Oh look, everyone … another data breach!
The business offered the usual reassurance: no financial data had gone AWOL.
But that reassurance was problematic. Names, birth dates, passwords and other data are building blocks for identity offences. In the world of big data, a criminal can do substantial harm by combining items of data that, taken individually, appear trivial.
Sadly, the breach is being seen as “just another incident” rather than something unprecedented. It follows large scale exposure of data at Medvet, Telstra, Vodafone, Sony and other businesses, along with major breaches involving universities and government agencies.
Much of that exposure was not inevitable. Particular breaches are attributable to poor system design, inadequate management and the indifference of executives.
That indifference reflects perceptions that there is no cost for organisations if something goes wrong, that organisations are data owners rather than custodians, and that there are no legal consequences.
New privacy laws
News of the LivingSocial breach coincides with debate within the privacy and information technology communities about Commonwealth proposals for data-breach legislation.
Jurisdictions overseas mandate reporting of serious breaches, and in the US organisations must provide support to consumers whose health or financial data has been improperly accessed and may accordingly be at risk of identity offences.
That support has not crippled business or government. The reporting is a basis for informed policy-making.
It’s also a heads-up for consumers.
In Australia there is no mandatory reporting. But on the basis of overseas reporting we can infer there’s substantial unauthorised access to personal financial, health and other data every day.
That being said, in the absence of mandatory reporting observers are reliant on anecdotal information.
If we had more information we might be more enthusiastic about the development of standards for the protection of data and for effective responses where a data breach has occurred.
Mandatory reporting works
Those overseas breach reports reflect the importance of updating the increasingly threadbare Australian privacy regime, which hasn’t kept pace with developments such as drones, social networks and big data.
Overseas experience suggests that mandatory reporting is viable. Importantly, reporting could be complemented by penalties for egregious negligence on the part of public and private sector organisations.
Shaming doesn’t necessarily work: statutory penalties enforced by a vigorous watchdog would encourage shareholder and consumer activism.
They would also focus the minds of executives and corporate directors who’ve shrugged off breaches as someone else’s problem, too tiresome to prevent or fixed by a standard expression of regret that has all the sincerity of a used-car salesman’s smile.
What’s the government doing about it?
The national government’s promotion of proposals for data-breach legislation has been low key.
It appears the government has recently been seeking feedback from stakeholders on a confidential basis, an approach that is inconsistent with its past emphasis on “openness”, “transparency” and “engagement” through for example “Government 2.0”.
Secret consultation belongs in the world of British comedy Yes Minister, where people have to be protected from inconvenient realities and where only a favoured few – whose identities are not disclosed – get to shape policy and drive legislative drafting.
In essence, we have a situation whereby the government doesn’t seem to be particularly concerned about protection of our secrets, but wants to keep its consultation secret.
That is antithetical to the foundations of a liberal democratic state and bureaucratic accountability.
As a society we have a choice. We can succumb to digital defeatism and assume that data about our lives will be hacked, even though we may never get to hear of the breach.
There will be few penalties for an organisation that leaves the doors open or that doesn’t bother to install locks and an alarm or two.
Alternatively, we can hold governments accountable, expecting them to act on our behalf by requiring organisations to report when things go wrong and to act responsibly.
As part of that accountability governments need to share information with us, rather than relying on winks and hints and the favoured few.
So, was the LivingSocial hack the end of the world? Probably not, but how many more such breaches are we expected to endure?