09 Jan, 2016
Could a Privacy Breach be Deadly?
The Internet of Things and Privacy by Design.
How dangerous are the potential consequences of a privacy breach? So far we have heard about cases with multi-million dollar financial losses, damage to brand reputation, and executive career crashes. Could a privacy breach lead to a loss of human life?
We touched on the topic of Big Data and Privacy in one of our earlier posts a couple of years ago. I have a strong feeling that the subject of privacy is becoming even more pressing with the growth in online data collection, facial recognition technology, the Internet of Things and further development of Big Data and Data Science. During my career, I have had multiple conversations regarding the importance of privacy with colleagues and clients. In most cases, individuals expressed the opinion that privacy is more of a necessary legal compliance issue than a critical component of any modern data-driven process. Over the last couple of years, I have noticed an accelerated evolution in the perception of privacy by business leaders and consumers. For instance, last fall I received multiple invitations and attended three events that covered different aspects of privacy.
The media has played a significant role in the overall perception of privacy issues. I believe the media should continue to contribute and even increase attention to the importance of privacy and data security.
Unfortunately, awareness of the risks of privacy breaches is falling far behind the actual threat, the increased frequency of those threats and the seriousness of the consequences to the victims of each security breach.
Below are a few examples of cases that received attention from the mass media, shed some light on the risk and made the average person focus on how privacy issues may impact their lives.
The Target Breach
The Target Breach, By the Numbers (1)
40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.
70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.
46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.
200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.
100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.
Target has agreed to pay $10 million to settle a class-action lawsuit related to the company’s 2013 data breach. (2)
Court documents show hacking victims could get as much as $10,000 apiece.
U.S. District Court Judge Paul Magnuson indicated at a hearing Thursday in St. Paul, Minn., that he planned to grant preliminary approval of the 97-page settlement, The Associated Press reported.
Healthcare Data Breaches
Criminal Attacks Are Now Leading Cause of Data Breach in Healthcare, According to New Ponemon Study
May 7, 2015 — The healthcare industry is experiencing a surge in data breaches, security incidents, and criminal attacks—exposing millions of patients and their medical records—according to the latest Ponemon Institute study, sponsored by ID Experts®, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. The study reveals that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breach. According to a 2013 Ponemon study, the most recent available, 1.8 million Americans or their close family members fell victim to medical identity theft, and 36 percent of them faced significant out-of-pocket expenses as a result.
Ashley Madison Privacy Breach
In July 2015, a group calling itself “The Impact Team” stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The group copied personal information about the site’s user base and threatened to release users’ names and personally identifying information if Ashley Madison was not immediately shut down. On 18 and 20 August, the group leaked more than 25 gigabytes of company data, including user details.
On 24 August 2015, Toronto police announced that two unconfirmed suicides had been linked to the data breach, in addition to “reports of hate crimes connected to the hack.” Unconfirmed reports say a man in the U.S. died by suicide. At least one suicide, which was previously linked to Ashley Madison, has since been reported as being due to “stress entirely related to issues at work that had no connection to the data leak”.
On 24 August 2015, a pastor and professor at the New Orleans Baptist Theological Seminary committed suicide citing the leak that had occurred six days before. (4)
Broken Hearts (television drama series Homeland)
“Broken Hearts” is the tenth episode of the second season of the American television drama series Homeland.
One of the characters, the terrorist leader Nazir, with his associate gains access to the pacemaker of Walden (the Vice President of the United States) and accelerates his heartbeat, inducing a heart attack. (5)
Security experts confirmed that terrorists could hack pacemakers as in Homeland. (6)
The Internet of Things creates a tremendous opportunity to increase productivity by reducing the waste of energy and resources. Facial Recognition can help in security applications, make our lives safer and reduce efforts spent on individual security checks. At the same time, those technologies create new privacy and safety risks.
I believe there is an urgent need to change how we treat privacy and data security: from a legal compliance problem to a key principle of any system or business process design. We need coordinated efforts between the legal, business and technology communities to make this happen.
For example, the European Union is the current leader in privacy legislation and one of the earliest adopters of the so-called Privacy by Design approach.
Privacy by Design
Privacy by Design (PbD) is an approach to protecting privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures. That means building in privacy up front – right into the design specifications and architecture of new systems and processes. (7)
Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, developed the principles of Privacy by Design in the 1990s.
The Privacy by Design approach gained widespread international recognition and was recognized as a new global privacy standard.
Privacy by Design: The Foundational Principles
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default
- Privacy Embedded into Design
- Full Functionality: Positive-Sum, not Zero-Sum
- End-to-End Lifecycle Protection
- Visibility and Transparency
- Respect for User Privacy
The Privacy by Design approach provides us with essential guidelines to follow in our business process and system designs for our highly interconnected world. We need to continue our efforts to make Privacy by Design an integral part of business and technology culture. Legislative efforts are necessary but not sufficient without a more fundamental change in our business and technology practices.
(1) The Target Breach, By the Numbers, http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
(2) Target Offers $10 Million Settlement In Data Breach Lawsuit, http://www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit
(3) Criminal Attacks Are Now Leading Cause of Data Breach in Healthcare, According to New Ponemon Study, http://www.ponemon.org/news-2/66
(4) Ashley Madison data breach, https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
(5) Broken Hearts (Homeland), https://en.wikipedia.org/wiki/Broken_Hearts_(Homeland)
(6) Terrorists could hack pacemakers like in Homeland, say security experts, http://www.telegraph.co.uk/news/science/science-news/11212777/Terrorists-could-hack-pacemakers-like-in-Homeland-say-security-experts.html
(7) Privacy by Design, https://www.ipc.on.ca/english/privacy/introduction-to-pbd/