While many of these agreements are unnecessarily dense and challenging to process, they do serve one very specific role for everyday people like you and me—they set the terms for how a company can use the personal data they collect from us. Typically, that data gets used in one of three ways:
- Personal data is aggregated and analyzed to provide us with more personalized advertisements.
- Personal data is logged and assessed for research and development.
- Personal data is sold to a data brokerage.
In all three of these scenarios, there are specific parameters for how companies handle, store, and distribute your personal data. Yet in a work-from-home world it has become harder and harder for companies to enforce those parameters. Data misuse occurs when individuals or organizations use personal data beyond the stated purpose it was collected for. Often, data misuse is not the result of deliberate company action but of the missteps of an individual employee or a third-party partner: a bank employee who looks up a friend's account balance, or a marketer who uses one client's data to inform another customer's campaign.
Data Misuse Examples in Our Daily Lives
To be clear, data misuse is not necessarily theft. Theft occurs when a bad actor takes personal data without permission; data misuse is when legitimately collected information is applied in a way beyond its original purpose. These incidents are typically less malicious than an insider selling company data to a third party and are more often a matter of negligence. In broad strokes, data misuse tends to fall into three categories:
1. Commingling
Commingling happens when an organization captures data from a specific audience for a specific stated purpose, then reuses that same personal data for a separate task later on. Reusing data submitted for academic research for marketing, or sharing client data between sister organizations without consent, are among the most common commingling scenarios. Commingling often occurs out of ease of access: marketers and business owners already hold the data and assume that, because they collected it, they are entitled to use it at their own discretion.
2. Personal Benefit
Data misuse for personal benefit occurs when someone with access to personal data abuses that access for their own gain. Whether out of simple curiosity or for competitive advantage, this kind of misuse is rarely malicious in intent. It regularly involves employees copying data to personal devices for convenience, often with disastrous results.
3. Ambiguity
While the intention may be innocent, the stakes can be incredibly high. The cost of data misuse can range from thousands to billions of dollars in fines, before counting any ransomware or legal settlements that follow from it. Data misuse cases have taken center stage several times in recent years, and in every instance there have been significant consequences for the company and its customers.
7 Examples of Data Misuse in the Modern World
Facebook and Cambridge Analytica
Perhaps the most infamous example of data misuse: in 2018, news outlets revealed that the UK political consulting firm Cambridge Analytica had acquired and used the personal data of Facebook users, data that had originally been collected by a third-party app under the banner of academic research. In total, Cambridge Analytica misused the data of nearly 87 million Facebook users, most of whom had never given explicit permission for the company to use, or even access, their information. Within two months of the scandal breaking, Cambridge Analytica was bankrupt and defunct, and Facebook was later left with a $5 billion fine from the Federal Trade Commission.
Twitter
In September 2019, Twitter admitted to letting advertisers access its users' personal data to improve the targeting of marketing campaigns. Described by the company as an internal error, the bug gave Twitter's Tailored Audiences advertisers access to user email addresses and phone numbers, including ones users had supplied for security purposes. Twitter's ad buyers could then cross-reference their own marketing databases with Twitter's to identify shared customers and serve them targeted ads, all without the users' permission.
Not to be outdone, a preliminary investigation by the European Union's competition watchdog found that the online retailer "appears to use competitively sensitive information – about marketplace sellers, their products and transactions on the marketplace." The EU went on to open a second investigation in 2020 into the retailer's use of non-public independent seller data. The outcomes of both were still pending at the time of writing.
Google
Google was fined nearly $57 million (€50 million) by the French data protection authority, CNIL, in a 2019 decision upheld on appeal in 2020, for failing to tell users clearly how it used their personal data and for relying on invalid consent for ad personalization. Around the same time, Ireland's Data Protection Commission notified the global juggernaut of its intention to investigate the company's use of, and transparency around, user location data, its second such notification since the GDPR took effect in 2018.
Uber
Getting in on data misuse before it was cool, Uber's "God View" tool, exposed in 2014, let employees track the location and movements of riders without their permission. Uber paid a $20,000 penalty to the New York Attorney General in 2016 over the tool, and under its later settlement with the Federal Trade Commission (FTC) agreed to have an outside firm audit its privacy practices every two years for the next 20 years.
Morgan Stanley
And it's not just tech firms. In 2015, a Morgan Stanley financial adviser pled guilty to taking data on roughly 730,000 accounts, about 10% of the wealth management firm's client base, reportedly with the intention of bringing it to a competitor. In the process, the personal data of nearly 900 clients was posted online by hackers who accessed the former employee's home computer.
Leave.EU and Eldon Insurance
While the pro-Brexit group Leave.EU and UK insurance provider Eldon Insurance have very little in common on the surface, both organizations were co-founded by businessman Arron Banks. In 2019, the UK's Information Commissioner's Office fined both organizations roughly £60,000 (about $83,000) apiece for commingling customer data: political data used for insurance marketing, and insurance data used for politics.
While the financial impact of data misuse should not be understated, perhaps the greatest business impact is the loss of trust between a company and its audience. It is entirely reasonable to expect the companies that handle our data to do so securely and under the agreed terms. Anything short of that is a massive violation of trust between the people and the service provider, and that trust is not easily rebuilt. Cambridge Analytica folded in less than three months, Google still faces constant criticism, and Uber will be audited for the better part of the next two decades.
While these actions may lack the malice of a traditional black-hat cyberattack, data misuse widens the opportunities for criminals to reach private data. Many instances of data misuse start with employees or legitimate third-party vendors copying company data from a secure server onto a personal device with weaker protections. Even the most robust network security controls are irrelevant once data leaves the secure perimeter. Once that personal data, or the credentials that unlock it, sits on a more vulnerable device, cybercriminals have a much easier path to the data they want.
In 2020, hackers accessed 5.2 million Marriott guest records, including contact information, personal preferences, birthdays, and more. The attack succeeded because the attackers used the login credentials of two employees at a franchise property to access a third-party application. It was about six weeks before anyone realized something was wrong.
Only you can prevent data misuse
Often, data misuse boils down to ignorance and negligence. However, as our digital footprints continue to grow and evolve, the necessity for responsible digital hygiene extends to every citizen of the internet—not just IT professionals. That starts with improving our general online practices so that we as users are more selective about the companies we trust with our data and that we, as professionals, are treating our customers’ data with the same care we would our own.
- Leave work at work
Don't mix professional and personal devices. Never copy workplace data to your personal laptop, smartphone, desktop, home server, or any other device you own, no matter how fancy your home firewall, encryption, or VPN may be. Mixing the two only invites extra scrutiny and gives attackers additional targets.
While we can refine our online habits to avoid misusing data ourselves, we rarely get to set data policies for the companies we frequent. As users, customers, and contributors, we must hold the brands we trust accountable for meeting those expectations. Change never comes out of complacency; whether it's Big Tech or Wall Street, organizations only build serious policy around data misuse when their customers demand it. Organizations should have basic security structures such as behavior alerts and access management tools, complemented by need-to-know access and zero-trust architectures, so that each access is checked against who is asking and the purpose the data was collected for. Likewise, we as consumers have a right to clear data collection policies and transparent use cases.
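To make the "need-to-know access plus behavior alerts" recommendation concrete, the following is an added example, not code from the original article or from Invisibly. It tags each stored record with the purpose it was collected for, refuses requests whose stated purpose differs from that collection purpose (the commingling case), refuses requests for subjects a user is not assigned to (the bank-employee case), and raises an alert for any user who accumulates repeated denials. The policy tables, user names, and log events are hypothetical and constructed for illustration.

```python
"""Purpose-bound, need-to-know access checks over a constructed access log.

Added example (not from the original article). The policy tables, user names
and log events below are hypothetical and constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """A stored personal-data record tagged with the purpose it was collected for."""
    subject_id: str
    collected_for: str


# Hypothetical policy: which purposes each role may invoke.
ROLE_PURPOSES = {
    "teller": {"account_service"},
    "researcher": {"research"},
    "marketer": {"advertising"},
}

# Hypothetical need-to-know assignments: the subjects a user is allowed to touch.
# Users absent from this table are not restricted to specific subjects.
ASSIGNMENTS = {
    "teller_1": {"acct-001", "acct-002"},
}

# Hypothetical behavior-alert threshold: this many denials from one user is suspicious.
ALERT_THRESHOLD = 3


def check_access(user, role, record, stated_purpose):
    """Decide one access request; return (allowed, reason)."""
    # 1. The role must be permitted to act for the stated purpose at all.
    if stated_purpose not in ROLE_PURPOSES.get(role, set()):
        return False, f"role '{role}' may not act for purpose '{stated_purpose}'"
    # 2. Purpose limitation: the stated purpose must match the collection purpose.
    if record.collected_for != stated_purpose:
        return False, (f"commingling: record collected for '{record.collected_for}', "
                       f"requested for '{stated_purpose}'")
    # 3. Need-to-know: an assigned user may only touch their own subjects.
    allowed_subjects = ASSIGNMENTS.get(user)
    if allowed_subjects is not None and record.subject_id not in allowed_subjects:
        return False, f"need-to-know: '{record.subject_id}' is not assigned to '{user}'"
    return True, "allowed"


def audit(events):
    """Evaluate a list of (user, role, record, stated_purpose) events.

    Returns (decisions, alerts): one (user, subject_id, allowed, reason) tuple per
    event, plus the sorted list of users whose denial count reached ALERT_THRESHOLD.
    """
    decisions = []
    denials = Counter()
    for user, role, record, purpose in events:
        allowed, reason = check_access(user, role, record, purpose)
        decisions.append((user, record.subject_id, allowed, reason))
        if not allowed:
            denials[user] += 1
    alerts = sorted(u for u, n in denials.items() if n >= ALERT_THRESHOLD)
    return decisions, alerts


# Constructed sample log: a teller browsing accounts that are not theirs, a marketer
# reusing research data (and then claiming "research" as the purpose), and two
# legitimate accesses.
SAMPLE_EVENTS = [
    ("teller_1", "teller", Record("acct-001", "account_service"), "account_service"),
    ("teller_1", "teller", Record("acct-777", "account_service"), "account_service"),
    ("marketer_1", "marketer", Record("user-42", "research"), "advertising"),
    ("researcher_1", "researcher", Record("user-42", "research"), "research"),
    ("marketer_1", "marketer", Record("user-42", "research"), "research"),
    ("teller_1", "teller", Record("acct-888", "account_service"), "account_service"),
    ("teller_1", "teller", Record("acct-999", "account_service"), "account_service"),
]


def run_sample():
    """Run the audit over the constructed log; returns (decisions, alerts)."""
    return audit(SAMPLE_EVENTS)


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for user, subject, allowed, reason in decisions:
        print(f"{user:13} {subject:9} {'ALLOW' if allowed else 'DENY '} {reason}")
    print("behavior alerts:", alerts)
```

The design point is that the collection purpose travels with the record rather than living only in a privacy policy, so a marketer cannot reuse research data by simply asking for it, and claiming a different purpose fails the role check instead. Repeated denials from one user surface as an alert, which is the "behavior alert" that would have flagged a God View-style browsing pattern.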
As governing policies like the EU's GDPR or California's CCPA continue to shape the future of data regulation, it is only a matter of time before expectations around data ownership and data misuse become explicit in every region. At Invisibly, we believe every citizen of the internet has undeniable rights regarding how their data is collected, used, and monetized, regardless of their governing body. We are more than just data factories. We hope that you'll join us in that pursuit.