Data breaches and privacy violations have long been thought of as different things, but actually, there is a lot of overlap.
Two recent FTC cases address this issue. These cases involve the Health Breach Notification Rule, 16 CFR Part 318, which covers health data breaches beyond HIPAA. The Rule had long existed, but the FTC only started enforcing it in 2021 (see the FTC’s announcement here). Under the Rule, a “breach of security” is defined as “acquisition of [PHR identifiable health information] without the authorization of the individual.” Unlike the FTC Act Section 5, which has no monetary penalties (unless a consent decree is violated), the Health Breach Notification Rule carries fines of more than $50,000 per violation.
In its enforcement of the Rule, the FTC has claimed that privacy violations are data breaches that should have been reported under the Rule.
- In In re GoodRx Holdings, Inc. (FTC 2023), the FTC claimed that GoodRx shared health data with advertisers, contradicting its privacy notice that stated it didn’t share such data with third parties. This is traditionally a privacy violation — a classic broken promises case. But the FTC contended that this was a data breach because the third parties obtained the data without the proper authorization. The FTC imposed a $1.5 million penalty for violating the Rule.
- In another case from this year, In re Easy Healthcare Corp. (FTC 2023), a fertility app called Premom shared user health data with third parties in violation of its privacy notice. The FTC asserted that this was a data breach that should have been reported under the Health Breach Notification Rule.
These cases are quite notable, and they go far beyond the Health Breach Notification Rule. As I have been arguing for years, privacy and cybersecurity are quite interrelated and should not be understood as the often-siloed separate domains that they are today. Data breaches need not be caused by hackers breaking in or by data being leaked or lost. They can occur even when a company intentionally shares data improperly — a common privacy violation.
I wrote about this issue in my book, Breached! with Woodrow Hartzog:
Everyone is so obsessed with preventing a breach through the back door that they neglect to pay enough attention to the front door. The “back door” is a metaphor to describe the illicit break-ins by hackers or other intruders. We clearly know that they don’t belong in the computer network. The “front door” describes the many people who are invited into the network or who already have access to the network. . . . .
Hackers know that sometimes the easiest way to break in is through the front door, so they pose as regular customers. Recall the ChoicePoint breach. . . . In that breach, the hackers posed as a legitimate ChoicePoint customer. They didn’t need to break in—ChoicePoint opened the door and let them in.
We also argued:
The Cambridge Analytica scandal demonstrates that the relationship between privacy and security is vitally important and increasingly frayed. Malicious parties compromised and exfiltrated Facebook users’ data in a way that was different than your standard “hack n’ breach,” but to nearly the same effect. The key difference is that the third parties that filched people’s data didn’t bypass Facebook’s technological safeguards. They used Facebook for the exact purpose for which it was designed. In other words, this was a breach that didn’t occur through a break-in at the back door but through a walk-in at the front door. We can’t protect data by locking it in a safe if we then give out the combination to anyone who asks for it. Although the front door is essential for security, it is often isolated in the privacy silo, where it doesn’t receive the extensive resources from the security silo. For many organizations, too myopic a focus on the back door results in insufficient protection for the front door.
What’s the upshot of all this?
- Data breaches don’t just involve failing to guard the back door; they also involve failures to guard the front door.
- Inadequate vetting of customers or other third parties with whom personal data is shared can constitute a data breach if these parties turn out to be malicious. This is the ChoicePoint case.
- Even more broadly, recent FTC cases are recognizing that the unauthorized sharing of personal data can be a breach. See the GoodRx and Easy Healthcare cases.
- Sharing data with third parties in violation of one’s privacy notice can constitute a data breach.
- Inadequate vetting of vendors or other third parties with whom personal data is shared could potentially constitute a data breach if these parties have inadequate data security, thus making sharing data with them a violation of a company’s privacy notice.
- Many forms of improper data transfer could potentially constitute a data breach. This could include sharing too much data (violation of data minimization requirements), sharing data of minors with advertisers without parental consent, failing to limit internal access of personal data to appropriate personnel, improper cross-border data transfer, and much more.
- Overall, many practices commonly understood to be privacy violations are also data breaches. And with data breaches, there are breach notification requirements as well as other laws that can be implicated. Under the California Consumer Privacy Act (CCPA), for example, there is a private right of action for data breaches but not privacy violations.
For those who are interested, our book is Breached! Why Data Security Law Fails and How to Improve It (Oxford University Press 2022).
We have posted our chapter on the relationship between privacy and security (available for free on SSRN).
And as thanks for reading to the end, here’s a cartoon about privacy and security:
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses. He is also the co-organizer of the Privacy + Security Forum events for privacy professionals.