Data breach notification rules will lead to security incident fatigue under GDPR
The new GDPR data breach notification requirement will, from May 2018, impose a need for businesses to advise the data protection authority (in the UK this is the ICO) when they have a notifiable privacy breach.
This means detecting and understanding what has happened and interpreting this, in order to report to the authority when such a situation occurs, then dealing with whatever regulatory steps are necessary. See The 72 hour GDPR challenge.
However, immediately following this notification to the authority is the more public facing part of this process – where the data subjects themselves get informed of the fact that their information has been lost, stolen or compromised (without “undue delay” to quote the Regulation). This might be achieved through an email or a letter, on your web page or through the media or via a different route. This process is undoubtedly necessary in the interests of transparency and openness as well as being required by the new regulation. But there is also the need to be aware of the potential negative effects that such communications could provoke.
On the one hand a notification gives the affected party a warning and information that there has been an issue with their data, advice as to what to do and reassurances from the company involved. On the other hand though, there are possible negative effects of having to deal with data breach notifications as outlined below.
Data breach notification frequency could breed public apathy
In the cyber security industry, we are used to hearing about security breaches and data losses. That is mainly because it is in our interest to be aware of what is happening and to learn any valuable lessons. Although you may not be a customer of Talktalk, TKMax or Equifax, you are likely to have heard in the security industry media that they have had security breaches.
There are undoubtedly breaches that occur at present that are not reported, either through going unnoticed, or when they are handled quickly, quietly or automatically by the company concerned – for example the reissue of bank cards or the acceptance of risk where it is likely that the data hasn’t been compromised with malicious or fraudulent intent.
In the new world of GDPR data breach notification it is much more likely, if not certain, that a breach will be reported as there will be a legal mandate to do so and hence one can expect an increased number of breaches being advised to the public and data subjects.
So we may reach a point where an average member of the public will go from getting one notification a year, to one per month, or one per week – it will become routine rather than exceptional.
Certainly if one looks at the rise of cyber security attacks that are publicised and then add on those that aren’t currently noticed or reported, there will be more of these messages hitting the inboxes of affected customers.
One possible concern, is that this increased frequency leads to breach notifications being so common that the public develop apathy or view them as increasingly unimportant – to the point where they become the background noise of an online life.
Data breach notification – “playing it safe”
This risk of data breaches that affect people becoming routine or mundane is likely to be made worse by the fact companies may notify more often than then they actually need to in order to “play it safe”.
If they feel the best way to minimise fines and/or deal with uncertainty around the amount of data stolen is to contact all possible data subjects “just in case” rather than those actually affected then the volume will increase further.
Imagine a data theft which involved current subscribers to a service which may also have affected past subscribers; or the criteria for notification was based on the assumption that sensitive data was stolen (on a field-by-field basis) when actually it may have just been names and email addresses. Would it be necessary to notify all current and past customers?
The company affected by the breach then notifies all the people who might have been affected by a data breach, when actually they might not have been affected or might not have been affected in any significant way. Hence these “cautionary” notifications add to the noise of actual, real, significant data loss reports.
As well as the volume of these data breach notifications increasing, we risk a “crying wolf effect”. If every 10 reports a person receives about their data being stolen only contains 1 real problem, the signal-to-noise ratio is pretty poor and apathy is likely to set in.
Changing passwords, bank cards, reissuing credentials
When usernames and/or passwords are compromised the account holder is normally advised (or compelled) to change their password. This often involves changing their password across multiple sites (where passwords are reused – see http://www.bbc.co.uk/news/technology-40875534).
Changing a password may appear simple (and for some with weaker password generation approaches it will be) but if passwords are of a high quality it means devising a new random set of words or choosing another set of characters from the words of a song. Either way it is a hassle and often means making a change across multiple devices where a web site, social media account or app is used on a laptop, tablet and phone – re-entering the new password into all the places where it is used.
The same is true for the reissue of compromised credit cards – a nuisance both for the card issuer who has to cancel and reissue the physical cards, and also for all the affected card holders who have to cut up old cards, swap around their wallets and (inevitably) change the stored credit card details in any mobile wallets, shopping sites, app stores, music streaming services and also annual subscription renewals they have used them for.
Having to do this once a year is one thing, having to do it once a month or once a week is a frequency that, for many people, will become a problem.
“Grant me the serenity to accept the things I cannot change…”
If changing passwords, email addresses, bank cards, subscriber details etc. risks becoming overwhelming; then we should worry also about those data fields or characteristics that we cannot change in the event of a data breach.
