A recent data breach demonstrates some relevant concerns. Last week a large marketing firm announced that numerous email addresses, and possibly names and addresses, of customers of some of its large clients (including banks) were compromised. Some might say of email addresses: “No big deal.” Certainly, in and of themselves, email addresses probably don’t qualify as protected personal data under most, if not all, state data breach laws. However, the fallout from the breach has proven somewhat concerning, at least on a reputational front. Numerous articles, blogs, and comments have shown up citing the potential for increased phishing attacks. More importantly, this breach may increase the potential that “spear-phishing” attacks will be successful. Spear-phishing occurs when the bad guys have accurate personal data that they know is attributable to a specific business; they can then send a customer an email containing specific details, which gives the customer much higher confidence that the email is genuine and allows the bad guys to potentially extract the additional information they need to do some damage.
Blindly reading laws, rules, or written industry standards and designing programs solely to meet defined requirements won’t always get a business where it needs to be. Obviously, legal requirements must be interpreted and followed. However, more than that, a thoughtful approach by those who think about privacy and security implications is desirable.
For that matter, the same ideas apply to the way in which a business deals with a breach. For example, if email addresses, street addresses, and names are stolen, and there is a concern surrounding “spear-phishing,” it might not be such a great idea for the compromised business to send out notifications via email asking someone to “click here” for more information. (Note: The author has no information as to whether this was, or was not, done in the actual case.) In such a scenario, the business might instead want to discourage customers from replying to, or clicking links in, email messages, since email is the exact vector of the phishing attack.
Moral: Be careful about making arbitrary decisions based upon the perceived sensitivity attributed to the type of information without thinking it through.