The Collateral Damage of a Privileged Information Data Breach


We’ve been looking at the damage that may result to individuals whose information is stolen when corporate or government databases are breached. Our previous article considered the collateral damage possibilities if your biometric information was compromised. In this article we review the possibilities when a privileged information data breach occurs.

Privileged information is any communication between parties that is legally protected as confidential, intended to remain between the confidants. While the concept of “privilege” has undoubtedly been abused in the past by unscrupulous individuals, the law protects such communiques for the protection of society as a whole. Consider how the legal defense of an innocent person could be compromised, for example, if the prosecutor had access to private client-attorney conversations.

Or think about the professional and personal reputational fallout that can befall a person if certain perfectly legal business dealings were made public so that the media could have an inference heyday just to meet a story deadline. The law protects communication between clients and attorneys, between patients and health care providers, between parishioners and clergy, and between husbands and wives for very good reason. Without protected privacy, the benefit society derives from such relationships would be irrevocably compromised.

Privileged Information Data Breach May Negate Constitutional Rights

In March of 2015 an anonymous hacker posted approximately 70 million recorded phone calls made by prisoners in 37 states over a 2 ½ year span. Included in the data dump appear to be numerous calls between prisoners and their attorneys – which are supposed to be constitutionally protected privileged data. While the privileged information data breach from Securus Technologies constitutes a major event, this isn’t the first time privileged information has been compromised. In 2010 WikiLeaks posted 250,000 “secret” cables from the US Embassy. In 2013 Edward Snowden stole more than 1.7 million “classified” records. And in 2016 more than 11.5 million confidential documents from law firm Mossack Fonseca were made public. Not to mention, your smart TV collects the discussion you are having at home and sends it to an external server. Here are a few of the possible ramifications should you experience a privileged information data breach:

  • Breach of Constitutional Rights: The Constitution protects an individual’s right to effective legal counsel and access to fair and unbiased courts. This is the basis of our legal system after the abuses the founding fathers witnessed under the old English system. When a counselor’s conversation with the accused is compromised and made available to the state prosecutors, not only is the individual’s freedom put at risk, but so too is the very foundation by which those freedoms are supposed to be protected.
  • Compromised Professional and Personal Reputation: A privileged information data breach may expose conversations you have with your doctor or your latest employee performance review. Can you imagine the damage to your professional reputation if the details of where your manager wants to see improvement were made public? How forthcoming would you be with your doctor if you believed the contents of that conversation would be made public?
  • Non-Admissible Evidence can be Admitted if from a Third Party: Privileged information is non-admissible in court – legal privacy is intended to prevent the state from crushing the freedom of innocent individuals. However, if that privileged information is collected from a third party or a public domain source, it may be admitted. A privileged information data breach can be used to compile a criminal case against you resulting in successful prosecution.

At the very least, it could also be used for public embarrassment or ransom depending on the type of information. When a privileged information data breach occurs, the collateral damage is difficult to quantify. Not only are the specific individuals whose information was compromised put at risk, but the very basis of our notions for personal freedoms and the value of the individual over the will of the state are put at risk. There is no possibility that credit monitoring or identity protection mitigates the long-term collateral damage that can be done to individuals; how could such measures possibly restore public confidence in our underlying basic freedoms? Who, then, can take responsibility for the full extent of damages such a breach can cause?

Next up in our collateral damage series: what’s the big deal if your social profile becomes public property?
