Companies are gathering an increasing amount of information about their customers, storing that data for longer periods and analyzing it to glean greater insight about their clientele. But the rise in big data analytics comes at a time when those companies face a higher risk of cyber breaches from hackers looking to access that same information.
That troubling pair of trends has prompted industry groups, corporate heavyweights and lawmakers to weigh what security practices should be put in place to better protect consumers’ information, such as names and credit card numbers, as well as the projections companies make about their consumers based on that information.
“Everybody, especially in the large enterprise space, is seeing big data analytics as something you have to do,” said Anup Ghosh, chief executive at cybersecurity company Invincea. “They’re collecting more data, and they’re going into a large, single repository. That also makes it more at risk.”
Every time consumers interact with a business — a deposit at the bank, a prescription at the pharmacy, a purchase at the department store — they leave a trail of data about their identity and habits that those companies then keep and analyze to learn more about them.
A big-box retailer, for example, might track a customer’s regular purchases of beauty products, children’s toys and snack foods to determine she’s a mother of young children, then serve up coupons for products that might appeal to that demographic. In a similar way, big data analytics is becoming a mainstay of industries as varied as insurance, financial services, health care and education.
“You can think about the whole range of issues that are important to people, and in all of these situations, people are trying to employ the insights of big data,” said Ronald D. Lee, a partner in Arnold and Porter’s Washington office.
“Who is to say for a particular person that their financial information is the most sensitive? For other people, it may be their health information or what particular books they shop for,” Lee continued.
Companies are also housing that information in the cloud — a term used for communal data servers and other IT infrastructure that are often accessed via the Internet. Storing data in the cloud allows companies to access the information from different places and devices, and thus more easily mix and match data to gain insight into business operations and patrons.
“There’s a lot of cost efficiencies for doing that, and there’s a lot of business intelligence that can be derived from data that were previously stored in different systems,” Ghosh said.
But the practice may also make the impact of a cybersecurity breach all the more devastating. Storing information in the cloud gives hackers a single target to attack; imagine a bank that stores all its money in a single vault.
The single location raises the stakes, but it also gives guards just one vault to protect.
“For the same reason it’s vulnerable, which is the concentration of data, it’s also more securable,” Ghosh said.
The volumes of data being collected by businesses have attracted the interest of lawmakers who want to ensure consumers’ data is secure, as well as industry groups that realize their reputations will suffer if data is breached.
Just last week, Target chief executive Gregg Steinhafel resigned after a weeks-long attack on the company’s network left millions of customer credit card numbers vulnerable. The University of Maryland suffered its own breach in February when 300,000 records containing information about faculty, staff, students and alumni were exposed.
“The extra public attention to the issue has certainly created greater awareness among a broad range of entities ... of not only the technological vulnerabilities of their networked systems, but also the operational, financial and reputational harm from suffering a security breach,” said Paul Martino, partner and co-chair of Alston & Bird’s privacy and data security practice.
Lawyers and security advocates say regulation to date has been a patchwork of state and federal laws, many of which address data privacy and security concerns in specific industries, such as health care or banking. As a result, companies face varying degrees of liability for inadequate cybersecurity protections depending on their industry and location.
“Over the past half century, the United States has essentially taken a sector-specific approach to data privacy, [including] data security requirements, and our current legal framework reflects this,” Martino said.
The law is even less clear about analytics — which can also be sensitive in nature — that companies derive from customer data. Target famously predicted a teenager’s pregnancy based on her buying patterns and sent her advertisements for maternity items before her father was made aware of the baby to be.
Though this data is often separated from the customer’s name to maintain his or her privacy, as the Target anecdote demonstrates, in many cases the information could be attached to a specific person if the right technology is applied.
“At least at first blush, the results aren’t really tied to [individuals]. That may be true in a snapshot in time, but the technology and algorithms are always moving forward,” Lee said. “At some point in the future, maybe there will be a way to tie it back to [an individual].”