The Privacy Risk Most Data Scientists Are Missing

The Privacy Risk Most Data Scientists Are Missing

Facebook privacy issues

Data breaches are becoming increasingly common, and the risks of being involved in one are going up. A Ponemon Institute report (an IBM-backed think tank), found that the average cost of a data breach in 2018 was $148 per record, up nearly 5% from 2017.

Privacy regulations and compliance teams are using methods like masking and tokenization to protect their data — but these methods come at a cost.
Businesses often find that these solutions prevent data from being leveraged for analytics and on top of that, they also leave your data exposed.

Many data scientists and compliance departments protect and secure direct identifiers. They hide an individual’s name, or their social security number, and move on. The assumption is that by removing unique values from a user, the dataset has been de-identified. Unfortunately, that is not the case.

In 2010, Netflix announced a $1 million competition to whoever could build them the best movie-recommendation engine. To facilitate this, they released large volumes of subscriber data with redacted direct identifiers, so engineers could use Netflix’s actual data, without compromising consumer privacy. The available information included users’ age, gender, and zip code. However, when these indirect identifiers (also known as quasi-identifiers) were taken in combination, they could re-identify a user with over 90% accuracy. That’s exactly what happened, resulting in the exposure of millions of Netflix’s consumers. Within a few months, the competition had been called off, and a lawsuit was filed against Netflix.

When it comes to the risk exposure of indirect identifiers, it’s not a question of if, but a question of when. That’s a lesson companies have continuously found out the hard way. Marriott, the hotel chain, faced a data breach of 500 million consumer records and faced $72 million in damages due to a failure to protect indirect identifiers.

Businesses are faced with a dilemma. Do they redact all their data and leave it barren for analysis? Or do you leave indirect identifiers unprotected, and create an avenue for exposure that will lead to an eventual leak of your customers’ private data?

Either option causes problems. That can be changed!

That’s why we founded CryptoNumerics. Our software is able to autonomously classify your datasets into direct, indirect, sensitive, and insensitive identifiers, using AI. We then use cutting-edge data science technologies like differential privacy, k-anonymization, and secure multi-party computation to anonymize your data while preserving its analytical value. Your datasets are comprehensively protected and de-identified, while still being enabled for machine learning, and data analysis.

Data is the new oil. Artificial intelligence and machine learning represent the future of technology-value, and any company that does not keep up will be left behind and disrupted. Businesses cannot afford to leave data siloed, or uncollected.

Likewise, Data privacy is no longer an issue that can be ignored. Scandals like Cambridge Analytica, and policies like GDPR, prove that, but the industry is still not knowledgeable on key risks, like indirect identifiers. Companies that use their data irresponsibly will feel the damage, but those that don’t use their data at all will be left behind. Choose instead, not to fall into either category.

Join our newsletter



Weekly News #6

Weekly News #6

Facebook privacy issues

Smart homes are not so smart when it comes to protecting privacy. WhatsApp gets hacked by Israeli spies. Intel notifies customers about security flaws with chipNew regulations hint companies toward having better data management. Australian data breach affects 10 million civilians.

Smart Homes: Not so Smart

Smart homes definitely reduce effort and make life easier, but it comes at a cost. You and your family’s privacy is put at risk because of the trade-off between productivity and safety.

One of the most popular forms of a smart home is the digital assistant. Google Home and Alexa are the major players in this area. These devices are continuously listening for “activation” words or phrases and thus, your entire conversation history is saved in their server. As a result, many scary and embarrassing stories have surfaced, and yes, even from Amazon and Google products. 

If consumers do their part and take the necessary security steps, they should be able to enjoy the benefits of their smart home without paying a price. Here are some ways you can secure your smart home:

  • Review and delete your voice history from time to time.
  • Secure your network.
  • Change your wake or activation word or phrase.
  • Delete old recordings.
  • Strengthen your passwords.

Do everything you can to secure your home from being vulnerable to attacks.

WhatsApp Gets Hacked

WhatsApp, an app used by millions of people worldwide, has been compromised. On Tuesday, an Israeli spy firm injected malware into targeted phones to steal data, by simply placing a call. Recipients did not even need to answer the call. What’s worse, the call could not be traced in the log. The company states that only a select few have been affected, as they don’t know the exact number.

Intel Chip Suffers Security Flaws

In other news, Intel, also known as the worldwide computer chip maker, has just notified the world about a security flaw that can essentially prove to be harmful to millions of PCs. Attackers are able to get their hands on any data that a victim’s processor touches. Not scary at all.

New Regulations Call for Better Data Management

With privacy laws such as the GDPR and CCPA in place, businesses now need to allow for firmer data privacy enforcement. 

