“If you delete it, it’s gone forever!” – CISOs who have not succeeded at eliminating unsecured external data
This is potentially the most dangerous misconception any CIO or CISO can hold when it comes to combating the pernicious effects of Data Brokers. How to stop Data Brokers from feeding the risk of data breaches and other damaging activities impacting your organization is a challenge which must be addressed. The consequences of failure have never been more dire.
Businesses are increasingly aware that Data Brokers, People Search Sites and other sources of “unsecured external data” are a serious problem when it comes to cyber security, physical security and competitive advantage in the market. As knowledge of this enemy improves, businesses are growing more adept and aggressive at deploying solutions to protect their operations. However, there is still a fundamental misunderstanding about how the Data Broker industry works. This misunderstanding – the idea that once unsecured external data has been deleted, it’s gone forever – leads many companies to a false sense of security.
This document illustrates in eye-opening detail why efforts to secure external data must be ongoing if they are to succeed in any measure. It dispatches the misconception that the process can be achieved with a single, limited engagement providing protection from cybercrimes once and for all. In order to understand why this is the case, this document also educates the reader on the mechanics of the Data Brokerage industry, shining light on how it works.
Data Brokers and People Search Sites 101
Data Brokers and People Search Sites are leading sources of “PII”, the personally identifiable information used to perpetrate cybercrimes like data breaches, ransomware, phishing and other social engineering cyber-attacks. Data Brokers’ product (the PII of your entire workforce and their families) is also routinely used in nominally legal ways by unscrupulous parties to exert competitive advantage in business, fueling damaging activities such as employee poaching, industrial espionage/IP theft, bothersome telemarketing and spam, sapping productivity and costing businesses millions of dollars every year.
As noted in a Privacy Bee White Paper titled, Exposing the Threat to Data Privacy by Data Brokers and People Search Sites, “Industry watchers suggest there are presently more than four thousand Data Brokerage and People Search Site companies in operation worldwide. Delaware-based custom research firm, Transparency Market Research Inc. estimates that in the United States alone, the data broker marketplace will reach a value of $462 billion by 2031. It is growing at a robust compound annual growth rate of 6.8% between 2022 and 2031!” The market for sales of unsecured external data is enormous and growing due to the crushing demand – from both legitimate and illegitimate consumers.
It is important to understand the difference between Data Brokers and People Search Sites as well as the relationship between these two types of organizations. If you have ever purchased a list for sales or marketing purposes, you already possess some understanding of the business model of list resellers and People Search Sites. Marketing list sellers provide detailed lists of prospective customers a business can use to increase sales and drive brand awareness via online and offline sales outreach. The data included in the list purchase can be customized to deliver highly specific groups, improving direct marketing success and boosting new business close ratios.
But that highly specific data does not originate from the People Search Site or list seller. Those sellers buy it from a much smaller group of Data Brokers which feed the mushrooming array of People Search Sites and list sellers.
So, how do Data Brokers produce their product? Privacy Bee CEO, Harry Maugans explains. “The way the industry really works in a nutshell is that People Search Sites or list resellers don’t really collect any data themselves. It is an enormous task that most People Search companies are unable to manage. They’re not data originators or aggregators. They’re basically megaphones, amplifying the volume of PII they purchase from Data Brokers. It is the Data Broker companies that do the actual work of collecting, analyzing, and organizing these vast tranches of PII into usable product.”
Maugans continues to explain that large Data Brokers like Axiom, Epsilon, and others ingest dozens to hundreds of data feeds into their database – all day, every day. These feeds come from a disquieting array of sources with which American consumers routinely interact. Sources can include:
- Online surveys
- Credit card companies which sell the data they collect during applications
- Supermarket and other retail store loyalty programs that sell data they collect
- Insurance companies
- Magazine, newspaper and digital media subscription services
- Public sources like court and motor vehicle records
- Census data
- Birth certificates
- Marriage licenses and divorce records
- Voter registrations
- Bankruptcy records
- Countless other sources of data both public and private
Collecting or aggregating all these data is just the first step in the process of producing the finished product for a Data Broker. The next step involves stitching together the individual data points specific to every unique individual as the data arrives from the numerous sources listed above. Using common data points like date of birth, first name-last name combinations, telephone numbers, etc., the Data Broker builds a profile for every single individual in the country. It is a good deal of work, but once they’ve identified and verified an individual, they continuously append that individual’s file with all the data they find across all these incoming sources.
As the file on each individual grows, the Data Broker can zero in and drill down into highly specific markers for the person’s affinities, habits, needs, desires, and so forth. Detailed affinity data can come from magazine subscriptions for example, which correlate to the person’s interests and hobbies. Parenting magazines and online groups for example suggest information about the individual’s family. Automotive and motor sports magazines suggest information about a person’s hobbies and pastimes.
Every day, these files are refreshed with the latest data points flowing into the Data Brokers’ operation from the hundreds of sources they exploit. This keeps each individual file as current as possible.
The Data Broker maintains this massive pool of PII data for everybody in the nation in what they refer to as a “Consumer File”. Some Data Brokers call it a “Master File” or “National Consumer File”. It is the total, aggregate of all the data they collect, organized into searchable profiles for every man, woman, and child. It is their entire inventory.
At this point, the Data Broker can offer specialized segments of their data to interested buyers in what the industry refers to as “Selects”. This is where a buyer can purchase specific slices of the Master File, based on their specific needs. Many times, the customers of the Data Broker are list selling companies, many of which specialize in certain marketing channels. The People Search Sites are also customers of Data Brokers. People Search Sites commonly sell individual background checks to their customers, so they’ll license the Master File from a Data Broker. List sellers and People Search Sites typically buy licenses from Data Brokers which include regularly scheduled updates or refreshes so that their data is up to date.
As anyone who has purchased a marketing list from a list seller knows, the data is freshest the day it is purchased and uploaded into the CRM or other sales/marketing tool being used. Over a period as short as 2 to 3 months, the data already begins to show age and the accuracy soon drops off, leading bounce rates on emails and frequency of dead/bad phone numbers to rise. This is because people change email addresses, get new phone numbers, move to new homes/addresses, etc. So, the Data Broker industry relies on its ability to refresh its data and deliver updated information to its customers.
What becomes clear is that Data Brokers are constantly updating their National Consumer Files. Their customers (People Search Sites and other list sellers) typically pay for licenses that include periodic data updates/refreshes. The more frequent the refresh rate – say monthly as opposed to quarterly or semi-annually – the higher the license fee charged.
With this understanding of the internal operations of Data Brokers and their customers, one can rightfully conclude that in order to protect one’s organization from the myriad threats enabled by unsecured PII and other personal data, one must successfully have all this data deleted from these sources.
How Deletions Work (and How they Fail to Stop Data Brokers)
A burgeoning marketplace of solutions purporting to protect organizations from risks associated with data privacy has sprung up to capitalize on this awakening to the threat and the cost of inaction. With varying degrees of success, these myriad solutions promise to remove their customers’ data from the databases offered for sale (or in some cases even for free) on the internet.
The process of requesting the deletion of one’s data from any of these individual data brokers or people search sites is referred to in the industry and in the patchwork of regulations and legislation struggling to keep pace with privacy concerns as a DSAR. A DSAR or “Data Subject Access Request” is a formal inquiry made to a company (like a People Search Site, a Data Broker company or even an individual website or online organization). The inquiry is made by a data subject (that’d be an individual, or a group of individuals within an organization) inquiring what personal data and information has been collected, stored, and used. A DSAR is almost always issued with a deletion request.
Most DSARs and deletion requests are honored and the process is fairly straightforward. But effectively protecting the privacy and cyber security of an entire organization and its workforce is a labor-intensive process. It involves issuing, tracking, and confirming thousands of DSARs sent to thousands of organizations on behalf of dozens to hundreds of employees (depending on the size of the organization). It is something that most organizations are likely to outsource, which explains the explosion of services and technologies popping up to address the demand.
Although most of these services and solutions are happy to collect their fee for issuing DSARs and deletion requests, the vast majority of the data they have deleted on behalf of their customers returns to the databases from which it had recently been removed, sometimes within mere weeks of having been deleted.
Without a strictly organized and ongoing process of managing DSARs, here’s what commonly occurs:
- Organization issues DSAR/Deletion requests to any number of Data Brokers, People Search Sites or other locations where unsecured PII has been detected by scanning
- Weeks of follow up and correspondence ensues and deletions are ultimately achieved for most of the DSARs issued
- Each People Search Site or list reseller purchases new or receives refreshed data from the Data Brokers as part of its license/contract
- The unsecured data on your personnel is restored to the People Search Sites’ databases
So, in many cases, the data that had recently been removed as a result of the DSAR process is quickly returned to the same places. Because there are so many People Search Sites – each on its own schedule of refreshes – it is nearly impossible to keep the unsecured data from returning.
Organizations may also issue DSARs to Data Brokers as part of efforts to interdict the flow of data from the National Consumer Files to all the search sites and list resellers. Similarly, the Data Brokers will remove the specified data in response to the DSARs they receive. However, as noted, Data Brokers continue to ingest data feeds daily from innumerable sources of data, public and private. As a result, even if one’s data is successfully purged from a Data Broker’s Master File, it is likely that new PII and data on every individual will soon be reintroduced to the file.
For any organization laboring under the misconception that “If you delete it, it’s gone forever”, it can seem as though the solution they’ve engaged has failed. After a six-month engagement, the unsecured data is still available on the internet. So, many write the effort off as a loss and cease attempts to stem the tide of unsecured data.
Isn’t There Legislative or Regulatory Protection for Privacy?
The size and scope of the privacy problem are enormous, and the risks and challenges are only just beginning to come into focus – both for private individuals as well as businesses and organizations. How to stop Data Brokers is a question that grows more urgent as each new day brings tales of wreck and ruin of companies targeted and victimized by social engineering and phishing scams, ransomware attacks, data breaches, industrial espionage, intellectual property theft and even physical attacks on high profile executives and political leaders. Governments, courts and corporate governance are behind the curve when it comes to addressing these threats. There is no unified, generally accepted framework – legislative or judicial – to administer regulations equally across the nation, let alone the world.
Illustrating the current, fragmented regulatory environment, law firm and legal information repository, JD Supra reports, “An astonishing 71% of countries worldwide have data privacy laws in place, and another 9% have drafted legislation. Meanwhile, five U.S. states have enacted data privacy laws and 35 states have at least contemplated data privacy legislation.”
There are emerging protocols and regulations originating in different countries and in different states within the US. Two of the best known of these patchwork regulations are the GDPR (General Data Protection Regulation), a data protection and privacy law on the books in the EU and the European Economic Area, and the California Consumer Privacy Act of 2018 (CCPA). Ratified in 2016, the GDPR was the archetype for the CCPA, which gave consumers more control over the personal information that businesses collect about them. The CCPA regulations were used in 2020 to serve as the basis for the California Privacy Protection Agency (CPRA), which helps with enforcement of CCPA regulations. Other similar laws are cropping up, like the CDPA in Virginia, Colorado’s CPA, and Connecticut’s CTDPA. Brazil, Canada, Saudi Arabia and other countries are also fielding similar laws.
Broadly speaking, these regulatory bodies generally maintain rules regarding “opt-out” and deletion protocols, establishing a set period which must be observed following a DSAR deletion request and during which a requestor’s data must not be returned to the Master List. However, if an organization or requestor is not located in an area governed by one of these regulations, they are not protected. In addition, once the observation period has expired, their data can easily be reintroduced to the Data Brokers’ Master Lists.
Deleting the Unsecured External Data Once and For All
The reality is that scanning and deletion must be an ongoing discipline and practice. No service or solution can scan and identify all the unsecured external data and then achieve all the deletions once and for all. To successfully protect privacy and mitigate the significant risks of unsecured external data, organizations must sustain the effort indefinitely. Over time, by continuing to remove the unsecured data from wherever it is found, the availability of one’s personal data begins to tighten. Failure to address privacy management as a discipline in today’s threat environment is akin to professional malpractice. Privacy management is a fact of life in business today and must be addressed as such.
Physical fitness regimens provide an apt metaphor for privacy management. If one’s body is out of shape, one might join a gym to work on improving one’s physical fitness. The first workouts are the hardest. As physical fitness improves, the activities of the workout become easier, and less time and effort is required to maintain fitness levels. However, if one stops exercising altogether, the hard-won gains are quickly lost.
Achieving healthy data hygiene and securing external data for any organization is similar. As it should now be apparent, deleting data from one People Search Site or Data Broker does not mean it stays deleted; there is little chance the data will not return to these outlets within weeks to months. As such, it becomes clear that monitoring and DSAR management must be an ongoing practice. The longer it is practiced, the less data is available to be re-ingested by Data Brokers and the more effective privacy management efforts become.
Another important metaphor to help understand the process is the concept of the tree and the leaves. Think of Data Brokers as the trunk and branches of a tree. Consider each People Search Site and list reseller as an individual leaf on the tree. If an organization focuses only on deletions with People Search Sites, removing individual metaphorical leaves, the trunk and branches will provide the energy to regrow new leaves more quickly than they can be pruned. This is why solutions that focus only on removing PII data from People Search Sites are destined to fail. A far more effective strategy is to focus efforts at least as much on the Data Brokers as on the People Search Sites. The number of Data Brokers is far lower than the number of People Search Sites. Moreover, the Brokers are the true aggregators of the data, feeding the entire industry. If the trunk of the tree is felled, no more leaves will be able to grow on any branch.
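The cycle described above (deletion, license refresh, re-ingestion) and the tree-and-leaves argument can both be checked with a small model. The following is an added example written for this page; it is not Privacy Bee’s code or any Data Broker’s actual system. The outlet names, refresh cadences (monthly, bi-monthly, quarterly), the 90-day opt-out suppression window honoured by the broker, and the 45-day re-scan interval are all assumptions chosen to make the cycle visible; real contracts and regulations vary. It simulates 180 days and counts exposure-days under three DSAR policies: a one-off engagement against People Search Sites only, a one-off engagement that includes the upstream broker, and an ongoing re-scan and re-issue programme that includes the broker.

```python
"""Model of the DSAR deletion / data-refresh cycle. Constructed example;
outlet names, cadences and windows are assumptions, not real data."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Outlet:
    name: str
    upstream: list[str]        # outlets this one refreshes from ([] = raw feeds)
    refresh_days: int          # license refresh / feed ingestion cadence
    suppress_days: int = 0     # opt-out window honoured after a deletion
    exposed: bool = True       # does this outlet currently hold the record?
    suppressed_until: int = -1

    def refresh(self, day: int, world: dict[str, "Outlet"]) -> None:
        """Scheduled refresh: regain the record from upstream (or raw feeds)."""
        if day % self.refresh_days or day <= self.suppressed_until:
            return
        if not self.upstream:
            self.exposed = True  # a broker's raw public/private feeds never stop
        else:
            self.exposed = self.exposed or any(world[u].exposed for u in self.upstream)


def build_world() -> dict[str, Outlet]:
    # Assumed topology: one broker (trunk) feeding three leaves.
    return {o.name: o for o in [
        Outlet("BrokerA", [], refresh_days=1, suppress_days=90),
        Outlet("SearchSite1", ["BrokerA"], refresh_days=30),
        Outlet("SearchSite2", ["BrokerA"], refresh_days=90),
        Outlet("ListSeller", ["BrokerA"], refresh_days=60),
    ]}


def delete(outlet: Outlet, day: int) -> None:
    """A DSAR deletion that the outlet honours on the day it is issued."""
    outlet.exposed = False
    outlet.suppressed_until = day + outlet.suppress_days


def simulate(horizon: int, rescan_every: int | None, targets: list[str]) -> dict[str, int]:
    """Return exposure-days per outlet over `horizon` days.

    rescan_every=None models a one-off engagement (DSARs on day 0 only);
    otherwise the record is re-scanned every `rescan_every` days and a
    fresh DSAR is issued wherever it has reappeared.
    """
    world = build_world()
    exposure_days = {name: 0 for name in world}
    for day in range(horizon):
        for outlet in world.values():
            outlet.refresh(day, world)
        if day == 0 or (rescan_every and day % rescan_every == 0):
            for name in targets:
                if world[name].exposed:
                    delete(world[name], day)
        for name, outlet in world.items():
            exposure_days[name] += outlet.exposed
    return exposure_days


LEAVES = ["SearchSite1", "SearchSite2", "ListSeller"]
ALL = ["BrokerA"] + LEAVES


def compare_policies(horizon: int = 180) -> dict[str, int]:
    """Total exposure-days across all outlets for each policy."""
    return {
        "one-off, leaves only": sum(simulate(horizon, None, LEAVES).values()),
        "one-off, broker + leaves": sum(simulate(horizon, None, ALL).values()),
        "ongoing (45d), broker + leaves": sum(simulate(horizon, 45, ALL).values()),
    }


if __name__ == "__main__":
    for policy, days in compare_policies().items():
        print(f"{policy:32s} {days:4d} exposure-days")
```

Under these assumptions the leaves-only one-off engagement leaves the record exposed for 540 outlet-days out of a possible 720: every leaf regains it at its next refresh because the trunk was never touched. Including the broker cuts that to 209, and the ongoing programme to 74, with the residual coming entirely from the broker re-ingesting raw feeds once its suppression window lapses. Changing the cadences changes the numbers but not the ordering, which is the point the text makes.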
How to Stop Data Brokers with Privacy Bee Solutions
100% Free Privacy Threat Monitoring and External Privacy Data Audits are the best place to begin to identify where unsecured data for all your employees may exist across the internet.
For consumer customers, the Privacy Bee solution performs continuous monitoring to scan the net for any public exposures of the customer’s personal data and informs them of any exposures so that mitigation steps can be quickly undertaken. For the Business customer, Privacy Bee’s External Privacy Data Audit provides in-depth reporting on external exposures and their cost to a company’s productivity. Turning those stats into figures, the financial risk assessment provides a conservative estimate of the cost these external exposures carry. The platform provides full employee privacy audits, covering how many employees have been exposed, what type of exposures they’ve had, and the source of the exposure. The tool sets detect recent critical vulnerabilities and target where to start cleaning up employee data.
The Privacy Risk Assessment (PRA), also 100% free, is roughly 75 questions and takes about an hour to complete. It explores how customer and employee data is managed by your organization, illuminating any unmitigated risk and opportunities for improvement. Once completed, the answers help derive your organization’s Privacy Risk Score.
Once these audits and assessments have identified where the unsecured data lives, it is time to embark on an ongoing campaign to remove it.
Data Broker Removal services from Privacy Bee mobilize an army of “worker bees” to continuously issue, manage and reissue DSARs for all identified unsecured data. Privacy Bee manages the requests, correspondence and ongoing steps needed to erase customer data from the more than 350 Data Broker and People Search Sites in the US. This labor-intensive process is handled by the Privacy Bee solution, so users are spared the administrative burden. Privacy Bee boasts the industry’s highest removal success rating.
Marketing List Removal service is critical to businesses seeking to minimize unwanted distractions to their workforce derived from spam and targeted marketing. This is also useful in mitigating HR poaching.
Privacy Preference Management on the Privacy Bee platform provides the ability for each user to create their own “whitelist” or “privacy bubble” by cataloging all sites the user visits or has visited, then allowing trusted sites to collect their data while barring distrusted sites from doing so. For the Business customer, this type of selectivity allows all company business machines to be configured with trusted sites and to enforce prohibitions against any user visiting web properties deemed to be a privacy risk for the client company. The Business solution provides graphical visualizer dashboards with risk assessment scoring for every website, so that management can gauge the risk/reward profile of all sites the workforce may visit and interact with.
Vendor Risk Management is crucial to protecting the internal workforce as well because all best efforts can be defeated if the organization’s business partners are not exercising the same diligence in protecting privacy. If a vendor or other business partner has any access to information systems, then it is imperative that they be covered under the same privacy umbrella. Privacy Bee is fully extensible to provide such coverage to any organization’s external partners and business connections.
Reach out today to learn how to license Privacy Bee to protect your organization from the threats associated with unsecured external data.