I have written before about the risks of clauses in technology contracts giving the vendor broad and, usually, undefined rights in aggregated data of their customers. Specifically, I have talked about the need for specificity as to what constitutes “aggregation” (e.g., combination with other customer data and no identification of any individual or entity) and requiring the vendor to assume liability for its use of the data. Recently, however, we have seen instances where data that was thought to have been properly aggregated was, in fact, easily re-identifiable through the use of sophisticated data mining tools. The threat of re-identification is not new. The drafters of the Health Insurance Portability and Accountability Act (HIPAA) went so far as to include clear standards for de-identification of protected health information (see 45 CFR § 164.514). Similar standards should be used anytime highly sensitive data is being aggregated. For example, a clear statement in the contract that the aggregation process must be done in such a way as to render re-identification statistically impossible would be a fine start. The point is to have at least some nod to the fact that this risk exists and simply saying the data will be “aggregated” is no longer sufficient.