It’s a question being asked more and more lately: What are data brokers? The answer – in short – is that data brokers represent an emerging industry that trades in any and all data that can be collected from the Internet, mobile networks and other business sources.
After all, big data insights into complex customer behaviors are critical for gaining a competitive advantage for a wide range of businesses.
Unfortunately, because of the resale value of their information, any organization collecting substantial amounts of consumer data has become a favorite target of today’s cyber criminals. So, what if these massive data brokers get hacked? It’s a reality that every financial institution must be prepared to face.
A Quick Glance into the Data Brokerage Landscape
For consumers, 24/7 mobility presents a bit of a dilemma in the form of convenience vs. privacy. Ultimately, we all want to believe that our actions stay private while we’re online, but obviously that’s not always the case.
Regardless of your mobile browser settings (turning off cookies and attempting to eliminate “supercookies”), data brokers can use data fingerprinting to identify your shopping habits, browsing history and more. The more information they collect, the more appealing these organizations become to potential attackers.
What Are Data Brokers’ Fiduciary Obligations?
Collecting sensitive consumer information is a massive responsibility that data brokers may not always take seriously enough. For example, in August 2015, two data brokers (Sequoia One LLC and Gen X Marketing Group) took financial information they collected from consumers applying for payday loans and sold it to a third-party company, Ideal Financial Solutions.
This illegal sale fell under FTC investigation after 500,000 people had their bank accounts compromised. Ideal Financial then began debiting these accounts without permission and collected a total of $7 million from these consumers.
This wasn’t even a cyber attack. It was just sheer irresponsibility on the part of data brokers – as they sold the data directly to the criminals. These sorts of occurrences leave many questioning the ethics of data brokerage as a business model.
What are data brokers doing to protect their most valuable asset – your information? With no broad-spectrum policy in place, those decisions are left up to individuals beholden to a wide array of competing interests.
With data brokerage gaining so much notoriety, it’s only a matter of time before hackers start targeting these huge wells of financial information and making off with big profits.
What Happens if a Data Broker Gets Hacked?
Data brokers aren’t any more secure than other companies, and who’s to say Acxiom won’t be the next JP Morgan Chase, Sony or Home Depot? After all, it is a huge data brokerage firm that made $1.1 billion in revenue in 2014 from selling consumer information to willing buyers. Financial institutions face stiff repercussions if they are part of a data broker breach.
In the event that a data incident does occur, here are two things you should know:
- Generally, the financial institution that is compromised becomes responsible for consumer damages in the event of a data breach. In the case of Sequoia One LLC and Gen X Marketing Group, executives were forced to settle with the FTC for over $7 million (and that’s not including legal fees and costs of notification).
- The Electronic Fund Transfer Act protects consumer checking and banking accounts, limiting their losses to $50 in the case of a breach, assuming it is reported within 60 days. Financial institutions are required to make up for additional losses.
Why Data Brokers Won’t Disappear Any Time Soon
Ultimately, the question reverberating through the minds of every enterprise CISO and many well-informed consumers is, what are data brokers getting at? The truth is that this remains to be seen. The industry can take a number of potential paths to maturity, each one with different implications.
What we can say for sure is that, as an industry, data brokerage is seldom held to a high standard of responsibility. Unfortunately, privacy suits against data brokers are consistently rejected. So where does that leave us?
As long as people continue using mobile devices to conduct financial transactions, they’ll be relaying sensitive data to potentially irresponsible and vulnerable brokers. Until the appropriate regulatory bodies rein in the chaos, the only recourse left for individuals and enterprises is to develop an aggressive and comprehensive defense infrastructure.
Without controls in place governing how these companies collect and distribute consumer data, financial institutions will need to prepare for the multiple vulnerabilities data brokers represent. This entails securing consumer access points (mobile apps and online portals) and vigilantly scanning account activity for irregular behaviors impacting whole groups of customers.
Above all, financial institutions should never sell their data to such an organization – no matter how harmless it may seem. Do you believe that financial institutions should be held accountable for breaches originating with data brokers?