If US citizens weren’t convinced by now that they have long lost control of their data, the fact became more than obvious after a misconfigured database containing information on 198 million US voters was found leaking online.
What’s more, successfully suing Deep Root Analytics, the company that inadvertently leaked the data, will likely be difficult, if not impossible.
The root of the problem
Different US states have different data security regulations. Some of those regulations don’t cover the type of data revealed here and aren’t usually applied to this type of company. The various US states also have different laws concerning voter information.
“Some states have laws requiring that businesses have reasonable security measures in place to protect personal information, but those laws are generally directed toward financial harms like identity theft. The information here, while many would consider it sensitive, probably wouldn’t be subject to those laws,” Everett Monroe, an attorney with California-based law firm Hanson Bridgett, told SC Magazine.
“Other tort causes of action, like invasion of privacy or publication of private facts, often require that the information either be obtained in an improper manner or not be publicly available. It sounds like the exposed information was collected from publicly available sources, which makes it difficult for individuals to successfully sue on those grounds.”
But what about the leaking of information that creates a pretty accurate picture of where individual voters stand on many political issues? Deep Root Analytics says that information is proprietary, so it’s possible that data security laws might not apply in the same measure.
I think we can safely say that current data security and breach laws are way behind these modern times and data usage realities.
Possible consequences and fixes
As UpGuard analyst Dan O’Sullivan noted when he revealed the leak, “beyond the almost limitless criminal applications of the exposed data for purposes of identity theft, fraud, and resale on the black market, the heft of the data and analytical power of the modeling could be applied to even more ambitious efforts – corporate marketing, spam, advanced political targeting.”
Chris Pierson, CSO and General Counsel of Viewpost, notes that the exposure of RNC voter data ups the ante for election security in 2018 and beyond.
“The unique problems attached to a voter database include the fact that the immutable characteristics, location and age data will be viable points of attack for decades to come in many instances,” he told Help Net Security. “With such a large data dump of voter data and contact information, a nation state could reverse engineer an influence attack on those individuals that might be able to affect their voting predisposition or the communications they receive in future elections.”
“The RNC database leak root cause appears to be sloppiness by their third-party and might have been caught in mandated configuration scanning or cloud storage providers or other types of penetration testing,” he also added.
“All companies rely on third parties to perform services on their behalf in varying degrees. But while you can offshore or outsource tasks and functions, you can never outsource the risks. As such, every company that deals in sensitive or valuable data should have an information assurance program that risk rates their vendors, monitors them for security and other factors and provides governance to the company regarding their third-party and the risk appetite set by the company.”