Data Breach – The Way Forward

This paper discusses the phenomena of data breaches, which has occurred with high frequency in recent years. As a result of these incidents, victims have not only suffered a violation to their right to privacy and protection over their personal data, but also risked (and suffered) actual losses, financial and otherwise. This paper examines the common causes to a data breach, and also explores the possible solutions to reduce the occurrence of data breaches, including solutions from legal, technical, and advocacy perspectives.

Definition of Data Breach

One legal definition of data breach can be found in the law of the United States where it is stated that a data breach is “the loss, theft, or other unauthorized access … to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.”

More informally, a data breach refers to any inadvertent disclosure or unauthorized access to personal data, with personal data broadly defined as data that could allow a person to be identified.

Value of Data

As we enter into the 4th industrial revolution, the economy we were used to is beginning to move substantially online, and so begins also the reliance on, as well as expansion of, information and communications technology. A collateral consequence of that is that data, is becoming the most valuable asset that can be owned by any individual, institution, business, and government. The common saying now is that data is more valuable than oil.

For example, with data, companies can make better sales as it processes data to anticipate buying trends, while countries can have better governance as policies will be more effective.

However, what about the ordinary individuals? Do they benefit from this evolution?

Contrary to being a party benefitting from usage of these data, individuals are the providers of these data; individuals provide personal data ranging from less sensitive information such as their name, age, education, gender, employment history to more sensitive information such as sexual orientation, credit card information, blood type, political beliefs and so on to different parties frequently. In return, the individuals receive services such as a national identification card or a mobile number as well as services that result from less explicit usage of these data, such as targeted advertisements or free online social media.

Nevertheless, the issue is less worrisome if the data were collected and processed with the full consent and knowledge of the data subjects, i.e. the individuals.

The problem occurs, when the data are firstly, used in ways unknown to the data subjects, or secondly, obtained illegally as a result of a data breach and subsequently abused by malicious parties.

Regardless, the first thing to recognize is that as individuals it must be understood that a data breach is a loss in it of itself whether the data subject eventually suffers any tangible losses, because individuals should have, and do have, the right to the protection of personal data concerning him or her. Hence, any access or usage of these data without consent is a violation, similar to any physical touch without consent is a violation even if it does not lead to injuries.

Secondly, these stolen data, are often monetized by way of being sold online thereby creating profit for the wrongdoer, while the actual owners of those data are being left out. Furthermore, consequences of illegally obtained data range from a minor annoyance to the victims such as receiving unsolicited advertisements and spam messages up to more severe outcomes such as identity theft.

Therefore, in an event of a data breach, the provider of these data, that is the individual, stands to lose the most. That being said, data breaches do not only cause actual or potential losses to the data subject, but to the companies/institutions who process or keep these data as well.

A comprehensive discussion was made by Almudena Arcelus, Brian Ellman, and Randal S. Milch in their article “How Much Is Data Security Worth?” where it captures beautifully the losses that these data holders/companies are looking at in an event of a data breach. The potential losses include the cost of detection, escalation, and notification to the data subjects, cost of responding to regulatory requirements and authorities, a potential penalty by authorities, potential settlement payout for lawsuits by data subjects, losses of businesses and reputation, cost of rebranding and regaining customers, cost of upgrading security infrastructure and so on. Thus, the potential cost to the company/institution, even if they are not the primary cause of the data breach, is huge.

Extraction in the said article is self-explanatory on this point, and provides a clear picture of the potential magnitude of the consequence of a data breach:

“For example, in the immediate aftermath of the breach announcement, Equifax created a website for consumers to determine whether they were impacted and learn how to protect themselves; offered a free credit file monitoring and identity theft protection program to all U.S. consumers for one year; and set up a call center to assist consumers. According to one estimate, Equifax’s “Premier” credit monitoring and identity- protection offer for 250 million U.S. residents over the age of 18 potentially represented nearly $60 billion worth of services.”

Incidents of Data Breaches

Just taking the United States alone, according to studies done by Privacy Rights Clearinghouse statistics show that from 2005 till date, there were 9,046 data breaches that were made public. This leaves the question of what would have been the number should those that were not made public or those not detected were included.

More significant incidents of a data breach are the 145.5 million social security numbers that were compromised in the 2017 Equifax data breach and Facebook’s Cambridge Analytica data breach which affected close to 87 million people and which also is infamously accused of having influenced the presidential election of the country in 2016 and the referendum of Brexit in the same year.

For the two highlighted incidents, Equifax offered up to $700 Million for settlement while Facebook agreed to pay a record-breaking $5 billion settlement. The cost, therefore, speaks for itself.

On the other side of the globe, in Malaysia, a massive data breach occurred in 2017 which witnessed customer data of more than 46 million mobile subscribers in Malaysia being sold online. The data breach was the biggest in the country’s history. The leaked information included mobile numbers and home addresses. However, unfortunately, there was no legal action by individuals or the authorities against the company and commission involved. Consequently, there was also no compensation or any remedy to the victims.

In addition, it is foreseeable that data breaches will only occur even more frequently in the future, particularly with the popularisation of the Internet of Things (IoT). As defined in the Recommendation ITU-T Y.2060, ‘‘the IoT can be viewed as a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies (ICT).”

Thus, over time, more and more devices used by us in our daily lives will be linked to the Internet, and data will be transferred at all times. As a result, more entry points exist for hacking to happen and more opportunities for data breach to occur, especially if adequate safeguards are not put in place.

