Once more into the data breach:
the LivingSocial hack and you


This article is by Bruce Baer Arnold, Lecturer in Law at University of Canberra. It first appeared on The Conversation and is replicated here with permission.

Oh look, everyone … another data breach! LivingSocial, an international social service network with a presence in Australia, acknowledged last week it had been hacked, with exposure of information about 50 million accounts. The business offered the usual reassurance: no financial data had gone AWOL.

But that reassurance was problematical. Names, birth dates, passwords and other data are building blocks for identity offences. In the world of big data, a criminal can do substantial harm by integrating data that appears to be trivial. Sadly, the breach is being seen as “just another incident” rather than something unprecedented. It follows large scale exposure of data at Medvet, Telstra, Vodafone, Sony and other businesses, along with major breaches involving universities and government agencies.

Much of that exposure was not inevitable. Particular breaches are attributable to poor system design, inadequate management and the indifference of executives. That indifference reflects perceptions that there is no cost for organisations if something goes wrong, that organisations are data owners rather than custodians, and that there are no legal consequences.

News of the LivingSocial breach coincides with debate within the privacy and information technology communities about Commonwealth proposals for data-breach legislation. Jurisdictions overseas mandate reporting of serious breaches, and in the US organisations must provide support to consumers whose health or financial data has been improperly accessed and may accordingly be at risk of identity offences. That support has not crippled business or government. The reporting is a basis for informed policy-making.

It’s also a heads-up for consumers. In Australia there is no mandatory reporting. But on the basis of overseas reporting we can infer there’s substantial unauthorised access to personal financial, health and other data every day.

That being said, in the absence of mandatory reporting observers are reliant on anecdotal information. If we had more information we might be more enthusiastic about the development of standards for the protection of data and for effective responses where a data breach has occurred.

Mandatory reporting has been proposed in a succession of hard-headed reports by the Australian Law Reform Commission (ALRC) and other bodies.

Those reports reflect the importance of updating the increasingly threadbare Australian privacy regime, which hasn’t kept pace with developments such as drones, social networks and big data.

Overseas experience suggests that mandatory reporting is viable. Importantly, reporting could be complemented by penalties for egregious negligence on the part of public/private sector organisations. Shaming doesn’t necessarily work: statutory penalties enforced by a vigorous watchdog would encourage shareholder and consumer activism.

They would also focus the minds of executives and corporate directors who’ve shrugged off breaches as someone else’s problem, too tiresome to prevent or fixed by a standard expression of regret that has all the sincerity of a used-car salesman’s smile.

The national government’s promotion of proposals for data-breach legislation has been low key. It appears the government has recently been seeking feedback from stakeholders on a confidential basis, an approach that is inconsistent with its past emphasis on “openness”, “transparency” and “engagement” through for example “Government 2.0”.

Secret consultation belongs in the world of British comedy Yes Minister, where people have to be protected from inconvenient realities and where only a favoured few – whose identities are not disclosed – get to shape policy and drive legislative drafting.

In essence, we have a situation whereby the government doesn’t seem to be particularly concerned about protection of our secrets, but wants to keep its consultation secret. That is antithetical to the foundations of a liberal democratic state and bureaucratic accountability. As a society we have a choice. We can succumb to digital defeatism and assume that data about our lives will be hacked, albeit we may not get to hear of the data breach.

There will be few penalties for an organisation that leaves the doors open or that doesn’t bother to install locks and an alarm or two. Alternatively, we can hold governments accountable, expecting them to act on our behalf in requiring organisations to report when things go wrong and to act responsibly. As part of that accountability governments need to share information with us, rather than relying on winks and hints and the favoured few.

So, was the LivingSocial hack the end of the world? Probably not, but how many more such breaches are we expected to endure?

Bruce Baer Arnold does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations. This article was originally published at The Conversation. Read the original article.


5 COMMENTS

  1. Governments don’t want to see a problem in data security. They’re too busy drafting legislation to put back doors in online repositories. For security reasons, of course.

  2. I noticed myself nodding agreement with nearly every statement. An excellent article that demonstrates an understanding and ramifications of the problem in greater detail than anything I’ve seen written to date.

    My experience backs up much of what is stated with regards to private enterprise – I’ve seen executives openly hostile to reports recommending substantial redesign (and subsequent costs) of security systems and practices. When a business evaluates the cost of implementing best practice security policies and technologies vs the cost of a data breach, ignoring the problem wins every time. In fact, the spate of high profile breaches over the past few years has actually had the opposite effect to ‘shaming’ companies into compliance – it is having a normalising effect in the minds of both executives and the general public. Where such a breach four or five years ago would have seen executives cower in fear at the very thought, these days they shrug their shoulders and say if it can happen to Sony it can happen to anyone.

    I believe a big part of the problem is the lack of knowledge and understanding of executives and key decision makers. Their eyes glaze over at the very mention of an IT problem and they try to shove everything through a bean counter model of business management. They lack understanding of the problem, the vision required to see the value in a long term solution and the incentive of any tangible penalty.

    You can hardly blame them when Govt lacks the gumption to pass laws they will be heavily criticised for by business communities wanting to avoid what they will see as unnecessary costs. I very much doubt any movement will be seen on this before the election, if at all, and never if the LNP attain power.
