Are you from the United States or Canada? If so, there is a good chance your sensitive personal information was stolen in the biggest data breach of the summer. Equifax, a major consumer credit agency in North America, experienced a data breach resulting in the loss of the personal information of over 140 million individuals, which puts its victims at increased risk of identity theft and other forms of fraud. The Equifax breach is on a massive scale, but it is only the latest in a very long list of reported data breaches in recent years. According to Gemalto, over nine billion individual records have been lost or stolen in reported data breaches since 2013 – and the vast majority of breaches go unreported. Data handlers of all types continue to act irresponsibly, failing to protect the data of their users or even to attempt to apply basic data protection procedures.
How data handlers protect the privacy of user data isn’t working.
The dominant approach to data handling, based around the concepts of risk and compliance, is over 35 years old. With this approach, data handlers try to adhere to regulatory requirements and minimize the risk to themselves – not necessarily to the individuals whose data they handle. For some data handlers, the risk that poor security creates may not extend to them. Instead, it may seem riskier to spend resources on data security that could be used elsewhere in the business. After all, if a data breach does occur, how much of its cost is going to fall on the data handler? Research shows that the vast majority of the costs will fall on someone else, most often those whose data was lost or stolen.
Victims of the Equifax breach face a long and costly process ahead of them. In their analysis of a similar data breach in 2015, Javelin Strategy & Research estimated that each incident of identity theft resulted in approximately $3,300 in losses for victims, $770 in legal fees, and 20 hours spent trying to fix the problem. Victims, after spending time and money to mitigate the impact of the breach, then must spend more time and money fighting for fair compensation.
Known vulnerabilities are one of the main causes of data breaches. If reports are correct, the Equifax breach was caused by a known and patchable vulnerability in third-party software. Timely patching of known vulnerabilities is critical. As long as they remain unpatched, users’ data is at increased risk of being stolen or lost. If a breach does occur, a data handler can help mitigate its impact by notifying the individuals impacted by the breach in an efficient and responsible manner, allowing them to take precautions.
If we want devastating data breaches like the Equifax breach to stop, the dominant approach for data handling must change.
The Internet Society would like to see organizations like Equifax shift to an ethical data handling approach that includes effective data security. Ethical data handling is about establishing a set of principles that a data handler can affirm, that go beyond what is strictly required for legal or regulatory compliance, and which more fairly represent the balance of interests between the data handler and the data subject. In many ways, the principles are an undertaking by the data handler that there are some things they “could” do (both legally and practically) with your data, but voluntarily commit not to do them. It’s also a commitment to do more than the bare minimum to safeguard personal data.
In practice, this means that rather than only asking “how much will this cost me?”, data handlers should ask themselves the following:
- Does this use of data genuinely reflect the interests of the data subject as well as the interests of the organization?
- Is there transparency and accountability in its collection, sharing, and use?
- Would this use of data come as a surprise or a shock to the individual concerned?
- When the organization faces a choice about what to do with data, which option represents the greatest fairness, transparency, and accountability?
- What obligations do we have with regard to protecting this data, and how effectively are we meeting them?
If data handlers do not start asking themselves these questions, we, the consumers, or our governments, will.
See the Online Trust Alliance’s guide on Cyber Incidents & Breach Response.