Furthermore, in fear of being left out by their competition and in pursuant for more profits, companies may rush to adapt IoT technology into their products without fully understanding the potential risks and without equipping their devices with adequate cybersecurity protection. This, only exacerbates the potential for a data breach.

Common Causes of Data Breaches

Research into the root causes of data breaches reveals that there are three main types of causes to data breaches, namely, 1) well-meaning insiders, 2) targeted attacks, and 3) malicious insiders .

Well-meaning insiders

Well-meaning insiders refer to inadvertent mistakes made by insiders within the organization. For example, when an employee inadvertently sends a confidential email to a wrong recipient, when an employee losses his/her laptop, when an employee is unaware of confidential policies of the organization thereby sending confidential information unencrypted or removing devices containing confidential information from the premise for external use. In the latter, the data is exposed to attack both during transmission and on the removable device used at an unprotected environment.

Targeted Attacks

In relation to targeted attacks, it refers to deliberate effort done externally by cybercriminals. Normally it involves the exploitation of the vulnerability of the cybersecurity system in the organization. For example, poor credentials, improper computer or security configurations, outdated security patches, usage of factory default settings, and so on, which all provide vulnerabilities that cybercriminals could seize to intrude the system and steal data. Another popular method of targeted attack is through malware whereby hackers use phishing emails to entice users to a website compromised with malware. Once a user visits the website, the malware can be downloaded and installed without the user’s knowledge, and could for one become spyware that monitors the user activity on the device including tracking passwords or alternatively allow remote access and control of the device by the hacker.

Malicious Insider

Lastly, another common cause to a data breach is the malicious insider. Malicious insider refers to employees who abuse their accessibility to the company’s data. For example, rogue employees who steal data from the company for usage unrelated to the company’s business, a disgruntled former employee who steals data such as clients list upon exit for personal usage in the future, or an infidel employee who passes data and confidential information to another competing company which he/she is providing services for, without the knowledge or approval of his/her current employer.

Solutions to Reducing Data Breaches

Legal solutions

While different countries will have different laws in relation to personal data, there are some elements that must exist in these laws to reduce the frequency of data breaches, and to provide adequate remedy to victims in the event of a data breach.

First and foremost, the laws should recognize that being a victim of a data breach, i.e. when a data subject discovers that his/her data has fallen into the wrong hands, immediately provides a standing for the victim to initiate legal action, regardless of whether he/she suffers actual financial losses due to the data breach. The right to initiate civil action against the wrongdoers shall be guaranteed.

Secondly, the laws should lay out a comprehensive and uniform standard for companies’ and institutions’ in relation to data collection, storage, and usage. This will guarantee a minimum standard of protection put in place against data breaches. In addition to that, the laws should also provide for a statutory penalty in the event of failure to comply any of the provisions in the framework.

Finally, the laws should create a commission specifically dedicated to enforcing the framework and rules, while also constantly develop more rules and best practices so that the laws and requirements can move in accordance with time and the development of the technology.

Technical solutions

In relation to technical solutions, legislators and policymakers should explore alternative identification systems and methods for storing personal information that is more secure against data breaches, such as by utilising blockchain and encryption technology. These will reduce vulnerabilities within a network and opportunities for external attackers.

An interesting example is e-Estonia which is a blockchain technology employed by the government of Estonia. In Estonia the citizens have a nationally issued Estonia ID card that keeps track of the citizens’ public, financial, medical, driving records, and others using a blockchain-like distributed ledger system instead of the conventional centralized storage system. As a result, any intervention to a public database would be recorded and secured by the blockchain-based timestamping, and therefore can easily be detected. These lead to less tendency of interference with the system and thus deterring data breaches.

Furthermore, as pointed out above, companies and institutions should constantly update and upgrade their cybersecurity to minimise vulnerabilities. On top of that, companies should consider obtaining cyber liability insurance as data breaches are almost inevitable despite the best efforts to protect against them. By purchasing insurance, risk can be minimised.

Advocacy solutions

Lastly, a cliché but nevertheless important solution, is by raising awareness and having proper training on digital security. For example, in the circumstance of the bona fide employee, companies should have in place adequate training to educate employees on the data security policies of the company. Companies should be dedicated in developing a risk-conscious work environment and workforce.

Government should also raise awareness on the cost of data breaches and conduct public awareness campaigns to educate the people in protecting their personal data, i.e. on the topics of being aware of one’s digital footprint, being cautious against phishing emails, avoid logging into sensitive websites such as banking websites at public places or when using public wi-fi.

Conclusion

Data breach is a common occurrence across the globe and across players of different industries. This paper has laid out, though briefly, the definition, causes, and possible solutions to data breaches. It is evident from it that a comprehensive and holistic discussion on that matter is not only needed to be held at the soonest, but must also involve all the relevant stakeholders. This is because any meaningful solutions, as discussed, would require co-operation and sharing of expertise of different stakeholders.

In a nutshell, with a concerted and committed effort undertaken upon a thorough and multi-stakeholder discussion, it is believed that while data breach is not expected to be entirely eliminated, at least its impact could be minimised and its frequency of occurrence lessen.

Edit: Written in 2019, as part of the selection process for the Internet Society’s Internet Governance Forum Youth Ambassador

LouisLiaw: