Why Protecting “Non-Sensitive” Information Is A Sensitive Subject.

A recent data breach demonstrates some relevant concerns. Last week a large marketing firm announced that numerous email addresses, and possibly names and addresses, of customers of some of its large clients (including banks) were compromised. Some might say of email addresses: “No big deal.” Certainly, in and of themselves, email addresses probably don’t qualify as protected personal data under most, if not all, state data breach laws. However, the fallout from the breach has proven somewhat concerning, at least on a reputational front. Numerous articles, blogs, and comments have appeared citing the potential for increased phishing attacks. More importantly, this breach may increase the likelihood that “spear-phishing” attacks will succeed. Spear-phishing occurs when the bad guys hold accurate personal data that they know is attributable to a specific business; they can then send a customer an email containing specific details that make the message far more likely to be trusted as genuine, which in turn lets them extract the additional information they need to do real damage.

From a larger standpoint, this breach demonstrates why businesses must approach privacy and security from an overall information governance standpoint, and internalize privacy decisions in their business offerings. Artificial acronyms or descriptions of the type of data and its perceived sensitivity, adopted without proper thought and analysis, can lead to poor results. Broad assumptions (e.g., that email addresses don’t much matter) don’t work. Privacy must be an internalized function embedded within organizational strategic decisions. A customer name and email address belonging to a bank or brokerage client might be much more sensitive than the same data held by an ordinary brick-and-mortar retailer that offers no branded store credit card accounts. This doesn’t mean that ordinary email addresses don’t need protection; they do (particularly if your privacy policy says you will protect them). It means that businesses must understand the risk behind the information and the way it is managed, without arbitrarily attaching significance or insignificance to it.

Blindly reading laws, rules, or written industry standards and designing programs solely to meet defined requirements won’t always get a business where it needs to be.  Obviously, legal requirements must be interpreted and followed.  However, more than that, a thoughtful approach by those who think about privacy and security implications is desirable.

For that matter, the same ideas apply to the way in which a business deals with a breach. For example, if email addresses, street addresses, and names are stolen, and there is a concern about “spear-phishing,” it might not be such a great idea for the compromised business to send out notifications via email asking customers to “click here” for more information (Note: the author has no information as to whether this was or was not done in the actual case). In such a scenario, the business might instead want to discourage customers from replying to email messages at all, since email is the exact vector of the phishing attack.

Moral: Be careful about making arbitrary decisions based upon the perceived sensitivity attributed to the type of information without thinking it through.