Big harm in little hands and the rise of the trusted organisation
October 2017 | EXPERT BRIEFING | RISK MANAGEMENT
Our concerns over data privacy and legislation providing for interception and access are somewhat assuaged by our belief that we can control the availability of our personal data and that technological limitations restrict those who could use that data to cause us injury. However, the real question is: what happens when anyone, out of curiosity or malice, can access our personal data?
We accept that we are living in the ‘age of observation’ and as such we attempt to obscure our personal information and routines in the belief that we can control that which would be accessible to third parties who would do us harm. This is increasingly difficult when so many aspects of our social relationships are turned into data.
Previously, we have been able to roughly gauge whether aspects of our daily routines and personal disclosures of information would be guarded at any appropriate level of privacy protection by guessing the likelihood our information would be discovered or understood by third parties with exploitative or undesirable interests. However, in the age of Big Data, the confidence level associated with our view of privacy has decreased considerably; even when we exhibit due diligence, individuals are now able to harness big datasets and tools that enable intentional or unintentional privacy harms of a magnitude not previously thought possible.
As a corollary, we attach increasing importance to the ‘trust’ we place in organisations to keep our data safe and to collect and retain only what is absolutely necessary in exchange for the service provided. Organisations that are cognisant of this phenomenon have an opportunity to cement longstanding customer relationships and attract disenfranchised customers from less deferential competitors.
However, the inevitability of a data breach in even the most secure organisations makes a well-orchestrated breach response plan imperative; without one, that hard-earned ‘trust’ will evaporate faster than it was generated.
Why is it that ‘trusted’ data custodianship has become so important for customer acquisition and retention? To answer this we need to look at changes in the threat environment and changes in the regulatory space. The former has seen new threats rapidly emerge and existing threats enhanced, while the latter reflects a broadening view of data subject rights that recognise that traditional privacy protection, based upon restricting disclosure of existing personal information, is perhaps less important than preventing the more serious harms that result from the combinations of democratised Big Data that can turn seemingly harmless disclosures into much more serious privacy problems.
We have seen previously secure state-sponsored exploits released into the wild, such as this year’s Shadow Brokers’ release of NSA exploits. The result was a plethora of ‘zero day’ exploits ready to be grafted onto existing malware to create far more virulent strains, as the Petya and WannaCry outbreaks demonstrated.
We have seen the emergence of new state actors in the malware and cyber exploit space, such as Vietnam and Iran, alongside traditional players, such as North Korea and Syria, each producing sophisticated modifications to existing threats that are quickly ‘monetised’ and offered as ‘services’ on the dark web.
It is perhaps the rapid ‘monetisation’ of hacking services that has had the greatest impact in eroding trust in data custodians. The economics of the network effect result in a race to the bottom in the fees charged for these services: access to any company’s email system costs just a few hundred dollars, a sustained denial of service attack just a few dollars, and the ability to remain undetected is almost assured. Over the past two years the market for hacking services has changed as dramatically as the car rental and accommodation markets, as a brief perusal of hacking forums reveals.
It is not just the fear of unauthorised access to, or loss of, our data that has rekindled the value of the ‘trusted’ organisation; it is the recognition that the harms perpetrated by ‘fake news’ can be just as debilitating as a data breach, if not more so. Rapidly growing social networks are ideal platforms for spreading disinformation campaigns. The pricing models are generally simple – a fixed amount of money buys a fixed number of actions and manipulations performed on a social media site (likes, favourites, and so on). Some of these services guarantee the quality of these actions by using humans instead of automated scripts. The services available in these markets extend beyond spreading fake news and often include creating the news stories and marketing them to the target users. Comment sections are also vulnerable to manipulation; news articles can be flooded with comments designed to promote the objectives of a client, whatever these may be.
So where does this leave us? It leaves us understandably wary, cognisant that we live in an age of observation in which we increasingly provide false information to organisations we do not trust, an age in which no organisation is impervious to attack, and an age in which ‘trust’ is increasingly a differentiator.
What constitutes trust in the digital economy? An organisation generates trust by reducing the risk of harm by only collecting the information that is needed and holding that information only for as long as necessary. Trust is facilitated when the organisation clearly articulates its cyber security posture in terms that are meaningful to the data subject. Trust is maintained when the organisation has a breach response plan that is well tested and minimises the potential harm that can result to the data subject.
One thing is clear: privacy is not dead; it is an inherent requirement of society and perhaps a fundamental human right. Organisations that recognise and acknowledge that data subjects are placing increasing importance on the value of their personal information have the opportunity to differentiate themselves in the marketplace, turning cyber security, data custodianship and privacy into robust and durable customer retention and acquisition tools.
Kit Lloyd is a legal consultant at MinterEllison. He can be contacted on +61 2 9921 4811 or by email: firstname.lastname@example.org.
© Financier Worldwide