1ihHZ6h

ISSA
DEVELOPING AND CONNECTING
CYBERSECURITY LEADERS GLOBALLY
Legal Implications of
Big Data
A Primer
By David Navetta, Esq. – ISSA member, Denver, USA Chapter
The potential uses and benefits of Big Data are endless. Unfortunately, Big Data also poses
some risk to both the companies seeking to unlock its potential and the individuals whose
information is now continuously being collected, combined, mined, analyzed, disclosed,
and acted upon. This article explores the concept of Big Data and some of the privacyrelated
legal issues and risks associated with it.
By now many lawyers, security and privacy professionals,
and business managers have heard of the term
“Big Data,” but many may not understand exactly
what it refers to, and still more likely do not know how it will
impact their clients and businesses (or perhaps it already is).
Big Data is everywhere (quite literally). We see it drive the
creative processes used by entertainment companies to construct
the perfect television series based on their customer’s
specific preferences. 1 We see Big Data in action when data
brokers collect detailed employment information concerning
190 million persons (including salary information) and sell it
to debt collectors, financial institutions, and other entities. 2
Big Data is in play when retailers like Target can determine
when its customers are pregnant without being told, and send
them marketing materials early on in order to win business. 3
1 See http://www.salon.com/2013/02/01/how_netflix_is_turning_viewers_into_
puppets/.
2 See http://redtape.nbcnews.com/_news/2013/01/30/16762661-exclusive-youremployer-may-share-your-salary-and-equifax-might-sell-that-datalite.
3 See http://www.nytimes.com/2012/02/19/magazine/shopping-habits.
htmlpagewanted=all&_r=0.
Big Data may also eventually help find the cure to cancer and
other diseases. 4
The potential uses and benefits of Big Data are endless. Unfortunately,
Big Data also poses some risk to both the companies
seeking to unlock its potential and the individuals whose
information is now continuously being collected, combined,
mined, analyzed, disclosed, and acted upon. This article explores
the concept of Big Data and some of the privacy-related
legal issues and risks associated with it.
What is Big Data
To understand the legal issues associated with Big Data, it is
important to understand the meaning of the term. Wikipedia
(part of the Big Data phenomenon itself) defines Big Data as
follows:
Big Data is a collection of data sets so large and complex
that it becomes difficult to process using on-hand database
management tools or traditional data processing applica-
4 See http://articles.washingtonpost.com/2013-01-17/business/36384178_1_big-databreast-cancer-cure-cancer.
14 – ISSA Journal | March 2013
©2013 ISSA • www.issa.org • editor@issa.org • All rights reserved.

Legal Implications of Big Data: A Primer | David Navetta
tions. The challenges include capture, curation, storage,
search, sharing, analysis, and visualization. 5
While the Wikipedia definition highlights the challenges
associated with large data sets and understanding the data
contained in those sets, a definition by the TechAmerican
Foundation also captures the opportunities associated with
Big Data:
Big Data is a term that describes large volumes of high velocity,
complex, and variable data that require advanced
techniques and technologies to enable the capture, storage,
distribution, management, and analysis of the information.
6
The Foundation stresses Big Data solutions as part of its attempt
to define the term: Big Data Solutions: advanced techniques
and technologies to enable the capture, storage, distribution,
management and analysis of information.
According to the TechAmerican Foundation, Big Data is
characterized by three factors: volume, velocity, and variety: 7
CHARACTERISTIC
Volume
Velocity
Variety
DESCRIPTION
The sheer amount of data generated or data intensity
that must be ingested, analyzed, and managed to
make decisions based on complete data analysis
How fast data is being produced and changed and the
speed with which data must be received, understood,
and processed
The rise of information coming from new sources
both inside and outside the walls of the enterprise
or organization creates integration, management,
governance, and architectural pressures on IT
While these definitions and attributes of Big Data may be
helpful, they are still rather abstract. Perhaps the better
question to ask is “what does Big Data mean to companies
or other organizations” Using this filter, Big Data and its
use can be viewed as a business process or a supplement to
existing business processes. Big Data in the business context
means or encompasses the following:
• The ability of the organization to (or could have) access
unimaginable amounts of structured and unstructured
data (much more of it likely in the unstructured category)
both internally and through external resources (e.g., data
brokers, affiliates, or partners).
