MYOB(D): Mining your own business (data)

Data mining, once considered the new frontier in technology, is now fiercely criticized due to the risk of breach, manipulation, and misuse. So does this mark the beginning of the end for data mining? Probably not. In an era in which data is often a company’s most valuable asset, it is unlikely that these risks will deter companies. However, as more companies come under fire for data mining practices that violate their customers’ privacy rights, it is crucial that your company’s data use complies not only with both federal and state laws (as well as international laws, where applicable), but also your company’s privacy policy. Here are some of the biggest lessons social media and other online applications have taught us about data mining:

Data Breach vs. Data Misuse: A data breach is characterized by the active and unauthorized penetration of a company’s digital systems by a third party. Data misuse or manipulation, by contrast, begins with a passive but legitimate sharing of information; the wrongful act typically occurs when the company receiving the data uses it in an unauthorized manner. The distinction is nuanced, but it matters, at least as data breach laws are currently written. A true data breach triggers statutory notification requirements and subjects companies to penalties and liability if those requirements are not properly followed. The obligations triggered after discovering data misuse are not as clear, but are likely to be addressed by courts and Congress in the near future. Nevertheless, companies should avoid falling victim to either type of “breach,” since both can damage consumer trust and negatively impact a company’s bottom line.

Comply With the Company’s Privacy Policy: Section 5 of the FTC Act authorizes the FTC to investigate and initiate enforcement actions against private companies for “unfair and deceptive” practices in commerce. If a company promises a certain level of privacy or security on its website or elsewhere, but then fails to fulfill those promises, the FTC can file a charge against the company for engaging in an unfair and deceptive practice. For example, if Acme Corporation promised customers to securely protect their personal information but instead allowed employees to easily gain access to this data with the stroke of a button, the FTC could file charges for deceptive practices. In fact, the FTC has filed many charges as a result of practices like this, and companies have been required to enter into consent decrees and agree to implement comprehensive privacy programs and obtain regular, independent audits.

Most states have also enacted similar statutes that permit the attorney general to investigate and institute penalties against noncompliant companies. In New York, Attorney General Eric Schneiderman recently settled charges with three mobile health application developers, after the developers misled consumers about the capabilities of the apps and endorsements the apps had received.

In the end, even if your company’s data use complies with state and federal laws, it still must strictly adhere to your company’s own privacy policy to avoid penalties from government agencies. Companies should review their privacy policies against their current practices to ensure full compliance.

Control the Human Factor: Technology is not always the problem. Frequently, the breach or misuse is the result of human error, and a mistake by an individual employee subjects a company to the same obligations and penalties described above. Therefore, companies should track employee access to personal data, limit access to that data to the individuals who need it, and provide ongoing training and education for the employees who process it.

As the dust settles on recent events in data security, data mining will likely undergo intensified regulation that accounts for both breach and misuse or manipulation. As a result, it is critical—now more than ever—that companies track how they receive, store, and share data, both now and in the future, to avoid any potential illegal or unethical practices.

Special thanks to Emily Knight for her assistance in preparing this article.

Category: Compliance & Ethics, Cybersecurity, Disclosure