Introduction

Data breaches are the oil spills of the digital economy.[1] Despite widespread recognition that they are a serious problem globally, data breaches continue to increase in number, size, and cost. They are toxic for user trust in the Internet, and their impact can spread across the whole data ecosystem, affecting millions of users.

What is a data breach? “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”

The Information Commissioner’s Office (ICO) of the UK[2]

The ultimate casualty of data breaches is trust in the Internet. Would people continue to go to a store that let strangers shop with their credit cards? Go to a psychiatrist who disclosed confessed affairs in public? Work for a company that allowed anyone to access confidential personnel records? It is unimaginable.

Target had 40 million customers’ credit card numbers stolen and put on sale online; Ashley Madison’s records on 37 million married users and their personal affairs were taken and published online; and the US Office of Personnel Management had at least 21.5 million records, including highly sensitive security clearance records of past, present, and potential employees, stolen.

The impact of these breaches on consumers, users, employees and third parties, some of whom did not even know the organisations had their data, is profound and lasting. Users lost time and money protecting their finances and their identity from theft; others saw marriages dissolve and even committed suicide, and still others may be subject to blackmail and exposure. Also, the victims can never be sure that the impact has been contained.

All were let down by the very organisations they had entrusted with their personal information. Even worse, in many cases, the data breach could have been avoided. Some breaches occurred because systems had not been patched against known vulnerabilities; others because staff had not been trained to recognise the social engineering that tricked them into granting access. Even then, steps could have been taken to limit the harm in the event of a breach, such as minimising the amount of data collected and encrypting the data that was kept.

The question this report seeks to answer is a simple one. Why are many organisations not taking even the basic steps to protect the personal information they hold? Is it because they do not bear all the costs of the data breach? Is it because there is not enough perceived benefit in better protecting their users’ data?

The answer to both questions is yes. Organisations may consider only their own costs and neglect the potential costs to their customers and others. It is also hard for an organisation to signal that it is better prepared against a data breach than others, which reduces the benefit of investing in data security.

The Internet Society envisions an Internet for everyone, everywhere. Trust in the Internet is at the core of that vision. Without trust, those of us online are less likely to entrust our personal information to Internet services; and those not yet online will have another reason to stay offline. The Internet economy will not grow as fast as it could, and the UN Sustainable Development Goals (SDGs) will be that much harder to achieve.

To help build trust in the Internet, this report sets clear goals and recommendations to help organisations globally reduce the number and impact of data breaches.

With this report, the Internet Society proposes five recommendations to help address the issue of data breaches:

  1. Put users at the centre of solutions, and include the costs to both users and organisations when assessing the costs of data breaches.
  2. Increase transparency through data breach notifications and disclosure.
  3. Data security must be a priority. Better tools and approaches should be made available. Organisations should be held to best practice standards when it comes to data security.
  4. Organisations should be accountable for their breaches. General rules regarding the assignment of liability and remediation of data breaches must be established up front.
  5. Increase incentives to invest in security by catalysing a market for trusted, independent assessment of data security measures.

The ultimate goal is for organisations to take a position of data stewardship over the personal information they gather, and for all stakeholders, including consumers, to acknowledge they have a collective responsibility to help prevent data breaches.

Internet of Things

Online services are the main focus of this report. However, given the size and frequency of data breaches today, the Internet of Things (IoT) poses additional challenges if the lessons learned from present-day data breaches are not applied.

Forecasts show the IoT may grow to tens of billions of connected devices by 2020.[3] Many of these will act as sensors, gathering information about us, our homes, our cities, and our environments. The data from IoT devices could greatly increase the harm caused by a data breach, as sensor data could include our location, health, and daily habits, including driving and shopping.

Worse yet, these devices could be taken over: the stream from an online camera intercepted, a baby monitor used by a stranger to talk to the baby, a health device sabotaged, a car hijacked.[4] In one chilling example, security researchers recently showed that a computer-assisted sniper rifle could be retargeted.[5]

As such, it is critical to highlight these issues now, so that we take the necessary steps to secure these devices and their data.[6]