Privacy Ethics and Wrongful Collection of Data

Posted by Mark Greisiger

A Q&A with Andy Sambandam of Clarip, Inc.

Wrongful collection of private data often occurs unwittingly on the part of both consumers and the companies tracking them. I talked to Andy Sambandam, founder and CEO of Clarip, Inc., a software as a service data privacy platform, about how individuals and organizations can be more savvy about the data collection in every day internet usage and the risks associated with it.

What is the difference between a cookie, a beacon and a super cookie?How do companies collect private data from internet users?
Hundreds of companies collect our data on a daily basis and we’re not even aware of it happening. It’s not nefarious—in many cases, they are trying to track behaviors to understand more about you to sell you products or services and tailor the messages accordingly. But what is more concerning are the companies that are not consumer facing. You may not even have a direct relationship with them but they are quietly tracking you across multiple websites and building a profile on you.

Cookies are a simple piece of information in a text file that can be placed on a browser. They have been around since the early days of the web. Any time you use a browser these files are captured to identify you as the person online—think of your remembered email and password when you log on to a familiar site. They also help the company track you as you click through to other pages on the site. You can clear your cookies from your cache on your browser at any time. Beacons are a transparent GIF image, or single pixel image that could be present on any page, and used by a third or fourth party to track behaviors, for instance how long you stayed on a page. Super cookies, also called persistent cookies, are more difficult for users to detect—they track you and though they will appear to disappear when you clear your cache but they still know your IP address. When you shop for a pair of shoes and then start seeing banner ads for the product on another site you know that those are cookies at work, so it’s not necessarily problematic until they’re hacked and used for identity theft or a phishing attack.

Data collection is not just a consumer problem—it’s a business problem…It’s critical to have policies and procedures in place to protect data and demonstrate clarity and transparency.

How can a user get rid of tracking software?
It’s a good rule of thumb to never click on any link you don’t recognize up front. Use common sense when searching online. Google itself has malware phishing websites and you don’t want to click on those links. Always try to use your browser in private mode so that everything you search for is valid for that session but disappears when you close out. Always update your browsers to the latest version to stay current with security patches. Make sure you clean your cache periodically. I recommend against saving your passwords in the browser—it’s very convenient but it’s not a safe practice. If you use your phone to go online to a store like Best Buy or Target you are interacting with hundreds of brands who are collecting your information. You can use a product like Clarip to find out what companies are tracking your data and who has access to it. From a consumer standpoint, the more information you put out there online the riskier it becomes. Don’t share your location, your full name or your phone number, and only use strong passwords or your browsing behavior will open up the risk for identity theft.

How can a risk manager better understand their collection and sharing practices? Is there any way to map this?
Data collection is not just a consumer problem—it’s a business problem. We’ve seen companies run into class action suits and fines from state attorneys general and international regulators, so it’s very important that risk managers understand the potential risks faced, especially if it’s a B to C company. It’s critical to have policies and procedures in place to protect data and demonstrate clarity and transparency. If customers know you are using best practices for data security and privacy, they will feel more comfortable sharing their data and trust is extremely important. However, executives don’t understand the gap that often exists between policy and what is really happening. For example, most software is no longer built from the ground up. A developer will often use third-party code which puts them at risk for inheriting data tracking code—for instance, from a third-party beacon—that they may not even be aware of having. A risk manager needs to look at any public-facing assets and understand the data that’s being collected. A common scenario we see is a large company acquiring other companies. Once they scan, they might find that acquired company used hundreds of beacons and third-party technologies, many with vulnerabilities. They had no idea it was happening until they did this assessment. It’s also important for risk managers to understand that privacy risk is as important as security risk. Insurers want to know what kind of data you’re collecting and what kind of risks you’re exposed to. Eliminating the data collection you don’t need to be doing is a proactive way to manage that risk.

In summary… 
We want to thank Andy for his expertise and insights into this risk management topic. Privacy ethics, including wrongful data collection and sharing, is a significant growing liability exposure facing many organizations that are custodians of sensitive customer data. Moreover, class-action trial lawyers are especially focused on this (see Junto article here and here). Our insurance carrier partners that underwrite cyber risk want reassurance that a customer’s enterprise is paying attention equally to both cybersecurity controls as well as privacy policy enforcement.