The CEO’s and Director’s Cheat Sheet to the Risks of Big Data – Part 2: Legal Risks

In the last article we surveyed some of the technical and reputational risks facing companies that try to extract value from a key intangible asset: their data. Now we look at some key legal risks.

While the big data gold rush may be on, there are some potent legal risks involved when trying to unlock the value of big data.

Under both New Zealand privacy law (the Privacy Act 1993) and Australian privacy law (the Privacy Act 1988), there are restrictions on the use of “personal information”, which means any information about an identifiable individual.

For ease of analysis, most commercial data can be divided into one of four types:

1. “metadata” – data about your data

2. “B2B data” – data about individual businesses which are your clients, suppliers or contractors

3. “anonymised B2C data” – data about individual consumers, but from which identifiers such as address, date of birth or name have been removed

4. “personal information” – data about individual consumers which has not been anonymised

What you can (and can’t) legally do with “your” data is heavily dependent on the type of data you hold and how you came to have it.

Among other things, the New Zealand and Australian Privacy Acts govern how information can be collected, used, stored and disclosed. A company:

  • must only keep the information as long as it may lawfully be used
  • is restricted to using data for the purposes to which the individual consented and
  • must be satisfied as to the information's accuracy before using it.

The good news is that under current law, these restrictions only apply to the fourth type of data (personal information), not metadata or B2B data. Both types of data can be highly valuable (as the case studies above highlight) and, despite typically being absent from company balance sheets, they should be regarded as potentially important assets. Efforts should be made by Boards and Management to determine if such data is valuable and how that value could be unlocked.

On the downside, the fact that metadata and B2B data fall outside privacy regulations does not mean companies are free from risk. See our earlier article on cyber-espionage for why one of the biggest risks a business can face is theft of valuable business (not personal) data.

Anonymised Data – Not So Anonymous?

Anonymised B2C data lives in a somewhat grey middle zone and presents unique challenges. First, at a purely practical level, anonymised data may be of little use to many types of businesses. Just how useful is a customer list without any contact details?

Secondly, “anonymisation” isn’t a get out of jail free card. For example, car driving data is being continuously collected by many devices in our cars. In a study completed last year, just 15 minutes of driving data was sufficient to create a driving ‘fingerprint’ able to identify an individual driver out of 15 drivers, with 100% accuracy. 15 minutes of the brake pedal data alone gave a 90% identification rate.

In a further example, in 2006 Netflix published 10 million movie reviews by 500,000 of their customers, but anonymised the data by replacing the names of people with random numbers. Two Texas-based researchers managed to identify many of the users by matching reviews to other reviews with similar ratings at similar times on IMDb or on people’s blogs. Even “perturbing” the anonymised data (inducing randomness by adding intentional errors) was not a sufficient solution. The researchers showed that if given only 8 of a person’s ratings, of which 2 may be completely wrong and with dates that were up to 2 weeks in error, they were still able to match individual people to the anonymised (and perturbed) dataset of Netflix ratings at an astounding rate of 99%. That anonymised data set could land you in very hot water, both legally and reputationally.
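A data owner can measure this exposure on its own data before releasing it. The following is an added example, not code from the original article or from the research it cites: it counts how many pseudonymised records are singled out by 8 approximate ratings, tolerating 2 wrong ratings and dates up to 14 days off. The sample records and all function names are constructed for illustration.

```python
from datetime import date, timedelta

BASE = date(2005, 1, 1)

def build(stars, offset):
    """Constructed record: movie -> (stars, rating date), one rating per week."""
    return {f"m{i}": (int(s), BASE + timedelta(days=offset + 7 * i))
            for i, s in enumerate(stars)}

# Constructed "anonymised" release: random id -> ratings (no names kept).
RELEASED = {
    101: build("54321543", 0),
    102: build("54321345", 3),    # near-duplicate of 101
    103: build("11223344", 5),
    104: build("35241352", 120),
}

def score(aux, record, days=14):
    """Number of outside observations consistent with one released record."""
    hits = 0
    for movie, (stars, when) in aux.items():
        if movie in record:
            r_stars, r_when = record[movie]
            if r_stars == stars and abs((r_when - when).days) <= days:
                hits += 1
    return hits

def candidates(aux, released, max_wrong=2, days=14):
    """Released ids still consistent with aux when max_wrong items may be wrong."""
    need = len(aux) - max_wrong
    return sorted(u for u, rec in released.items() if score(aux, rec, days) >= need)

def unique_fraction(released, k=8, max_wrong=2, days=14):
    """Share of records that k of their own ratings single out (release risk)."""
    eligible = {u: r for u, r in released.items() if len(r) >= k}
    singled = 0
    for uid, rec in eligible.items():
        aux = dict(list(rec.items())[:k])
        if candidates(aux, released, max_wrong, days) == [uid]:
            singled += 1
    return singled / len(eligible) if eligible else 0.0

if __name__ == "__main__":
    # 8 ratings for record 103 as seen elsewhere: 2 wrong, dates 10 days late.
    noisy = build("33223344", 15)
    print(candidates(noisy, RELEASED))
    print(f"{unique_fraction(RELEASED):.0%} of records singled out")
```

A high fraction means that replacing names with random numbers has not made the records anonymous, so the dataset should be treated as personal information.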

 

Mandatory Reporting of Data Breaches

In Australia, a further area where companies face significant legal risk is mandatory data breach notification. Companies and government agencies that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach. Failure to do so comes with stiff penalties. Similar legislation will likely be implemented in New Zealand.

When Target was hacked in 2013 and the personal information of 100 million customers was compromised, it was estimated that not only did the retail giant’s sales drop 3–4% but it also suffered an estimated $1 billion in fines and other related expenses.

Buying Data Cheap: Receiverships

Two recent events in Australia and New Zealand, this time in the context of receiverships, highlight a further legal issue. In 2016 the online retailer Kogan bought the Dick Smith Electronics customer lists (including email addresses). Kogan gave Dick Smith customers one week to opt out. In a similar case, Catch Group recently purchased Pumpkin Patch’s brand and customer list and again provided a one-week opt-out.

In both Australia and New Zealand this was considered to be sufficient to infer consent from those who had subscribed to receive marketing material from one party to instead receive marketing material from another. However, neither case has been tested in court and there are some significant questions as to whether continued use of the data will meet the privacy principles in both Australia and New Zealand that “information collected for one purpose must not be used for any other purpose”. This risk is amplified when data from one data set is combined with another, dramatically increasing both the potential value of the data and the risk that uses of that data go far beyond anything ever considered (or consented to) when the individual data sets were first collected.

The Take Outs

Most companies are likely already sitting on valuable data sets (as well as other important intangible assets). Often these assets will be off balance sheet, under-utilised and under-valued. Conventional reporting and analysis will often fail to identify significant opportunities. Management and boards have a legal obligation to generate a return on all assets, including data assets. There are very significant opportunities to unlock value and drive increased performance from such assets.

However, there are also very significant technical, legal and reputational risks and challenges to navigate. These issues require specialised business-centric expertise that measures the potential benefits against these risks: just because something is technically “viable” or is legally “acceptable” does not mean it is the right business thing to do.

So the data gold rush is on, but buying a shovel to dig up those data nuggets is not quite as simple as it seems.