Is Depersonalized Demographic Data Really Anonymous Information?

By Shawn Dougherty July 7, 2014

Cell phones are a modern-day convenience — and annoyance. A few years ago, a Cornell University doctoral student and her colleagues conducted a study on why overhearing a phone conversation is so distracting and annoying. They found that hearing only half a conversation causes the brain to work overtime trying to decipher the other half of the conversation and fit the pieces together. Our brains are simply wired to solve puzzles, to take the parts of information provided and work toward a solution.

The way our brains work is at the core of why depersonalized data is far from anonymous. The natural detective in our brain immediately tries to put pieces together to identify the person behind the data. The theory that depersonalized data could be “anonymous” was debunked back in the mid-1990s. The Massachusetts Group Insurance Commission thought it could make depersonalized medical records public to assist in research and information sharing that would improve health services for all. A researcher named Dr. Latanya Sweeney was able to analyze the data and compare it against voter rolls to uncover the medical records and history of the governor of Massachusetts. She then politely mailed the records to the governor to prove her point that there is no such thing as “anonymous” information.

The amount of information captured, stored, analyzed, and sold every day is staggering. The captured data has generally been permission-based, meaning the user gave permission for the data to be collected and used. And to some extent, the data is depersonalized. Unfortunately, few laws and regulations protect individual privacy in the rapidly expanding big data industry.

But that may be changing. The Obama administration’s Big Data and Privacy Working Group released a report in May with six policy recommendations to protect individual privacy, including developing national data breach legislation and advancing the principles presented in the President’s Consumer Privacy Bill of Rights. I wouldn’t recommend holding your breath just yet for any major legislation to pass, but attention is certainly focused on the issue.

If you have any questions about cyber risk or cyber insurance, please feel free to e-mail me at sdougherty@iso.com. You can also follow me on Twitter @doughertyshawn.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.