With data collection tactics becoming part of the public conversation, companies like Google and Facebook have worked hard to quell public fear over their products’ privacy issues. However, one recently publicized case suggests that companies may need to be wary of data purchased or rented from outside sources as well, not only data collected in house.

In mid-January, OfficeMax sent a series of mailers to individuals in northern Illinois to drum up business for a local store. One mailer was accidentally addressed to “Mike Seay, Daughter Killed In Car Crash.” Seay’s daughter indeed had been killed in a car crash in 2012.

Rather than explaining how that information got onto the letter, however, OfficeMax was caught without a valid response. The company claims that it was renting data from retailer Things Remembered Inc. and could not explain how that particular piece of data was collected.

“We would like nothing more than to tell the world what happened,” said an OfficeMax spokeswoman to the Wall Street Journal. “We don’t know what happened yet. We haven’t been told. It was not our data and we don’t have access to the original information.”

For in-house counsel, this instance gives yet another reason to be wary of outside data collection. While the additional data is useful and these types of deals between corporations are prevalent, those in charge of the data should ensure that they understand both how the data was collected and what types of uses the original collector intended for it.

“It’s impossible to know how many hands and organizations that data passed through before and how many times it’s been repurposed,” Jay Heiser, an IT risk analyst at Gartner, told the WSJ. “And just in raw terms the more outside sources of information, the more likely you are to have something unexpected happen.”

There are (relatively) easy ways for in-house counsel to improve their cybersecurity practices; it’s up to the legal team and IT professionals to institute them.