• A realization (or hope) that by capturing, structuring, and
analyzing these huge volumes of data, and understanding
the relationships within and between data, the company
may gain valuable insights (often precise and nonobvious)
that may significantly improve how the company
does business.
• The need to leverage specialized tools and specialized employees
(e.g., data scientists) to enable the capture, cura-
5 See http://en.wikipedia.org/wiki/Big_data.
6 See Demystifying Big Data, http://www.techamerica.org/Docs/fileManager.
cfmf=techamerica-bigdatareport-final.pdf.
7 Ibid.
tion, storage, search, sharing, and analysis of the data in a
way that is valuable to the organization.
• Analyzing and addressing the potential limitations and
legal, security, and privacy risks and issues associated the
collection, analysis, and use of Big Data (and the insights
derived from it).
While the specific applications of Big Data analysis will vary
depending on the industry, the availability of data and the
goals of a particular organization (and some of those practical
applications are summarized above), many organizations will
use Big Data to better understand and market to their customers
(both individuals and corporate).
Big Data and privacy
When it comes to consumer marketing, the potential for Big
Data is enormous (and some would argue that the confluence
of online marketing and Big Data represents the “Holy Grail”
of marketing). Big Data can allow marketers to target customers
precisely and efficiently by providing advertising and
product and services offers that are specifically tailored to a
particular individual, based on his or her attributes. Big data
combined with the use of mobile devices can result in offers
to individuals that are highly relevant, delivered at the right
time, and (with mobile and geo-location tracking) at the right
place. However, one of the most significant legal challenges
associated with Big Data, especially on the consumer marketing
side, is privacy.
Big Data and notice/consent
In the United States, pursuant to the Fair Information Practice
Principles, 8 the foundation of privacy protection includes
the concepts of notice/awareness and choice/consent. To satisfy
the principle of notice and awareness, the data subject from
whom data will be collected must be made aware of the uses
to which his or her personal information will be put, and to
whom such personal information will be disclosed. 9 The notice
is intended to allow the data subject to make an informed
choice as to the collection and use of the subject’s personal
information, and to consent (or not) to that collection and use.
In a Big Data world, some contend that the goals of notice/
consent may be circumvented due to the complexity of the Big
Data ecosystem and practical limitations related to the use of
written privacy policies. For example, privacy advocates believe
that in some cases, a person that reads a privacy policy
and agrees that his or her personal information can be collected,
used, and disclosed for “marketing purposes” may not
understand that such personal information may end up residing
in the database of a data broker and combined and disclosed
in ways not apparent in or contemplated by the privacy
policy. For example, if an ecommerce vendor disclosed to a
marketer that an individual customer purchased a deep fryer,
such information could be combined into a profile about the
individual in a database owned by a data broker. If the data
8 http://www.ftc.gov/reports/privacy3/fairinfo.shtm.
9 Ibid.
©2013 ISSA • www.issa.org • editor@issa.org • All rights reserved.
March 2013 | ISSA Journal – 15

Legal Implications of Big Data: A Primer | David Navetta
In a Big Data
world…data
subjects have even
less awareness
and ability to
provide meaningful
consent.
broker later sells access to the database to a health insurance
company, whose algorithms put people who purchase deep
fryers into a high risk category, in the world of Big Data the
initial, relatively innocuous
data disclosure (that was consented
to) could suddenly serve
as the basis to deny a person
health care (or result in higher
health care rates).
The problem here is twofold.
First, the consumer may not understand
where his or her personal
information may end up,
and that it could be combined
with other existing profile data
in a manner that reveals more
about the person than contemplated
at the time of disclosure.
Further onward transfer and combining with yet more databases
could reveal even more. Second, the data subject lacks
an understanding of the interpretations, inferences, and/or
deductions that may be draw from his combined data using
Big Data mining techniques and analytics. As such, in a Big
Data world some would argue that data subjects have even
less awareness and ability to provide meaningful consent. 10
Big Data and access/participation
Another area of privacy concern related to Big Data deals
with the principle of “access/participation.” 11 This principle
deals with a data subject’s ability to access his or her personal
data in order to ascertain whether it is accurate and complete.
