It’s sad but true, the 1967 Cuby + Blizzards hit has to be paraphrased in 2012. A hack is all very impersonal. It’s something that happens to someone else, until it happens to you or someone close to you. The sad thing is that nothing seems to change. No matter how many companies’ databases are hacked and exposed, sometimes even to the general public, it is not as if the people responsible for cyber security think: how is this arranged in my company? Another day, there’s always a more spectacular hack. Dear readers, let’s face the music: storing privacy-sensitive data securely does not have the slightest priority for most companies and institutions. Is there nothing that can be done? Of course there is. Where there’s a will ….
Making data hacks personal
Only two weeks back I got a phone call from my credit card company that someone had bought something for a large amount of money on my credit card in a country far away. Luckily they noticed before I did, so it did not come to any personal harm to me other than a blocked card and waiting for the new one. A result of the credit card transaction processing company breach in the U.S. just before? I don’t know, but it is not unlikely.
A friend told me this afternoon that she had entered data into a site and that after two weeks she started to receive spam in large volumes, and for some very personal, targeted products too. A little while later she received an e-mail from the site saying that the database of this web company had been hacked and that it might be smart to change passwords. Also, that all personal data accessed from the database had been published online, which explained the endless volumes of spam she received. (That apparently was not filtered. Among the spam were lots of very Dutch companies and charities. So, they are spamming through unlawfully begotten data. OPTA, there’s work to be done!)
She was very disappointed that this web company did nothing else than send this e-mail. After that the customer is on his/her own, with all the consequences, losses, nuisance, etc.
I wrote this before: who is responsible here? It is not as if we can still assume ignorance. It’s almost impossible that the ICT officers responsible at major companies, institutions and web companies that handle and store personal data have not heard in any way of the major data breaches of the past six months. So it’s either sheer negligence, a financial choice not to invest in cyber security, or such plain stupidity that being forced to look for another job is the least one deserves.
I understand that there is a difference in what sort of data is hacked, but in all cases it’s clear that the hacked data can be used to inflict some form of personal harm. Persons and companies storing that data should be made to understand that losing personal data is not without consequence, to them and not only to their customers. The present lack of felt, real responsibility towards the customer’s data is an attitude that must no longer be allowed to continue.
To me it’s clear that without a law, ruling, directive, whatever we call it, nothing is going to change. So (again) I state:
1. The government drafts a law.
2. NCSC draws a bottom line, that is adapted every time the change in technique calls for it.
3. OPTA enforces this ruling, as it has the most experience in this field (and not an agency without specific expertise, sufficient enforcement tools and the dedicated will to enforce).
4. Law breakers who did not protect data in the prescribed ways get punished.
5. There’s a difference between ethical hackers and black hats.
6. All data breaches need to be reported and direct measures taken.
7. A general duty to care for customers’ data is instituted.
I do not see this situation changing in any other way. Sorry people, but I’ve really become convinced that self-regulation is not going to work here. The time to act for the Dutch government, and undoubtedly all other governments, is here. Waiting any longer is also a form of negligence, I’d say.
Wout de Natris, De Natris Consult
Leiderdorp, 21 April 2012