Recently, Barclays learned of a data breach unlike any other reported to date. Not only was customer financial information stolen, but also detailed health information and psychological profiles on risk aversion for customers. The data was being used not by hackers, but by high pressure securities trading firms. This could be the tip of the iceberg in terms of a competitive assault on privacy.
This breach is particularly interesting because the subjects could be hurt by the disclosure in a material way. Privacy torts have been a recognized valid reason to sue since around 1890, but nobody pursues it because there is no legally recognized harm to be compensated for. However, if the people who acquired this data used it to harm the subjects, that all could change, opening up a whole new area of liability for organizations that has yet to be seen.
The irony is that this data was collected for a business unit that has not been operating since 2011. There was no longer any value to the organization to keep the data online and available. Yet now, in addition to data breach reporting requirements, the organization has opened themselves up to unlimited liability for the potential misuse of that data.
This talk will discuss potential liabilities of detailed customer information and a few simple ideas to mitigate the risk.
Christie Dudley started her career with a BSEE with an emphasis in digital communications from the University of Kansas. A 15 year enterprise network engineer career, largely in finance and manufacturing followed. Starting with a study in anthropology she decided to change fields, eventually pursuing an old interest in communications security and privacy and a brief internship in hardware security. Seeking to combine her interests in technology and society she began pursuing the field from a new perspective, enrolling as JD candidate at Santa Clara Law. She now consults on privacy issues related to communications technology while completing her law degree. She has also cofounded Fork the Law, an effort to bridge the gap between technologists and legislation.
Wayne Huang is VP Engineering at Proofpoint, Inc. and was co-founder and CEO to Armorize Technologies, Inc. With over 15 years of experience in enterprise security, He has led teams to design and develop products that address a spectrum of enterprise security needs, including Web application security, source code analysis, vulnerability assessment, web malware detection, anti-malvertising, malware forensics, advanced threats detection, and threat intelligence analytics.
Wayne is a frequent speaker at security conferences including Black Hat (10), DEFCON (10), RSA (07, 10), SyScan (08, 09), OWASP (08, 09), Hacks in Taiwan (06, 07), WWW (03, 04), PHP (07) and DSN (04). His research has received worldwide media coverage, including for example Reuters, IDG, USA Today, Wired, BBC News, Dark Reading, The Register, The Hacker News, SC Magazine, eWeek, Threat Post, and Krebs on Security.