Cell phones are a modern-day convenience — and annoyance. A few years ago, a Cornell University doctoral student and her colleagues conducted a study on why overhearing a phone conversation is so distracting and annoying. They found that hearing only half a conversation causes the brain to work overtime trying to decipher the other half of the conversation and fit the pieces together. Our brains are simply wired to solve puzzles, to take the parts of information provided and work toward a solution.
The functionality of our brain is at the core of why depersonalized data is far from anonymous. The natural detective in our brain immediately tries to put pieces together to identify the person behind the data. The theory that depersonalized data could be “anonymous” was debunked back in the mid-1990s. The Massachusetts Group Insurance Commission thought it could make depersonalized medical records public to assist in research and information sharing that would improve health services for all. A researcher named Dr. Latanya Sweeney was able to analyze the data and compare it against voter rolls to uncover the medical records and history of the governor of Massachusetts. She then politely mailed the records to the governor to prove her point that there is no such thing as “anonymous” information.
The amount of information captured, stored, analyzed, and sold every day is staggering. The captured data has generally been permission-based, meaning the user gave permission for the data to be collected and used. And to some extent, the data is depersonalized. Unfortunately, few laws and regulations protect individual privacy in the rapidly expanding big data industry.
But that may be changing. The Obama administration’s Big Data and Privacy Working Group released a report in May with six policy recommendations to protect individual privacy, including developing national data breach legislation and advancing the principles presented in the President’s Consumer Privacy Bill of Rights. I wouldn’t recommend holding your breath just yet for any major legislation to pass, but attention is certainly focused on the issue.
If you have any questions about cyber risk or cyber insurance, please feel free to e-mail me at sdougherty@iso.com. You can also follow me on Twitter @doughertyshawn.