent credit-based identity theft in the US is a credit freeze at each bureau. It works very well, is free, and takes almost no time.

  • Frequently, companies who lose consumer data buy them a free subscription to identity protection services. Such services are also worthless compared to the top alternative, freezing your credit.

  • They have not reduced how much data is sold. Data sales are mostly governed by fine print in a click-through contract. Even privacy-minded consumers do not care because they figure the information is already out there. Further, there is no meaningful choice: if all major credit card companies reserve the right to “share your purchase history with marketing partners” (i.e., sell it to whoever they want), going with another card company will not help.


GDPR: Europeans, Californians, and Qataris, Oh My!


Five years ago, the European Union, slightly grumpy at Facebook and Google for being creepy, dropped a bombshell: no more storing personal data on people unless they give you the OK, and gave them the right to rescind that OK at any time. It was called the GDPR, and it rocked the privacy compliance world.


Several years later, California copied it, and many other countries are copying it as well, including Bahrain, Israel, Qatar, Turkey, Egypt, Kenya, Nigeria, South Africa, Japan, New Zealand, China, Switzerland, Canada, Argentina, Uruguay, and many more.


There are two reasons why GDPR was big: first, violators could be fined up to 4 percent of annual revenue. For some business models, that can be the difference between a healthy profit and being in trouble.


Second, it restricted storage of EU citizen data to other countries with equivalently strong privacy protection laws. This means that there is an economic advantage for a country to have such a law—companies within that country can sell services to EU companies that warrant access to EU citizen data. Even better, such services are usually high-skill and high-margin: outsourced HR benefits administration, business management consulting, IT support, and selling tech solutions all depend on access to personal information. There is money for other countries to be GDPR compliant.


The law appears effective at preventing widespread resale of personal information. The EU has applied almost a billion euros in fines against Facebook, and a couple hundred thousand against Google. There are hundreds of other cases being processed. Companies take the requirements seriously.


How valuable are these secrets?


See here for a review of how these factors contribute to the overall chance that someone will steal them.

Basic contact information for most people is available for several cents. Detailed purchasing history can be worth up to $100.

Many, and not limited to the black market. The consumer data industry is still strong, and many brokers have little regard for whether data they buy was acquired legally.

Damage from losing people’s personal information depends on the kinds of information, where you do business, and the importance of privacy to your customers.


Notifying people usually costs several dollars per person. It has happened so often that a cottage industry of breach notification has sprung up. Several companies offer turn-key solutions where you give them the contact details, the text of the “Whoops” letter, and they compliantly send out the mail for a low price.


Accidental data loss rarely warrants substantial fines for the GDPR—they care more about intentional misuse. Other geographies may differ; consult a local privacy attorney to learn more about the regulations that apply to you.


Reputational damage is possible, depending on your geography and customer expectations. In the US, companies have rarely suffered meaningful damage.


Next Steps


Depending on the kinds of personal details you retain and the countries in which you do business, there may be some risk to losing it. Companies known to have unique and deep profiles and purchasing history for many consumers are attractive targets for criminals.


Need to protect personal consumer data? We can help.

Comments


Subscribe for more:

  • RSS
  • LinkedIn
  • Twitter
  • YouTube
bottom of page