Every company we interact with uses our data-from The Weather Network to IBM. “The companies used the data to calibrate advertising campaigns to potential customers’ preferences, a type of personalization 90 percent of consumers say they find appealing,” says, Eric Archer-Smith, from BETA News. Although it helps with preferences and marketing, if found in the wrong hands, it could prove to be dangerous. Thus, companies today must find the perfect balance between personalization and privacy when collecting consumer data for analysis.

Australian Data Breach Affects 10 Million Civilians

The Office of the Australian Information Commissioner (OAIC) recently reported over 10 million people were hit in a single Australian data breach. Although the report did not specify the origin of the breach that affected these people, the breach was disclosed to be between January 1, 2019, and March 31, 2019. Furthermore, private health was yet again the most affected sector.

 

Join our newsletter



Weekly News #2

Weekly News #2

Facebook privacy issues

New information on Facebook’s user data misuse causes a $30 billion market-value loss. US senators propose the Data Care Act to regulate privacy across the 50 states. Reporting data breaches is now mandatory in Canada. The Department of Health and Human Services wants to modify HIPAA.

Facebook lost $30 billion in market value after the New York Times published on December 18 documents detailing different agreements that Facebook had with companies like Microsoft, Netflix, Spotify, Amazon, and Yahoo to access Facebook users’ data. For example, Netflix and Spotify could read users’ private messages. However, that was not everything. On December 14, Facebook notified its users of a bug in the Photo API that gave developers access to non-shared photos of 5.6 million users.

Pushed by the recent data breaches, 15 senators in the US proposed the Data Care Act on Wednesday to regulate privacy across the 50 states. The Data Care Act main guidelines are:

  • Duty of Care – Must reasonably secure individual-identifying data and promptly inform users of data breaches that involve sensitive information;
  • Duty of Loyalty – May not use individual-identifying data in ways that harm users;
  • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual-identifying data;
  • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene;
  • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

On November 1st, it became mandatory to notify data breaches in Canada. This is an important step for Canadian privacy regulation and is something that will require a shift in the operation of Canadian businesses because according to Statistics Canada only 10% of the businesses affected by a cyber attack reports it.

The Department of Health and Human Services (HHS) issued a Request For Information (RFI) for input on how to modify HIPAA on the following issues:

  • Encouraging information-sharing for treatment and care coordination;
  • Facilitating parental involvement in care;
  • Addressing the opioid crisis and serious mental illness;
  • Accounting for disclosures of protected health information for treatment, payment, and health care operations;
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices;

After having a 2018 plagued with data breaches and important privacy regulation (GDPR), we can expect that 2019 will be a year in which protecting privacy becomes a must for public and private organizations. SC magazine has eight privacy predictions for 2019, most of them revolve around regulations and their impact on the behavior of organizations and consumers.

Join our newsletter



Weekly News #1

Weekly News #1

Marriot and Quora Data breach

US legislators are proposing fines and jail for CEO’s of breached companies after the data breach of Marriot and QuoraThe US Census Bureau is using differential privacy to protect data privacy while allowing data analysis. FTI Consulting is offering a Data-Protection-Officer-as-a-service.

In just one week, we learned about two major data breaches, at Marriott and Quora, compromising the data of 600 million people. In 2018, there have been 15 data breaches, 8 more than in 2017.

Marriott has lost $4.08 billion in market value since November 29th, when the breach was reported; however, this loss could potentially worsen because of fines and lawsuits. Under GDPR, Marriott could be fined with $912 million, and there is a $12.5 billion damages lawsuit in the process.

Quora reported on Monday that hackers had gained access to the data of 100 million users. The information comprised names, email addresses, passwords, and data from social networks.

All these breaches have pushed legislators in the US to propose bills that would fine not only the affected companies but also the CEOs. Senator Ron Wyden’s proposal includes up to 20 years of jail for chief execs and $5 million fines for CEOs.

However, there are processes and technologies that can help organizations protect their customers’ data privacy.

One solution is to designate a Data Protection Officer (DPO), a role that was introduced by the GDPR. While not every company is required to have a DPO, having someone in charge of data privacy and protection is a must. FTI Consulting is now offering DPO-as-a-service to help companies satisfy regulatory requirements.

Another solution is to use technologies, such as differential privacy, to keep the data private. Differential privacy is already used by companies like Apple and Google, but one of the earliest adopters is the Census Bureau. By mandate, the Bureau has to keep each person’s information private and to provide useful data, and Differential Privacy allows it to do so.

No single solution is a silver bullet, but a combination of privacy-preserving technologies and processes will help organizations protect their customers’ data privacy.

Join our newsletter