May 10, 2008

The Italian Job: highlights the gap between indirect and direct damage

If you've been following the story of the Internet and Information Security, by now you will have worked out that there are two common classes of damage that are done when data is breached: the direct damage to the individual victims, and the scandal damage to the organisation victim when the media get hold of it. From the Economist:


... Italians had learnt, to their varying dismay, amusement and fascination, that—without warning or consultation with the data-protection authority—the tax authorities had put all 38.5m tax returns for 2005 up on the internet. The site was promptly jammed by the volume of hits. Before being blacked out at the insistence of data protectors, vast amounts of data were downloaded, posted to other sites or, as eBay found, burned on to disks.

The uproar in families and workplaces caused by the revelation of people's incomes (or, rather, declared incomes) can only be guessed at. A society aristocrat, returning from St Tropez, found himself explaining to the media how he financed a gilded lifestyle on earnings of just €32,043 ($47,423). He said he had generous friends.

...Vincenzo Visco, who was responsible for stamping out tax dodging, said it promoted “transparency and democracy”. Since the 1970s, tax returns have been sent to town halls where they can be seen by the public (which is how incomes of public figures reach the media). Officials say blandly that they were merely following government guidelines to encourage the use of the internet as a means of communication.

The data-protection authority disagreed. On May 6th it ruled that releasing tax returns into cyberspace was “illicit”, and qualitatively different from making them available in paper form. It could lead to the preparation of lists containing falsified data and meant the information would remain available for longer than the 12 months fixed by law.

The affair may not end there. A prosecutor is investigating if the law has been broken. And a consumer association is seeking damages. It suggests €520 per taxpayer would be appropriate compensation for the unsolicited exposure.

An insight of the 'silver bullets' approach to the market is that these two damages should be considered separately, not lumped together. Whichever is the bigger cost will dominate the solution, and if the two damages suggest opposing solutions, the result may come at the expense of the weaker side.

What makes Information Security so difficult is that the public scandal part of the damage (the indirect component) is generally the greater damage. Hence, breaches have classically been hushed up, and the direct damages to the consumers are left untreated. In this market, then, the driving force is avoiding the scandal, which not only means that direct damage to the consumer is ignored; it is likely made worse.

We then see more evidence of the (rare) wisdom of breach disclosure laws, even if, in this case, the breach was a disclosure by intention. The legal action mentioned above puts a number on the direct damage to the consumer victim. We may not agree with €520, but it's a number and a starting position that is only possible because the breach is fully out in the open.

Those, then, who oppose stronger breach laws, or wish to insert various weasel words such as "you're cool to keep it hush-hush if you encrypted the data with ROT13", should ask themselves this: is it reasonable to reduce the indirect damage of adverse publicity at the expense of making direct damages to the consumer even worse?

Lots of discussion, etc etc blah blah. My thought is this: we need to get ourselves to a point, as a society, where we do not turn the organisation into more of a secondary victim than it already is through its breach. We need to not make matters worse; we should work to remove the incentives to secrecy, rather than counterbalancing them with opposing and negative incentives such as heavy-handed data protection regulators. If there is any vestige of professionalism in the industry, then this is one way to show it: let's close down the paparazzi school of infosec and encourage and reward companies for sharing their breaches in the open.

By Stefanie Hoffman, ChannelWeb 7:42 PM EDT Mon. May. 12, 2008
An unidentified hacker posted personal information of more than six million Chileans on the Web after breaking into two popular government databases and stealing information, in what he claims was an effort to demonstrate the poor state of security in Chile.

The stolen data was located on sites run by the state-owned electoral agency, and Chile's Education Ministry.

Altogether, the hacker posted identifying data including names, telephone numbers, addresses, ID card numbers and academic records on two Web sites. The data appeared on IT site FayerWayer and on a community blog site, a Chilean blog site dedicated to technology issues, according to El Mercurio, the newspaper that first broke the news.

Posted by: Hacker Posts Stolen Data Of Six Million Chileans at May 13, 2008 11:27 AM

Italians do not hold a pioneer role or any monopoly in this area - lovely Finland keeps all the records in this area. While the data protection ombudsman is one of the tightest in the EU, the publishing of tax data has been legal for many years, and nearly every envious person (just take every other person - Finland is concentrated envy) can go to an ordinary kiosk for a long list of those who have gone over a certain income limit (and the limit stays rather low). But last year the scandal blasted into a legal muddle with the EU involved - now one could order a particular person's data via SMS, and the EU is now pondering what to do about that, as the internal legal system has failed to resolve the conflict. More to read in our beloved Hesari (local newspaper with an English section).

Posted by: A.T. at May 19, 2008 07:38 PM
