• United States



Aggregated Data and the Threat of Re-Identification

Apr 18, 20122 mins

I have written before about the risks of clauses in technology contracts giving the vendor broad and, usually, undefined rights in aggregated data of their customers.  Specifically, I have talked about the need for specificity as to what constitutes “aggregation” (e.g., combination with other customer data and no identification of any individual or entity) and requiring the vendor to assume liability for its use of the data.  Recently, however, we have seen instances where data that was thought to have been properly aggregated was, in fact, easily re-identifiable through the use of sophisticated data mining tools.  

The threat of re-identification is not new.  The drafters of the Health Insurance Portability and Accountability Act (HIPAA) went so far as to include clear standards for de-identification of protected health information (see 45 CFR § 164.514).  Similar standards should be used anytime highly sensitive data is being aggregated.  For example, a clear statement in the contract that the aggregation process must be done in such a way as to render re-identification statistically impossible would be a fine start.  The point is to have at least some nod to the fact that this risk exists and simply saying the data will be “aggregated” is no longer sufficient.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author