Like millions of other Americans, my personal data was compromised with the recent Equifax data breach. The event was both eye-opening and maddening. I've always known that credit reporting bureaus like Equifax keep financial record data about me, but what I never realized was how little responsibility Equifax has to me for wrongfully disclosing my personal information. I will be dealing with this breach the rest of my life.
Equifax is just the latest company to disclose consumers' personal information. Yahoo, Anthem, Home Depot, and Target have all had data breaches within the last few years. These have resulted in class-action lawsuits delivering a few dollars back to consumers, but this rarely offsets the hassle and long-term problems these victims will face.
Ag data has not yet experienced an Equifax data-breach moment, but inevitably, that day will come. American ag tech companies are still trying to sort out the value of captured ag data. When value is realized, the hackers will find the value as well.
What should we do in the meantime to prepare? I have a few suggestions.
No ag tech provider should be collecting farmers' data without their consent. This seems obvious, but I am certain there are still companies collecting information from farms without obtaining farmer consent first. One of my frustrations with Equifax is that I never really consented to Equifax's collection of my personal information.
Likewise, ag data that is collected by one ag data platform should not be transferred out without the farmers' consent. Data integrations are a powerful and useful tool, but before those connections are established--allowing the free flow of data back and forth between two platforms--farmers should get the opportunity to consent. This should not just be a blanket consent when the farmer first signs up for one platform. Farmers should get to "opt in" to data sharing, not have to "opt out" from automatic sharing.
The federal government could help by streamlining the obligations for reporting breaches. Even if a tech provider wants to promise its users that it will notify them in the event of a data breach, our patchwork quilt of data breach laws makes this challenging. When each state has different data breach notice requirements, it is very difficult for terms and conditions or privacy policies to promise the manner for notification in a standard agreement. Deference to state law is great, but only when states can do it better.
For more information, check out Foley & Lardner's summary of State Data Breach Notification Laws.
The day will come when farmers' ag data, which could include agronomic, financial and other proprietary data, will be breached. Let's hope this is not an Equifax moment that wakes people up. In the meantime, ag data platforms should prepare for the inevitable by obtaining farmers' consent for data sharing, putting in place proper security measures, and making sure they have a plan for notifying farmers if a breach occurs.