This article is not about morality but about an urgently-needed change in behaviour. For real and for good. The much talked-about saga involving the theft and subsequent publication of customer data from extramarital affairs website (what a surreal description!) Ashley Madison, has sparked many debates. Opinions have ranged from those who see this as a just punishment for the organised cheating industry to those who have ranked this hack as the most serious privacy violation since the invention of the Internet. The degree of sympathy for the victims has also been variable, but what appears to be a constant theme is the perception that this incident will have more dramatic consequences than any other cyber-attacks we have seen.
The Ashley Madison data hack has been a different type of data incident. In recent times, we have seen cases of Internet businesses being mercilessly attacked by hackers. We have seen small human errors triggering massively embarrassing data incidents. We have seen credit card details being stolen by the bucket from reputable and well-trusted companies. But this time, people’s most intimate secrets have been exposed in a way that credit protection tools or cyber-insurance policies cannot deal with. If anyone ever wondered whether data privacy still matters in our uber-connected world, this is the perfect test. It obviously does.
For all those reasons, aside from this being a reminder that our digital lives are never truly secret, the theft of Ashley Madison’s customer data is possibly the loudest call for action to date. But what action? Once again, the overarching principle for protecting our digital existence has to be ‘data security by default’. We are already living in a world dominated by ones and zeros that control and evidence everything we do. Our life has never been more dependent on what used to be called computers and are now technological extensions of ourselves. However, we have yet to fully embrace the idea of baking in data security in the product and service development process in a way that vulnerabilities are anticipated and the effect of potential incidents is minimised. It is time to deploy some of the thinking of the aviation and automotive industries into our wider digital evolution, so that cybersecurity is as natural and omnipresent as pre-take off safety briefings and seat-belts.
Thinking does not achieve much if it is not translated into actions, of course. Actions need to be properly defined and documented. It is not a coincidence that when regulators investigate potential data breaches, one of the first questions they ask is what policies and procedures are in place to avoid or mitigate such breaches. Ensuring that an appropriate cybersecurity governance framework is in place is probably the single most important step in tackling the risks. This framework cannot be a one-size-fits-all set of policies, as different circumstances – type of data, volume, consequences of misuse, etc. – will dictate what is reasonably necessary. But it is unquestionable that an organisation’s governance of cybersecurity risk must have a constant top spot on the To Do list.
An absolutely crucial element of this is the correct management of service providers. In a world where we outsource everything, vendor management is one of the most difficult issues to get right in practice. Partly because of the sheer number of relationships that are present in the provision of data-related services and partly because commercial imperatives limit the scope of what can be done, it is very tricky to implement a fully adequate vendor management strategy. Still, it is both a legal and business priority to ensure that the provision of any service that touches data is properly risk-assessed and contractually addressed. Achieving perfect data security may not be realistic but striving to do so by engaging responsible and technically adept vendors will go a long way.
Because perfect data security does not exist, figuring out how to manage an incident is also part of the equation. Panicking is a very human reaction but completely unhelpful when facing a data disaster. Planning for a data breach, as depressing as it sounds, is on the other hand a much more helpful approach. A properly drawn up data incident response plan is not something that should be improvised or test-driven in a real crisis. As the word suggests, planning is about anticipating something and deciding upfront what to do about it. In the end, it all comes down to priorities, particularly when time is short and budgets are limited. But ultimately, prioritising cybersecurity is a very real necessity and not something that we can cheat on.
This article was first published in Data Protection Law & Policy in August 2015.