Craft Compliance

Third Party Data Breaches: How Data Sharing Should Work



Third-party data breaches are unfortunately all too common these days. Check out this blog post from our Technical Services Director Nat Shere to learn more about what happens when third-party data is breached and how data sharing should work:

“You've been pwned!”

I have seen this email a few times before, but at least I usually recognize the company name when it happens. Data breaches are, after all, a fact of life these days. Sometimes it is negligence. Sometimes it is just bad luck. But, that is the risk we take in sharing our personal information.

This time, though, I didn't recognize the company name (Eye4Fraud) at all, let alone remember ever entrusting my personal data to this company.

So, two things were at play here:

  1. The fact that my personal data was shared without my awareness.

  2. The details of specifically what type of data was shared.

According to haveibeenpwned.com's notification, user passwords were also disclosed in the breach, which raises the serious question of why passwords would have been shared at all.

And this third-party data sharing isn't just a personal issue.

Late last year, the Department of Health and Human Services issued a notice that web trackers can violate HIPAA regulations.

Earlier this year, for the first time, the FTC fined a company ($1.5 million) for failing to notify users that their data was being shared with a third party.

And just recently, on March 1, Cerebral Inc., a provider of online mental health services, issued a HIPAA privacy breach notice because they had been sharing personal health information (PHI) with third parties such as Facebook, Google, and even TikTok since 2019. The breach affected around 3.17 million patients.

This issue has even led to a bill in the Senate, called the Uphold Privacy Act, which could ban any source from collecting PHI for advertising use without the user's explicit consent.

The simple response is, of course, to get user consent. That way, you don't have to change anything else.

But users are becoming more aware and conscious of privacy concerns these days, so starting a customer interaction with “please let us share your personal data” isn't a great first impression.

Instead, be very aware of exactly where you are sharing data and why and ensure that your vendors prioritize security as much, if not more so, than you do. Consider how important the vendor's services are compared to the additional data and security risk that sharing your customers' data entails.

Hopefully, then you won't have to make a breach notification for somebody else's bad luck.
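One way to put the advice above into practice, as an added example that is not from the post or from Craft Compliance: a per-vendor allowlist that keeps fields such as password hashes out of every outbound payload, plus a ledger of what was shared with whom, so that a vendor breach like the one described can be scoped to the affected customers. The vendor names, field names and customer record are constructed for illustration.

```python
"""Added example (not from the post or Craft Compliance): enforce a per-vendor
allowlist on outbound customer data and keep a ledger of what was shared.
Vendor names, field names and the customer record are constructed."""
from datetime import datetime, timezone

# Fields that must never leave the organisation, whatever a contract says.
NEVER_SHARE = frozenset({"password", "password_hash", "ssn", "card_number"})

# Hypothetical data-sharing agreements: vendor -> fields it may receive.
VENDOR_ALLOWLIST = {
    "fraud-screening-vendor": frozenset({"email", "order_total", "shipping_zip"}),
    "email-marketing-vendor": frozenset({"email", "first_name"}),
}

class SharingPolicyError(ValueError):
    """Raised when a share would violate the data-sharing policy."""

def validate_allowlists(allowlists=VENDOR_ALLOWLIST):
    """Fail fast if any agreement would let a forbidden field out the door."""
    for vendor, fields in allowlists.items():
        bad = fields & NEVER_SHARE
        if bad:
            raise SharingPolicyError(f"{vendor} allowlist contains {sorted(bad)}")
    return True

class SharingLedger:
    """Records what was sent to whom, so a vendor breach can be scoped."""
    def __init__(self):
        self.entries = []  # one dict per share: when, vendor, customer_id, fields

    def record(self, vendor, customer_id, fields):
        self.entries.append({"when": datetime.now(timezone.utc), "vendor": vendor,
                             "customer_id": customer_id, "fields": sorted(fields)})

    def affected_customers(self, vendor):
        """Customer ids to notify if `vendor` reports a breach."""
        return sorted({e["customer_id"] for e in self.entries if e["vendor"] == vendor})

def build_vendor_payload(vendor, customer, ledger):
    """Return the minimised record for `vendor` and log the share in `ledger`."""
    if vendor not in VENDOR_ALLOWLIST:
        raise SharingPolicyError(f"no data-sharing agreement for {vendor}")
    allowed = VENDOR_ALLOWLIST[vendor] - NEVER_SHARE  # defence in depth
    payload = {k: v for k, v in customer.items() if k in allowed}
    ledger.record(vendor, customer["id"], payload.keys())
    return payload
```

Run `validate_allowlists()` at startup so a misconfigured agreement is caught before any customer data moves, and query `ledger.affected_customers(vendor)` when a vendor reports a breach.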