This principle is necessary to allow individuals to correct inaccurate
information about them.
This principle has been incorporated into the Fair Credit Reporting
Act 12 (FCRA), which requires credit reporting agencies
to provide consumers with access to their credit reports
so they can have inaccuracies corrected. In the Big Data
context satisfying the access/participation principle poses
significant challenges. Except for the established and highly
visible players, the general public does not know what entities
may be collecting information about them and creating profiles.
While data subjects may be able to identify companies
to whom they have provided personal information, and may
have a direct relationship with such companies, the same is
not true in the case of data brokers. In most cases data subjects
do not have a direct relationship with them and these
brokers typically do not receive information directly from
the data subjects. Even if a consumer can identify a data
broker that holds his or her profile, without a contract the
consumer may have no legal recourse that would require the
broker to provide access to his or her personal information.
10 Notice and Consent in a World of Big Data, http://www.techpolicy.com/
NoticeConsent-inWorldBigData.aspx.
11 Fair Information Practice Principles, http://www.ftc.gov/reports/privacy3/fairinfo.
shtm.
12 Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681, et. seq.
While some data brokers may be acting as “credit reporting
agencies” and therefore subject to the FCRA, many take steps
to avoid that status.
Based on concerns over access and transparency, the Federal
Trade Commission (FTC) has indicated a desire to consider
additional regulatory scrutiny over data brokers:
To address the invisibility of, and consumers’ lack of control
over, data brokers’ collection and use of consumer information,
the Commission supports targeted legislation
– similar to that contained in several of the data security
bills introduced in the 112th Congress – that would provide
consumers with access to information about them
held by a data broker. To further increase transparency,
the Commission calls on data brokers that compile data
for marketing purposes to explore creating a centralized
website where data brokers could (1) identify themselves to
consumers and describe how they collect and use consumer
data, and (2) detail the access rights and other choices
they provide with respect to the consumer data they maintain.
13
More recently, in December 2012, the FTC launched an investigation
to study the data broker industry’s collection and
use of consumer information. 14 Moreover, much of the privacy-related
legislation proposed in Congress has included provisions
related to the regulation and oversight of data brokers
(although none has passed to date). 15 Overall, this is an area
that is ripe for an increased regulatory response and potentially
federal and/or state legislation.
Big Data and Do Not Target/Do Not Collect
Another privacy-related area impacted by Big Data is the do
not track (DNT) debate. 16 For many in the advertising industry
do not track refers to the use of consumer data for purposes
of targeted advertising. In contrast, the FTC and privacy
advocates believe the concept of DNT encompasses not only
targeting of individuals, but also collection of personal information
from individuals (do not collect). Recent regulatory
emphasis on do not collect stems in part from concerns surrounding
Big Data. With the pervasive and constant collection
of information about individuals from multiple sources,
many data brokers are able to pinpoint a user’s identity and
specific preferences without having any information traditionally
considered personally identifiable information. As
discussed further below, common methods for de-identifying
personal information may not be effective, if the unique
identifier of the computer or mobile device used to access a
website, when combined with specific behavioral and other
data, can supply enough information to identify a person individually.
This may lead to heightened regulatory scrutiny
13 See Protecting Consumer Privacy in an Era of Rapid Change, http://ftc.gov/
os/2012/03/120326privacyreport.pdf.
14 See http://www.ftc.gov/opa/2012/12/databrokers.shtm.
15 See e.g., http://www.infolawgroup.com/2010/08/articles/breach-notice/yet-anotherproposed-federal-data-security-and-breach-notification-bill-senators-rockefellerand-pryor-jump-into-the-fray/.
16 See http://www.infolawgroup.com/2012/03/articles/data-privacy-law-or-regulation/
ftc-looks-to-link-donottrack-big-data-privacy-concerns-seeks-solutions/.
