The elevator pitch for the new economy is that “data is the new oil”. Data lakes are forming faster than the lakes formed by melting glaciers. As for the latter, I’d rather the glaciers don’t melt!
Database products and analytics tools that power concepts like data lakes are flourishing. They are increasingly getting powerful features that a modern enterprise needs. If you are not playing the data game, you will be left behind, they say!
In the ‘bad old days’ powered by oil, there were the inevitable oil spills. They spoilt natural habits, and this information was often covered up. The big spills got into the limelight mainly because videos, satellite imagery and other tools made them difficult to stay hidden. The second-order effects also got noticed, and the regulators wrapped some knuckles, even if a bit gently.
The modern equivalent of the oil spill is the data breach. Not a day passes by without some story about a data breach or leakage. It is troubling that the number of records per breach is sometimes in the millions, and we seem to not even blink an eye. Every record contains a name or a number or email at least; sometimes a lot more!
#1 The breach should not happen
Why have data breaches become a lot more common? There are 8 main causes of these breaches
- Social engineering
- Stolen / Weak credentials
- Vulnerabilities in the OS or applications
- Human error
- Physical theft / Device loss
- Complex and new forms of cyber attack
Each of these is a topic in itself, and experts in cyber safety and human behaviors grapple with them constantly.
Every data breach has real people impacted and hidden behind the numbers. Some are direct links, and some not so straightforward. One cannot be indifferent to the human impact of the story. While the records are aggregated, and one scans through the numbers with increasing disinterest. The effect on each of the real people is undocumented and disaggregated. It is a cause for concern because this leaked data is being traded-in marketplaces and one can safely assume, by bad actors. Further, this data will most likely come back into other third party or ad-tech databases as well. Think about the data enrichment providers that offer services to brands and companies.
Should companies be asked to certify whether they have traded in data that may have been stolen? The analogy that comes to mind is the traceability of raw materials and whether they have come from a sustainable source and methods.
This brings me to corporate responses to breaches. A balanced response to a breach is to think from multiple perspectives –
Technical and internal process response –
Regulatory updates –
Communication and PR etc –
and certainly the most important response needed is to a customer.
In the latest instance, the world’s dominant social network seems to have washed its hands of the breach by claiming that this was old and already fixed in 2019. They resolved, as per them, the technical issue that caused the data leak. The question to ask them, is data being sold in the market now? How will you inform these people, and what is a more responsible disclosure that ensures their protection? Who pays for consequential damages, second order effects? They have the money to pull this off, but it seems they will not for reasons they know best.
Another recent instance is the Indian banking regulator asking for a forensic audit of a payments company’s data leakage. A view that they have vehemently denied. If one is a customer of the company, their public response does not seem either comprehensive or reasonable.
As opposed to these two examples, an older instance that comes to mind is that of a storied hotel brand. Their data breach resulted in them setting up a website and a call centre to help address customer concerns.
This finally brings me to the people element of a data breach. As a customer some of the things they might be looking for are-
#2 Trusted people
Each leak increases a sense of vulnerability in that situation, and people seek positive reassurance from anyone. People want to turn to trusted people or resources who can answer with empathy and a place of knowledge.
#3 What should the customer do
When you get to know that a service you use has had a data leak, the immediate response is to try and find out if your records have been leaked or not. Is there any incident response related update on the website or social channels? Invariably there is the first statement but not much else that is actionable from the customer’s point of view. It does not tell them what to do or not to do. I often wonder what the current marketing wisdom is to meet the customer where they are, but it is often not followed in these kinds of situations. I’d instead there is a dedicated journey from an incident response standpoint from the brand. Not statements alone. But actions that protect the customer.
#4 Safe spaces
Then there is the question of the ‘dark web’. Most have not paid attention to this phrase till they start searching for information on some breach or the other. The typical media report will faithfully inform people that you can explore some database or the other on the dark web or some such. The valid question then is should this person go there and look for their records? The short answer is no unless your technology and security skills are excellent.
#5 The Real Situation
The CEO of a networking company once said, there are two kinds of companies- those that know they have been hacked and those that don’t know it yet. He said it sometime in 2014, and things have certainly escalated now. The other reality is that every person is a customer with many companies and platforms. Since most people don’t keep track of this kind of news and companies are not reporting it if they can help it, the average user would like to have a service or dashboard that informs the latest status on services/brands/companies that are reporting data breaches? Should they turn to a private provider or a data safety regulator (if there is one), or who else? No easy answers for now.
