In all three of these scenarios, there are specific parameters for how companies handle, store, and distribute your personal data. Yet, in a work-from-home world, it’s becoming more and more difficult for companies to enforce protections around sensitive data and prevent both internal and external data breaches. Data misuse occurs when individuals or organizations use personal data beyond those stated intentions. Often, data misuse isn’t the result of direct company action but rather the missteps of an individual or even a third-party partner. For example, a bank employee might access private accounts to view a friend’s current balance, or a marketer might use one client’s data to inform another customer’s campaign.
To be clear, data misuse isn’t necessarily theft—theft occurs when a bad actor takes personal data without permission—data misuse is when legitimately collected information is applied in a way beyond its original purpose. Typically, these instances are less malicious than an insider threat selling company data to a third party and are instead the product of negligence. In broad strokes, there are three different types of data misuse:
In September 2019, Twitter admitted to letting advertisers access its users’ personal data to improve the targeting of marketing campaigns. Cited by the company as an internal error, the bug allowed Twitter’s Tailored Audiences advertisers access to user email addresses and phone numbers. Twitter’s ad buyers could then cross-reference their marketing database with Twitter’s to identify shared customers and serve them targeted ads—all without our permission.
Not to be outdone, preliminary investigations in a European Union competition watchdog effort found the online retailer “appears to use competitively sensitive information – about marketplace sellers, their products and transactions on the marketplace.” The EU went on to open a second investigation in 2020 concerning the retailer’s use of non-public independent seller data. The outcomes of both are still pending.
Google was fined nearly $57 million in 2020 by the French data protection authority for failing to acknowledge how it used users’ personal data. During that same time, Ireland’s Data Protection Commission notified the global juggernaut of its intention to investigate the company’s use of and transparency around user location data—its second notification since the GDPR was made policy in 2018.
Getting in on data misuse before it was cool, Uber was fined $20,000 by the Federal Trade Commission (FTC) for its “God View” tool in 2014. “God View” let Uber employees access and track the location and movements of Uber riders without their permission. As a result of its settlement with the FTC, Uber paid the fine and agreed to hire an outside firm to audit its privacy practices every two years from 2014 through 2034.
And it’s not just tech firms! In 2015, a Morgan Stanley financial advisor pleaded guilty to taking the data for roughly 730,000 accounts—about 10% of the wealth management firm’s user base—and attempting to take that information with him to a competitor. In the process, the personal data of nearly 900 users was accessed and posted online by hackers who accessed the former employee’s home computer.
While the pro-Brexit group Leave.EU and UK insurance provider Eldon Insurance have very little in common on the surface, both organizations were co-founded by businessman Aaron Banks. In 2019, the UK’s Information Commissioner’s Office fined both organizations roughly $83,000 apiece for commingling customer data—political data for insurance and insurance data for politics.
While the financial impact of data misuse shouldn’t be understated, perhaps the greatest business impact comes in the loss of trust between the company and its audience.
It is entirely reasonable to expect the companies that handle our data to do so securely and under the agreed terms. Anything short of that agreement is a massive violation of trust between the people and the service provider—trust that is not easily rebuilt. Cambridge Analytica folded in less than three months, Google is still facing constant criticism, and Uber will be audited for the better part of the next two decades.
In 2020, hackers accessed 5.2 million Marriott guest records, including customer contact information, personal preferences, birthdays, and more. This attack succeeded because the attackers compromised employee credentials to access a third-party application. It was two months before anyone realized something was wrong.
Often, data misuse boils down to ignorance and negligence. However, as our digital footprints continue to grow and evolve, the necessity for responsible digital hygiene extends to every citizen of the internet—not just IT professionals.
That starts with improving our general online practices so that we as users are more selective about the companies we trust with our data and that we, as professionals, are treating our customers’ data with the same care we would our own.
Don’t mix professional and personal devices. Never download workplace data to your personal laptop, smartphone, desktop, home server, or whatever device you choose, no matter how fancy your home firewall, encryption, or VPN may be. This mixture of circumstances only invites further scrutiny and additional opportunities for cyber-attacks.
Phishing instances have skyrocketed in recent years, and while many users are more and more confident in their ability to sniff out bad actors, there’s always one person on our social media feeds trying to sell knock-off Ray-Bans. Don’t fall for the cheap tactics of bad actors. Confirm URLs before submitting personal data, don’t click links from email addresses you don’t recognize, and use complex passwords.
While we can refine and perfect our online habits to prevent our own potential misuse, we rarely get to set data policies for the companies we frequent. We as users and customers and contributors must hold the brands we trust accountable for maintaining those expectations. Change never happens out of complacency; whether it’s Big Tech or Wall Street, the only way organizations create serious policy around data misuse is when their customers demand it. Organizations should have basic security structures like behavior alerts and access management tools complemented by need-to-know access and zero-trust architectures. Likewise, we as consumers have a right to clear data collection policies and transparent use cases.
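The "behavior alerts" and "need-to-know access" controls mentioned above can be as simple as a rule run over an access audit trail. The example below is added here and is not Invisibly's code; it uses constructed audit records and a constructed need-to-know mapping to flag the bank-employee scenario from earlier: account lookups outside an employee's assigned accounts with no case ticket to justify them, plus employees whose lookup volume stands out from their peers.

```python
from collections import Counter
from statistics import median

# Constructed sample audit records (not real data): who viewed which account,
# and the case ticket, if any, that justified the lookup.
ACCESS_LOG = [
    {"employee": "alice", "account": "ACC-1001", "ticket": "CASE-17"},
    {"employee": "alice", "account": "ACC-1002", "ticket": ""},
    {"employee": "alice", "account": "ACC-9090", "ticket": ""},        # not hers, no ticket
    {"employee": "bob",   "account": "ACC-2001", "ticket": "CASE-22"},
    {"employee": "bob",   "account": "ACC-3001", "ticket": "CASE-23"}, # not his, but ticketed
    {"employee": "carol", "account": "ACC-4001", "ticket": ""},
    {"employee": "carol", "account": "ACC-4002", "ticket": ""},
    {"employee": "carol", "account": "ACC-4003", "ticket": ""},
    {"employee": "carol", "account": "ACC-4004", "ticket": ""},
    {"employee": "carol", "account": "ACC-4005", "ticket": ""},
    {"employee": "carol", "account": "ACC-4006", "ticket": ""},
]

# Constructed need-to-know mapping: the accounts each employee is assigned to service.
BOOK_OF_BUSINESS = {
    "alice": {"ACC-1001", "ACC-1002"},
    "bob": {"ACC-2001"},
    "carol": {"ACC-4001", "ACC-4002", "ACC-4003", "ACC-4004", "ACC-4005", "ACC-4006"},
}


def out_of_scope_accesses(log, book):
    """Return lookups of accounts outside the employee's book that carry no ticket.

    A ticketed lookup outside the book is treated as justified (escalation,
    cover for a colleague), so it is not flagged; an unticketed one is.
    """
    return [
        rec for rec in log
        if rec["account"] not in book.get(rec["employee"], set()) and not rec["ticket"]
    ]


def volume_outliers(log, factor=1.5):
    """Return employees whose lookup count exceeds `factor` times the peer median."""
    counts = Counter(rec["employee"] for rec in log)
    if not counts:
        return {}
    cutoff = factor * median(counts.values())
    return {emp: n for emp, n in counts.items() if n > cutoff}


if __name__ == "__main__":
    for rec in out_of_scope_accesses(ACCESS_LOG, BOOK_OF_BUSINESS):
        print("out-of-scope lookup:", rec)
    for emp, n in volume_outliers(ACCESS_LOG).items():
        print(f"volume outlier: {emp} made {n} lookups")
```

In practice the mapping would come from the CRM or case system and the cutoff from a per-role baseline, but the two checks are the same.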
As governing policies like the EU’s GDPR or California’s CCPA continue to shape the future of data regulation, it is only a matter of time before global expectations around data ownership and data misuse become more explicit expectations in every region.
At Invisibly, we believe every citizen of the internet has undeniable rights regarding how their data is used, collected, and monetized, regardless of their governing body. We provide transparency on where your data is going and enable you to benefit off its storage and use. We are more than just data factories. We hope that you’ll join us in that pursuit.