Security questions are a good example. My mother’s maiden name is an immutable fact, and although one could select any word as the secret answer to this question (as a secondary password), most people use the actual value. The same goes for the first school, best friend’s name, pet’s details, town of birth etc.
There are also things that might become compromised but can’t be changed, a biometric or an aspect of someone’s life that needs to be accurate but is also fixed – like an address, date of birth, blood group, national insurance number.
In essence, when data is disclosed there will be parts of it that are disclosed forever. If someone reuses passwords across multiple accounts or creates new passwords by adding an additional incrementing digit, they are unlikely to choose different answers to the date-of-birth and mothers-maiden-name security questions.
The recent Equifax data breach is an example of this – the scale being so wide that:
“… every SSN in the United States – together with the accompanying name – must be presumed to be public knowledge, and thus should not be used to validate anyone’s identity, ever again”.
Identity theft insurance clash
It is common to be offered identity theft insurance or credit monitoring when your data, account or personal details are leaked.
This has some value, at least as part of the organisation’s attempts to fix a bad situation. However, if a person has similar insurance from past breaches they may not need another policy (which could be from the same provider) due to a later breach somewhere else.
These insurance policies usually last a set period of time, typically a year. Hence, if breaches affecting personal data come along more frequently then the market for the provision of this becomes somewhat dysfunctional.
Breached Company A provides insurance to affected customers, breached Company B tries to do the same but finds some customers already have cover so do they overlap with new cover, or just extend it? Alternatively, do they provide a cash equivalent as compensation? For the recipients of these insurance policies – do they amass several similar policies with different benefits and subscription windows over time? Who do they claim from when a fraud occurs if their details have been exposed multiple times? Does having multiple policies in place mean that the insurers argue about whose liability it is?
Choosing a safe service provider
There are some organisations you have to disclose data to – a tax office or vehicle registration authority for example. Maybe you live in a small town where there is only one doctor’s surgery, or your employer has a pension arrangement with a specific pension provider.
However, there are other areas where people have choice – banks, mortgage providers, online stores, news subscription services, insurers, airlines etc.
Whether people will start choosing providers based on past data security track records remains to be seen – if Company A develops a reputation for data breaches, then people may decide to choose Company B in preference to it. Buying choices are typically made based on price, value, brand reputation, choice of products, customer service etc. rather than quality of data security or the number of data breaches experienced.
A large company with millions of customers may have more publicised breaches than a small provider that isn’t as much of a target. This doesn’t mean the larger company’s security provisions are worse, just that their profile – as well as statistics, probability and newsworthiness – skew the numbers.
In a future where data breaches are being publicised more frequently, one wonders if there is competitive advantage in being “breach free”, or if the sad reality will be that most of the providers in a sector will have had breaches and hence customers have little effective choice between them based on their past data protection track record.
As a final point on competitive choice, there are service providers who provide value through either the community, devices, supporting services or purchase and account history they provide. For example:
- A customer whose account details were exposed in the Sony breach is unlikely to swap their PlayStation for an Xbox if they have hundreds of pounds worth of video games;
- The compromise of LinkedIn accounts probably didn’t cause many to move to an alternate business social network that didn’t have the volume of contacts and network size LinkedIn does;
- Who could afford to walk away from a lifetime of iTunes music, app and video purchases to an alternative provider just on the basis of their account being breached at some future point?
So for those wanting to make choices based on data safety it is likely that real choice might not exist. Or there might not be a way to exercise choice except at the very first stage of a business relationship. Most service providers aim to be “sticky” – reducing churn and retaining (or locking in) customers – this won’t change in the post-GDPR world.
The data protection and data breach notification challenge
For citizens and data subjects, the data breach notification process could end up being a double-edged sword.
What seems clear is that the level of discussion about data breach notifications will increase until the volume grows to the point that it either becomes uninteresting and routine, or completely moot in a market differentiating sense. Security incident fatigue could become very real!
For companies, the only course of action seems to be to avoid being part of the noise and hubris by staying safe and keeping data secure, so that they can claim a patch of moral high ground in the mountain range of data protection that might end up being an increasingly lonely, but valuable, place to be.
If you need some reassurance around your level of risk, or if this blog post has convinced you that data breaches are more than ever something to avoid, the Huntsman Security GDPR Risk Tool is worth using to get some answers as to the possible size of the problem you might face. It is free to download from the link below.