What to Do When Mobile Apps Breach Customer Data
How California businesses and consumers can protect their information
on July 6, 2018
Updated on March 31, 2022
Would it surprise you if there were no laws controlling the app data on your phone? Because that’s the truth. These programs you interact with, often several times each day, don’t have regulatory constraints and, if an app is free, you’re the product.
“I frequently tell my clients, ‘the thing you think is a phone, isn’t a phone; it’s a marketing device,’” says Encino business litigator Adam D.H. Grant.
Collecting Personal Data
Apps are not necessarily about offering you free services. These companies that give you the next great game to while away your time don’t do it out of charity. They create them to make money.
“There is a huge black-market industry of these apps that say they are for one purpose but are actually for another, more nefarious purpose, such as, ‘We can get you from one place to another but what we are really doing is taking all of your contacts without telling you, taking all of your photos without telling you, taking all of the passwords that are on your phone without telling you,’” Grant says. “Unfortunately, there are a significant number of apps out there that do just that. They are supposed to give a significant amount of privacy notices or the privacy notices they give are not in sync with what they do. That happens frequently. Then your info shows up on the dark web and your identity goes up for sale.”
Making money can also be on a per click basis in the case of websites, Grant continues.
“The way people make money on free sites isn’t by selling a product, but on hyperlinking to other sites or other products. Each time you click on it, that click has value and that is subject to some contract and that person who owns the domain or URL gets money. If it’s popular, this can be big business. I’ve had clients who make millions of dollars per month on only clicks.”
Data Protection Law
The United States doesn’t have a scheme to regulate this yet. But, as of May 25, 2018, the EU’s General Data Protection Regulation went into effect, and Grant says it can affect business owners in the U.S. “If you are using customers’ personal identifiable information and you are collecting and storing addresses or emails in some way, you definitely need to take steps to protect that information,” he says.
Is your app used or website accessed by Europeans? Simple analytical tools will give you this information. Are you getting a geolocation and email from those contacts? If either is true, you are subject to the law and must address security risks and protect against potential security breaches of user data.
“Based on the Hauge Convention, your American company can be subject to that law and be prosecuted for non-compliance. The penalties for non-compliance are statutory or automatic upon proof of a violation. Those penalties are 4 percent of your gross business for each violation. Are they going hit small mom-and-pops? Probably not, but they could. It’s not an issue of whether you knew you were breaking this law or not, if you grabbed the information from a client and you don’t comply with the notice requirements, if they don’t have the opportunity to take it back, if you don’t have a digital privacy officer, all are violations. You don’t have to have used the information; you just have to have taken it without telling them what you’re doing with it.”
Mobile App Security
For consumers, the best thing to do to guard against security issues is download apps from known mobile app developers.
“Avoid using apps that are convenient but you don’t know much about the industry they are in,” says Grant. “You can download various malware on your phone to help. The lowest hanging fruit for criminals to grab your personal identifiable information are people who download apps arbitrarily without regard to the safety.”
Mobile Data Breach is a Concern for Businesses
Businesses who provide employees with mobile devices without vetting what mobile apps are downloaded onto those mobile phones open themsleves up to vulnerabilities. Unfortunately, this will result in a data breach where sensitive information, including both your companies and customers’ information, is blasted onto the dark web.
“That’s when I’m called,” Grant says. “On behalf of the company, I handle how you notify your customers that a breach has occurred. It’s equally a client management issue as much as a legal issue. Often we will hire a crisis management PR firm to assist in how to manage a data breach with a company.”
Another best practice is having good IT providers on board who know your system and update your firewall and security protocols. Make sure you have cyber security insurance in place. And most importantly: Have an experienced and reputable data privacy attorney in place to review over these policies to make sure you have the proper coverage. For more information on this area, see our business litigation overview.