In the eyes of privacy watchdogs, all data is relative.
When regulators calculate data privacy-related fines they must determine whether negligent or intentional behavior caused violations.
A violation's duration and an entity's actions taken before, during and after an incident are also considered for penalties. But the type of data caught in the middle of a data privacy infringement is seldom a key determinant in cases.
"Essentially, there should be no difference in penalty or worry based on the level of sensitivity of the personal data of others that was lost," Jerry Ray, COO of SecureAge, told CIO Dive. "It’s all sensitive."
Last month Equifax and Facebook received fines from the Federal Trade Commission for two cases of data privacy infringements. And while Capital One's data breach is under the jurisdiction of the Consumer Financial Protection Bureau, the bank could face regulatory scrutiny from other agencies.
While the conditions around data privacy transgressions are not created equal, the data involved, more or less, is.
"To define some data as sensitive and other as less sensitive or even innocuous is ingenuous and a fatal flaw in security policy," said Ray.
Types of data involved in data privacy misuse cases
|Company||Type of misuse||Compromised data|
|Equifax||Negligent||Social Security numbers, birth dates, address, driver's license numbers, credit card numbers|
|Intentional||User demographics, post likes, friend connections, messages|
|Marriott||Negligent||Passport numbers, addresses, credit cards, gender, arrival/departure information, reservation dates, communication preferences, Starwood Preferred Guest account information|
|Quest Diagnostics||Negligent||Medical records, Social Security numbers, credit card numbers, bank account information|
|Capital One||Negligent||Social Security numbers, names, postal codes, birth dates, self-reported income, credit scores, credit limits, transactions, bank account numbers|
Predicting use cases
Social Security numbers and financial records are key ingredients to identity theft.
When more intimate details are revealed, like medical records or travel patterns, cyberattacks can become more personal and lead to custom phishing schemes.
In Facebook's case, user data was supplied to the now-defunct consulting firm Cambridge Analytica to create personality models for user politics.
Intentional collections of data, which are primarily based on consumer behaviors, are used for non-criminal targeting, Jeff Wilbur, director of the Online Trust Alliance Initiative at the Internet Society, told CIO Dive. While the marketing acts crafted by these behavioral profiles are legal, it still abuse of data privacy.
But there's no way of knowing for sure how bad actors will use stolen information.
From the standpoint of the individuals who have collected data, either through a breach or business deal, there are "tiers" of data that have more value, according to Wilbur. Regulators, however, do not explicitly organize personal data by tiers or importance.
"The harm to the consumers who had their personal information exposed should be the measuring stick for damages and compensation," said Ray.