- 2017, September 15, SSRN, “Cyber Crime Liability and Insurance“
- 2017, September 15, SSRN, “Encryption Policy and Law Enforcement in the Cloud” — what a tricky situation. There is no easy solution for law enforcement access to data. And really, even if they obtained this hardware backdoor (or whatever other similar implementation), those who have a reason to protect their communications will find a way. So maybe the question is whether the government just wants surveillance at scale, rather than use labour-intensive humans? Perhaps they want algorithmic intelligence gathering? Makes sense, but they can get a hell of a long way with metadata already!
- 2017, September 15, SSRN, “The Law of Everything. Broad Concept of Personal Data and Overstretched Scope of EU Data Protection Law” — this paper makes a good point. The legislation is broad enough that any data could be defined as ‘personally identifiable’. But why don’t we take a step back for a moment … why do we even want to store personal data? Other than the clear case of government records or a medical practice (and some other edge cases), why does any organisation need personal data? Or, more to the point – why does the personal data need to keep on their internal systems? Business processes could work effectively simply with a token to represent an individual. There isn’t any other need for the data (in the general case). Moreover, the token for the individual could represent a hash digest based on pre-defined identification fields. And the fields used in this digest can vary across organisations (which it should to prevent reverse engineering). But the point is that personally identifiable data is removed from business processing almost immediately after it is collected. The remaining data can then be aggregated for analytics.
- 2017, September 15, SSRN, “Cross-Border Data Access Reform: A Primer on the Proposed U.S.-U.K. Agreement“
- 2017, September 14, SSRN, “Trifling and Gambling with Virtual Money“
- 2017, September 14, SSRN, “Freedom to Hack“
- 2017, September 14, SSRN, “The Ascendant Cycle of Cyber Crimes: An Ordeal for the Present Legal Framework“
- 2017, September 14, arXiv – 1709.04767, “A review of approaches to the value of privacy“
What is the Cost of a Data Breach?
If security is breached, data is leaked, and then makes its way to the Dark Web, what consequence does this have for an individual?
Let’s say my personal details were revealed in a breach (which they have according to ‘HaveIBeenPwned’). What happens then? Someone (briefly) has my credentials to a website. Maybe they can see my application preferences, maybe they have my address … what else? Maybe they can post some crap on Twitter or Facebook.
Sure, I wouldn’t like any of this and it would certainly feel like a violation. But what is the quantifiable effect of this breach? Can someone get access to my money? Can my assets be accessed without my knowledge? Is my quality of life at risk?
Or is this all a matter of how much I value my privacy? Is the issue the lack of trust that creeps into online transactions?
I think about this because I wonder how an organisation can truly quantify what data is at risk; and I also wonder how insurance can devise metrics to create cover for this risk?
The value of data is real – at scale. My data only matters to the extent that I fall into a specific demographic that can then be targeted for products and services. The fact that my name is Paul and that I am from Australia (to keep the data points very broad) is inconsequential. But those data points combined – with some other online behaviour – places me in a category. I may or may not succumb to the marketing effort, but that is all my data is good for.
It gets me thinking holistically about the data privacy and security debate. What is the goal here? We can sell endless products and services that aim to keep organisations secure and compliant. But what does it all mean for the average person who this is all meant to be for?! I’m not sure. I think the concept is worthwhile – security, integrity, ethics and governance are important things; it is how it plays out in regulation and business processes that I am concerned about.
And then, if the worst that can come from supplying data to organisations is that I am targeted for an ad or spam … well, I think there are much more important things to worry about!
There are endless posts about failures or lessons about Equifax. But I think we can say one thing – unless compliance is easy, breaches will continue. So I advocate for blending psychology, design thinking (UI/UX optimisation), and security fundamentals to make it simple to be secure. No amount of additional processing or technology will help. What will help is less of all this stuff. Re-think the data pipeline. Sure, it is a transition/change management project, but the payoff is a simpler, more secure online life.