Making the Case for Data Minimization

Both Apple Inc. and Meta Platforms, Inc. recently fell prey to a social engineering scheme leading to both companies divulging personal information of their clients to hackers.

The personal information divulged included addresses, phone numbers, and IP addresses.  The divulgence occurred when the hackers and ultimate data recipients pretended to be law enforcement officials.  Under certain conditions companies are obligated to comply with requests from law enforcement.

The companies thought they were doing everything properly, by the book.  Sometimes law enforcement does submit requests for data from companies.  More often than not, the requests are accompanied by search warrants or subpoenas signed by a judge.  Sometimes though, “emergency data requests” come in and they don’t require accompanying legal process at the outset.

The very nature of the requests, emergent in nature, influences companies to be more compliant, to not ask questions, to provide the data expediently to stay on the requestor’s good side.  However, as the hackers demonstrated, there are some flaws in the system.  Are there not enough safeguards for emergency data requests?  Do companies just bow to the requests of law enforcement without proper consideration of privacy?

Apple’s law enforcement guidelines say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Meta, for its part, said that they “review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests.”

Despite their safeguards, they still ended up divulging personal information to unauthorized third parties.

It’s an example of hacking cross-contamination.  Hackers gained access to email domains belonging to law enforcement agencies.  That strategic position, of appearing to be an authorized requestor allowed them to gain access to additional information that they shouldn’t have had access to.

The particularly scary thing about this episode is that the companies presumably had adequate cybersecurity measures to prevent the hackers from forcing their way into their systems.  That didn’t matter.  The hackers found a way.

Thus, the case is made for data minimization.  There is always some risk in maintaining personal information.  Data breaches can come in many forms.  Even when companies think they are doing everything right, the regulatory requirements themselves that they need to comply with may cause their liability.

Based on their own safeguards, Apple and Meta should have caught these social engineering efforts.  Maybe the regulatory burdens were too heavy.  Thankfully, Clarip can help companies manage a hefty data privacy regulatory burden.  Clarip provides tools for data subject request fulfillment, consent management, data mapping, vendor management, website scanning, and much, much more.  Visit us at www.clarip.com or call us at 1-888-252-5653 to learn more.

Email Now:

Mike Mango, VP of Sales
mmango@clarip.com