16 – ISSA Journal | March 2013
©2013 ISSA • www.issa.org • editor@issa.org • All rights reserved.

Who’s minding
your cloud
Securely embrace the cloud. Our solutions do more than bring you to the cloud,
they keep your business secure when you get there.
+ FIND OUT how CA Technologies can help you secure and enable your
business by visiting us at ca.com/mindyourcloud
CA Technologies makes an
important announcement
in Cloud-Based Identity
& Access Management
Learn more at ca.com/mindyourcloud
Copyright © 2013 CA. All rights reserved.

Legal Implications of Big Data: A Primer | David Navetta
of Big Data practices, specifically where the collection and
aggregation of seemingly harmless data about a person can
be used to reveal sensitive information (e.g., health status,
sexual orientation, and financial status).
Anonymization and Big Data
One technique for mitigating privacy-related risks associated
with Big Data is de-identification or anonymization. 17 Data
sets that are de-identified have had key information stripped
away in order to prevent others from individually identifying
the persons to whom the data set relates. This technique
allows organizations to work with Big Data sets while mitigating
privacy concerns, and has been used in many realms,
including health care, banking and finance, and online advertising.
In fact, many regulatory regimes recognize the concept of
de-identified personal information. Under regulations promulgated
pursuant to Gramm-Leach-Bliley 18 (regulating the
privacy and security of financial data) “personally identifiable
financial information” does not include information that
does not identify a consumer “such as aggregate information
or blind data that does not contain personal identifiers such
as account numbers, names, or addresses.” 19 The Office for
Civil Rights of the Department of Health and Human Services
has issued extensive guidance concerning de-identification
of health data, and sets forth two methods to achieve
de-identification under HIPAA: expert determination and
“safe harbor” de-identification (which involves removing
eighteen types of identifiers from health data). 20 Under European
data protection laws, to achieve legally permissible
de-identification, “anonymization of data should exclude any
possibility of individuals to be identified, even by combining
anonymized information.” 21
However, organizations relying on de-identification to circumvent
privacy issues (and liability) must proceed carefully.
If de-identification is not performed properly, it may be possible
to re-identify individuals in an anonymized data set.
There have been several real-life instances where re-identification
has occurred, and researchers have also been able to
demonstrate methods for identifying individuals from data
that appeared anonymous on its face.
In one infamous example, as part of a contest to create a better
movie recommendation engine, Netflix released an anonymized
data set containing the movie rental histories of approximately
480,000 of its customers. Researchers established
that they could re-identify some of the Netflix customers at
issue by accessing and analyzing publicly available information
concerning movie ratings performed by such custom-
17 See http://en.wikipedia.org/wiki/De-identification.
18 Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338 (codified as
amended in scattered sections of 12 and 15 U.S.C. (2008)).
19 See 17 CFR PART 248.
20 See Guidance Regarding Methods for De-identification of Protected Health
Information in Accordance with the Health Insurance Portability and Accountability
Act (HIPAA) Privacy Rule, http://www.hhs.gov/ocr/privacy/hipaa/understanding/
coveredentities/De-identification/hhs_deid_guidance.pdf.
21 European Union Directive 95/46/EC.
ers. 22 The Netflix contest eventually led to a lawsuit 23 against
the company and regulatory scrutiny from the Federal Trade
Commission. In another example, a researcher showed how
she could re-identify persons with data in an anonymous
health care data base by using publicly available voter records
(in this case she was able to re-identify the information of the
governor of Massachusetts). 24
The risk of re-identification of Big Data sets using contextual
“micro data” is a significant concern for organizations work-
22 See Robust De-anonymization of Large Data sets (How to Break Anonymity of the
Netflix Prize Data set) http://arxiv.org/PS_cache/cs/pdf/0610/0610105v2.pdf. The
Netflix contest eventually lead to a lawsuit against the company and regulatory
scrutiny by the Federal Trade Commission.
23 See http://www.wired.com/images_blogs/threatlevel/2009/12/doe-v-netflix.pdf.
24 See http://www.cs.duke.edu/~ashwin/pubs/BigPrivacyACMXRDS_final.
pdf.