#6 Services that Help
The next and related question is to find a service that lets a person know whether their records are made available in the public domain? If so, when and what is the advice for it. For this question and the one above, there are two sites to see https://haveibeenpwned.com/ and https://monitor.firefox.com/ . They are email-based but what gets out are things like national identity numbers and so on. There needs to be a service that is comprehensive and can be trusted.
#7 Regulator and Proactive corporate action
What people want is for a company to communicate transparently and inform customers of the steps they are taking to mitigate its impact. There is so much to be concerned about, and sometimes the effect may not be immediate but gradual, so the response has to be graded and comprehensive. A data breach is considered an ESG risk, and perhaps the regulators (in various regions) have provided steps that a company must take after an incident occurs. The feeling I get after reading some of this literature is that the effort is to ensure that the business’s stability is not in doubt with enough regulatory oversight. I wonder if the relevant regulators need to ask for more about the long-term mitigation efforts that a company might undertake to assist customers. It is undoubtedly necessary to talk about as the next billion customers, or even additional data from augmented reality and the metaverse gets added in some data lake. Things are going to get a lot worse at this rate and needs proactive action.
#8 Trust building in Safety Processes
In one instance, a company offered identity theft protection services to people whose data was leaked. This kind of service is essential when the data involved is financial, visual and more. The concern of the full KYC information being in the public domain means the individual needs to track every single id for misuse. Where is the service or portal that would provide that functionality? Is the dominant social network a trustworthy information partner when they are docked for misusing 2FA authentication numbers and adding them into customer records which have then got leaked? The big question is how many more companies are using information captured as part of the security support loop for other data enrichment services and needs not related to security. This certainly undermines the trust in safety communication and also becomes yet another vector for a cybersecurity incident. Should companies be required to certify their practices on these kinds of things more specifically? Are there any downsides or more responsible upside to it?
#9 Data sharing and protection disclosures
In effect, for every type of customer-related data point, the concerns to protect themselves is equally magnified. The customer needs to be educated in a systematic and supported comprehensively. Is it digital literacy outreach, or is it better communication, better design and a certain customer-first mindset regarding data management practices as well? This may be related to but also slightly different from the nuances of the privacy discussions that are going on. This is all preemptive, but once the data is leaked and is being misused, what is it that the company or the data protection authority do to help? Disaggregated legal complaints don’t reasonably document the havoc that this misuse creates. With the recent changes of last year, the newest data being aggregated is that of young children who are perhaps not even supposed to have accounts. Still, they are being asked to use gaming and quizzing apps, educational platforms and some reasonably aggressive proctoring services. There are enough signs that most apps are tapping into an opportunity but may not have the foresight enough to protect these new audiences in a manner they should. They are creating their data streams, etc, but their other related customer focused processes are not what they should be. We should be talking about data sharing and protection disclosures in more complete terms. And if you have recently read the news of Instagram wanting to build a network for under 13 children. It is alarming that they should even be thinking about it.
#10 Focus on each person
Finally, the other concern that people have is when data of the social fabric is leaked. It makes social engineering a lot easier for the people who are out to misuse data but very difficult to explain for the individual to others. So there is a lot of victim-blaming and in a world where the information stays a lot longer the suffering is a lot more for the individual. The company may have gone on the next investor call, taken a minor hit and would be good to go. The story of the individual is a lot harder.
There are many issues to address, and I think all companies should consider putting in more than sufficient resources to support the customer. It’s more than a decade since the oil spill that captured global attention and concern for months. It is still in the news for the environmental impact it has had. I also remember reading about the multi-year and multi-billion financial resourcing the company had to do to enable the mitigation efforts.
I can’t help but think that the emotional, professional, or social impact of personal information loss may well be lifelong for people. There is no undo button to restore any semblance of normalcy. Yet, one does not see the same level of multi-year mitigation efforts to help people who are impacted. We are talking machine language and all kinds of automation that could be used at scale to hurt a lot of people who may well be defenseless and not know who to turn to.
When brands and companies are moving towards more digital platforms, services and even APIs it is time for the brand purpose to reflect this long-term commitment. Leaky data faucets, incorrect settings, and improper sharing practices are not technical problems alone; they should be a brand purpose focus. Monetising and being a data business are all fine, but the company needs to be a trustee of their customer data and safety in this context too.