Privacy Forensics Services Overview
The ways in which businesses collect, store, provide access to, share with third parties, and analyze user data have given rise to the need for more tailored privacy controls, control testing, forensic investigations and audits, and enforcement in cases of misuse. Stroz Friedberg, an Aon company, has pioneered solutions in all of these privacy forensics service areas.
The Problem
Web and mobile apps, AI, data analytics, cloud systems, and simplified log-on procedures have contributed to the ever-growing power of business computing, digital advertising, and the capabilities of users. However, these rapid technological advances have created complex and opaque ecosystems through which business and personal data flow – so much so that businesses and the end users they serve may lack understanding and control over how data is collected, used, stored, and potentially shared with others. This creates a significant risk of data misuse, including:
- Use of APIs by third-party apps to collect data beyond the app’s disclosed use case;
- Exploitation of deprecated API functionality;
- Undisclosed and unauthorized downstream sharing of API-derived data with third parties, such as analytics and marketing partners;
- Over-retention of user data beyond agreed-upon periods;
- Data scraping by malicious actors at scale, either over the Web or through APIs;
- Leaking of sensitive data by first- and third-party apps;
- Secret diversion of user data back to unauthorized infrastructure by apps that incorporate third-party software development kits (“SDKs”); and
- Data collection through cookies, trackers, apps, and browsing that are out of compliance with the company’s privacy policy.
Our Solutions
Stroz Friedberg takes a multi-disciplinary approach to supporting clients in privacy and data-related investigations and remediating related gaps, leveraging professionals with subject matter expertise across all of our service lines, including digital forensics, security testing, proactive advisory, forensic accounting, and threat intelligence.
We have experience investigating potential data misuse and misalignment of technologies with privacy policies; supporting enforcement actions against third party developers and business partners who scrape, improperly share, or otherwise misuse data; and helping clients proactively mature their API, SDLC, logging, vetting, and enforcement platforms to reduce the likelihood of future events.
Our professional experience has included, among other assignments:
- Reverse engineering APIs to validate the data available for collection and use;
- Validating representations around security controls and encryption made in public statements, including privacy policies and marketing materials;
- Creating in-depth data flow maps to understand and validate whether collection, sharing, and deletion occurs as disclosed;
- Testing to validate that deletion controls work as intended;
- Auditing third parties to assess the degree of over-collection, scraping, and evasion of API controls, and supervising the permanent deletion of improperly collected data;
- Supporting enforcement actions or litigations against third-party and SDK developers;
- Performing historical reviews of third-party apps to understand potential historic data misuse;
- Conducting undercover purchases of scraping software, reverse-engineering that software, identifying contributors to the code, and testifying as to the intended functionality of that software;
- Cataloging cookies and trackers, as well as investigating what data they collected and whether that data was operationalized;
- Assessing DevOps practices for vetting third-party apps;
- Assessing whether API logging was architected properly to support a granular record of data collection and privacy enforcement actions;
- Building an internal corporate data misuse investigations team and processes; and
- Augmenting a client’s internal team to test apps for application security and privacy compliance.
Key Contacts
- Eric Friedberg, Co-President, +1 212.981.6536, eric.friedberg@strozfriedberg.com
- Heidi Wachs, Managing Director, +1 202.464.5813, heidi.wachs@strozfriedberg.com
- Brian Lichter, Vice President, +1 202.981.2323, brian.lichter@strozfriedberg.com
About Aon:
Aon plc (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business.
© Aon plc 2022. All rights reserved.
About Cyber Solutions:
Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets and recover from cyber incidents.
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.