Data Breach Reporting as a Tool for Accountability

August 21, 2013

In the information age in which we live today, privacy issues emerge from simple everyday situations: mobile phones track daily commutes; electronic transactions or credit card payments transfer money and personal data to third-party institutions; and personal information is proudly disclosed to others on social networks. We expect, however, that the institutions providing these services care about our data and ensure it is protected. As crime has moved to cyberspace, the frequency, costs and consequences of security breaches have increased. The response of governments across Europe, the United States, Canada and Australia has favoured mandatory data breach notification, under the premise that organizations and individuals should know a breach occurred so they can be prepared for any misuse of their data. Such policies should be welcomed and encouraged, as they build and restore public trust. It is important to explore how this can be achieved.

One advantage of mandatory breach reporting is the improvement of security and better protection of sensitive information. This would stimulate IT innovation as businesses demand high-speed security tools that will not impact their systems’ usability nor “break the bank.” These preventive measures should be seen as investments in brand and reputation. For the public sector, transparency and care while managing citizens’ personal details will help to avoid the misuse of information by government departments. A Privacy Commission, which is an independent body, should also supervise breaches when they occur on governmental databases. The creation of such a unit is one of the highlights of a new directive being evaluated by the European Commission, along with the standardization of privacy and data breach laws at the European Union level in order to remedy the current conflicting national rules. Some countries, for example the United Kingdom, already have such offices (the Information Commissioner’s Office [ICO]), and the Attorney-General’s office in Australia has recently proposed strengthening that country’s privacy watchdog.[i]

Opponents of mandatory breach reporting mainly direct their criticism at the lack of capacity to process all breaches. If an obligation is imposed to report all breaches, it would overload the judicial system. In addition, public agents assigned to such duties would have access to sensitive data, increasing the possibility that other leaks could occur. Nonetheless, due process is usually the norm when it comes to dealing with criminal activities and public reporting.

Company CEOs and shareholders are likely to disapprove of the obligation to report breaches because publicity of flaws in their system creates distrust in their clients and draws mockery from their competitors. Businesses are also apprehensive of added costs and the bureaucracy that would follow the implementation of new standards for prevention and remedy — and to target that niche, insurance companies have started to offer cyber protection in their portfolio, something that would have been unthinkable 10 years ago (The Canadian Press, 2013). Still, prevention seems to work better when one compares the potential cost savings from preventive security improvements to the much higher costs of fixing a breach. The best example of this is the Sony PlayStation Network data breach in 2011, which leaked personal details ranging from names to credit card numbers of around 100 million customers worldwide (“Sony Restores PlayStation,” 2011). In 2013, the Japanese company was fined £250,000 by the Information Commissioner’s Office in the United Kingdom after it determined that the theft could have been avoided (“Sony Fined,” 2013). Costs in security upgrades and customer support were estimated at US$171 million — a figure that does not include expenses incurred in lawsuits or brand management (“$171 Million Could,” 2011). It is highly unlikely that costs from additional regulation will exceed such sums.

Finally, citizens demand the right to know what information is being collected and how it is being stored. When a security breach occurs, it would be advisable to treat users with respect and show sympathy toward the nuisance and damage the data theft could cause for the affected consumer. Individualized notifications, depending on the size of the damage, can be extremely expensive; however, they might be the most viable option in some cases to avoid additional embarrassment to the customers. It is common to receive product recalls, so a private data breach recall would not be a foreign concept. The fact that a breach has happened should be made public to avoid surprising users.

Despite all of the initiatives for better data treatment in the online world, there is, unfortunately, still great difficulty in drawing the line between carelessness and a security breach occurring despite preventive measures being in place. Establishing this boundary is crucial for all parties. For users, it involves a change in behaviour and awareness of how personal data is collected and managed. Users should also be conscious of what is included in the Terms of Service agreements they sign and be mindful that simple protection measures, such as frequently changing passwords, can help prevent breaches. Companies and governments must ensure online operations remain hassle-free and easy to use. Today, online and offline worlds coexist, and additional layers of protection should not impede users or turn people away from using online sites.

New technologies have improved social relations and promoted gains in economic efficiency. When the Internet was created, people did not contemplate that it would be used for shopping, cash transfers and the exchange of goods. As companies embrace outsourcing their operations, so too can data be managed from a different location than the one in which we reside. Since files are commonly sent overseas, there is a concern with ensuring privacy along the entire business chain — to address this issue, changes being considered by the European Union include a provision extending the privacy directive outside EU borders, specifically to all companies managing data from European citizens. Due to its controversial nature, the draft bill is expected to face more queries until 2014, the date it is set to come into force.

The privacy laws and recurring recommendations by the European Union and the Council of Europe, in place since the 1980s, have guided similar bills in industrial countries. Their evolution will most likely serve as a stepping stone to modifications in other national legislations.

As the world becomes more interconnected, security breaches will always be a threat, and attention must be focussed on this issue. Public mandatory disclosure of data theft or privacy compromise is the best available legal tool to ensure the Web, institutions, and IT systems will put into place effective protection mechanisms and develop accountable response plans for emergencies.

Works Cited:

“$171 million could be just tip of iceberg for Sony’s data breach costs” (2011). Infosecurity Magazine, May 24. Available at: www.infosecurity-magazine.com/view/18162/171-million-could-be-just-tip-of-iceberg-for-sonys-data-breach-costs.

The Canadian Press (2013). “Cyber insurance in demand after recent data breaches.” CBC News, July 28. Available at: www.cbc.ca/news/technology/story/2013/07/28/internet-insurance-security.html.

“Sony fined over ‘preventable’ PlayStation data hack” (2013). BBC News, January 24. Available at: www.bbc.co.uk/news/technology-21160818.

“Sony restores PlayStation network” (2011). BBC News, June 2. Available at: www.bbc.co.uk/news/technology-13627482.

Part of Series

Governing the Internet: Chaos, Control or Consensus?

Internet governance involves highly complex, transboundary governance challenges in a rapidly evolving technical environment. Identifying effective policy options that can balance competing interests and conflicting values requires foresight and analysis. Governing the Internet presents timely expert opinion from CIGI staff and a variety of guest authors on governance options across a range of vital Internet governance issues.

About the Author

Daphnee Iglesias is a candidate in the Master of Public Policy at the Hertie School of Governance in Berlin, Germany. She holds a B.A. in international relations and is interested in global governance. Most recently, she completed a summer internship at the Centre of International Governance Innovation in Waterloo, Canada, assisting the Global Security Program.