2013 was filled with even more large service providers, government departments and enterprises getting hacked or otherwise losing your data. Your data was likely lost on multiple occasions just from the breaches in the news, let alone the ones that never made the headlines. Reputational or direct fiscal impact are proven outcomes of such breaches, yet I’ve observed that in many cases people don’t particularly care when their data is lost. I think many receive an e-mail informing them of the problem, pause for 2-3 seconds of reflection and then move on with whatever they were doing before. Imagine, then, the following scenario. How would you behave?
We are all moving more and more of our personal and business data online and the potential damage to you and your business increases every day. What then, you might ask, is being done about this problem?
The trend of data breaches shows little sign of slowing, and so governments the world over have been scrambling to find ways to increase consumer confidence and to enhance best practice in enterprises small, medium and large. Data breach regulations and data protection reforms have been a hallmark of legal developments over the last few years all over the globe, but right now several regions are embarking on implementation phases which will tighten requirements significantly. California Senate Bill 1386 is perhaps the most legendary breach notification law, but Europe is now considering following suit with standardized breach notification in a bid to create more transparency. The E-Privacy Directive, the proposed Directive on Network and Information Security and the proposed data protection regulation are amongst the initiatives that place a breach notification obligation on various industries. However, if we step back for a moment, is this change a positive or a negative one?
European data breach regulations specify that in the event of a data breach the appropriate regulator and consumers must be notified that their data has been lost or compromised within reasonable timeframes, such that they can take steps to protect themselves. The premise is that by forcing enterprises to be transparent about data breaches they are significantly more likely to handle data with care and act in the interests of consumers. That makes sense to me, but ask yourself: what would your reaction be in the event a provider notified you of a breach? It seems a simple issue, and that you have clearly been wronged, but it is more complex than it first seems. In some instances breaches might be the result of incompetence, whereas in others they may be the result of being an unfortunate victim (where suitable security steps were taken and were bypassed by a new technique discovered by cyber criminals). Would you move provider? Would staying with the same provider be the better strategy, as they are less likely to make the same mistake? Is that logic actually sound, or are they probably going to become a trendy target for criminals?
A great deal of focus and effort is going into the use of breach notification as a mechanism to drive better security and privacy for you. If you answered the survey above, I will feed your responses into a consultation presently running in this area. Operational Trustworthiness and Enabling Technologies (OPTET) is a European 7th Framework project. The Southampton University ILAWS centre is researching the legal aspects of trust and the Internet. You can find more information here.