The ISSA Web Conferences bring together ISSA
members from around the world to share leading
industry presentations and answer members’
questions. Each event is designed to address the timely
needs of our members through a live, online event and a
subsequent recorded version for on-demand viewing.
All content is developed by the ISSA Web Conference
Committee. CPE credit available: ISSA members will be
eligible for a certificate of attendance, after successful
completion of a post-event quiz, to submit CPE credits for
various certifications.
Legislative Landscape
2-Hour Live Event: March 26, 2013
9am US Pacific/12pm US Eastern/5pm London
Generously supported by Venafi.
Increasingly legislation and regulation are becoming extremely
important drivers for what information security
professionals have to do, and the pace of delivery seems to
be increasing wherever you work in the world today. What
impacts will recently enabled, pending, and possible future
legislation and regulation have on organizations and
individuals and their approaches to what and how they do
information security How do we prioritize what is most
important What can we do to make compliance easier
How do we get our policies aligned with the differing
regulatory environments across different jurisdictions
How do we deal with export controls (software and information)
In some cases the question might be “How do
we stay out of jail” Join our industry experts to get their
views on this topic and the questions around it.
Click here to register or here for more information.
Visit https://www.issa.org/page=WebConferences
for information on our 2013 schedule.
18 – ISSA Journal | March 2013
©2013 ISSA • www.issa.org • editor@issa.org • All rights reserved.

Legal Implications of Big Data: A Primer | David Navetta
ing with de-identified data sets. If the de-identification is not
done properly, third parties with access to de-identified data
sets may be able to re-identify individuals, and that re-identification
could expose the individuals at issue or constitute
a data breach under existing data breach notification laws, 25
and could lead to litigation or regulatory scrutiny. Organizations
desiring to de-identify and anonymize their data sets
should consider several questions to help understand and
mitigate potential privacy and organizational risks, including:
• What are the purposes, risks, and benefits of de-identifying
and using or disclosing the data, and do the benefits
outweigh the risks
• Will the third parties and/or service providers at issue use
any data (aggregate, de-identified, etc.) for own purposes
Do they have any contractual rights to use the data or engage
in their own aggregation or anonymization of data
• Is the data truly anonymized How can the company be
sure What information will be exposed if the data is reidentified
Is it worth investing effort to verify anonymization
• What is the risk to the business if the data is re-identified
Data breach notification Lawsuits Regulatory investigations
or actions
Engaging in the analysis above can be very helpful in mitigating
risks. However, companies need to be aware that the
very nature of Big Data makes true anonymization more difficult.
With reams of detailed data now available and accessible
and sophisticated algorithms that allow data mining, it
is arguably easier to re-identify individuals. The analysis and
25 http://en.wikipedia.org/wiki/Security_breach_notification_laws.
combination of anonymized data sets with data sets containing
identified individuals is largely unpredictable, and yet can
potentially result in an organization getting into legal trouble.
Conclusion
The Big Data era is upon us, and it will become increasingly
common for companies to collect, data mine, and analyze
large data sets in order to further their business interests. Big
Data analytics is already the norm for many organizations,
and this trend will only continue over time as more and more
data is collected, and stronger and more predictive tools and
processes are developed to understand that data. As companies
rush headlong into the Big Data space, they would be
wise to step back and contemplate the potential privacy implications
of their activities, and consider steps to address
privacy concerns. Proactively dealing with the privacy issues
discussed in this article can help organizations safely leverage
Big Data while still retaining customers and avoiding reputational
harm, litigation, and regulatory scrutiny.
About the Author
David Navetta, Esq., CIPP/US, is one of
the founding partners of Information Law
Group LLP (www.infolawgroup.com). David
has practiced law for over fifteen years,
and focuses on technology, privacy, information
security, and intellectual property
law. He has previously served as a cochair
of the American Bar Association’s
Information Security Committee. He has
spoken and written frequently concerning technology, privacy,
and data security legal issues and can be reached at dnavetta@
infolawgroup.com.
©2013 ISSA • www.issa.org • editor@issa.org • All rights reserved.
March 2013 | ISSA Journal – 19