Data Breach vs. Data Misuse: A data breach is characterized by the active and unauthorized penetration by a third party into a company’s digital systems. Data misuse or manipulation is described as a more passive but legitimate sharing of information. Typically, the wrongful act occurs when the company receiving the data uses it in an unauthorized manner. The difference is nuanced, but the difference matters—at least as data breach laws are currently written. A true data breach triggers statutory notification requirements and subjects companies to penalties and liability if not properly followed. The obligations triggered after discovering data misuse are not as clear, but are likely to be addressed by courts and Congress in the near future. Nevertheless, companies should avoid falling victim to either type of “breach,” since both can damage consumer trust and negatively impact a company’s bottom line.
Most states have also enacted similar statutes that permit the attorney general to investigate and institute penalties against noncompliant companies. In New York, Attorney General Eric Schneiderman recently settled charges with three mobile health application developers, after the developers misled consumers about the capabilities of the apps and endorsements the apps had received.
In the end, even if your company’s data use complies with state and federal laws, it still must strictly adhere to your company’s policy to avoid penalties from government agencies. Companies should review their privacy policies and review current practices to ensure absolute compliance.
Control the Human Factor: Technology is not always the problem. Frequently, the breach or misuse is a result of human error, and a mistake by an individual employee subjects a company to the same obligations and penalties described above. Therefore, companies should track employee access to personal data, limit access to private data to individuals who need to access it, and provide ongoing training and education for the employees that process it.
As the dust settles on recent events in data security, data mining will likely undergo intensified regulation that accounts for both breach and misuse or manipulation. As a result, it is critical—now more than ever—that companies track how they receive, store, and share data, both now and in the future, to avoid any potential illegal or unethical practices.