Thinking about data after a breach: Fear, outrage, or apathy?
Just in 2017, we've seen a lot of different types of infosec incidents gain major attention. With that attention, we've seen a variety of public responses to these incidents. There are some themes in these responses that I want to discuss here.
One major inspiration, beyond my own curiosity, for this topic was episode 258 of Down the Security Rabbithole. In that episode, Raf, James, and Dave Bittner talk about notPetya (or whatever) fallout, specifically for Maersk. They ask a lot of interesting questions in that episode; go listen to it. Specifically, they talk about the different public responses to recent incidents at Maersk and NHS. So let's look at those cases and some themes in public reactions to major incidents.
Risk perception, again!
A lot of the themes in public responses to infosec incidents can be tied to the risk perception factors I mentioned in a few previous posts. The reaction to the NHS incident was more extreme than to Maersk because of the victim identity and catastrophic potential factors. They mention on the podcast that the catastrophic potential for Maersk is relatively low, especially compared to NHS, and it's likely that most people won't be impacted. Also, those who were impacted by delayed shipping likely acknowledged and accepted that risk early on (voluntariness, familiarity). Lately, we've also seen outrage due to voluntariness with Equifax. Many people who were impacted by this breach didn't give their data to Equifax directly; they didn't voluntarily accept the risk.
This issue of voluntary or involuntary disclosure is particularly interesting for data breaches because we frequently don't have a choice when handing over our PII. This forced disclosure and inability to control how our PII is used, protected, disposed of, etc. is likely one reason breaches of PII lead to such high public outrage. Next, I'll explore a theory that can potentially help understand this aspect of public responses to breaches.
Communication Privacy Management Theory
Maybe one day I'll run out of theories from communication to apply to infosec, but today is not that day. I love CPM theory because I think it has really interesting potential for helping us improve infosec communication.
CPM theory was originally developed to understand how married couples share personal details, but it has been expanded to cover other interpersonal relationships (Metzger, 2007). The three main elements of CPM theory are: privacy control, privacy ownership, and privacy turbulence. People believe that they have the authority to regulate how and with whom their private information is shared (privacy control). They believe that they are the sole owners of it and, when they share it, the new "co-owners" take on responsibility for that information (privacy ownership). Conflict occurs when information co-owners violate our expectations for how the information should be used or shared (privacy turbulence). In interpersonal relationships (spouses, parents and children, co-workers, etc.) turbulence is followed by boundary renegotiation - rules are changed or clarified to prevent future conflict.
Here's an example of how this might work:
If you tell a co-worker that you have a job interview with another company, you probably don't want them to tell anyone else at work. You might say this explicitly or just imply it. If they bring it up around other people later, you might take them aside and remind them that it is a secret.
When we share private information interpersonally, we try to control third-party access to the information through privacy rules that we've negotiated with co-owners. With friends, this usually comes down to saying "don't tell anyone" or "you can tell X but nobody else." Maybe if it's important information in print (like a check) you expect them to shred it. This negotiation isn't possible in situations that lead to data breaches. You can't negotiate privacy boundaries or rules with an employer or coordinate third-party access to your information with a bank, healthcare provider, or retailer. You also can't decide not to share PII with most of these entities if you want to function in society. Research into CPM hasn't explored these involuntary-disclosure relationships yet, so we don't know how people feel about their ownership and control of private information in these situations.
Based on the CPM work that exists, I believe this inability to negotiate and control how these entities use and protect private information leads to both the short-term outrage and long-term apathy when PII is lost in a data breach. After a data breach, when people ask questions like "why did you still have this data?" or "why wasn't it better secured?" they're basically saying that the co-owners of their PII (whoever got breached) violated their expectations for how that private information should be handled.
Public outrage after a data breach might be caused by the same violated expectations as a friend telling someone your secret, but you don't have the same recourse. You can't renegotiate boundaries or privacy rules with your bank or employer, mostly because there wasn't any negotiation to start with. This might be where the initial outrage leads to apathy. People are used to losing control over their PII when they get a job, join a bank, or even get on social media. They know there isn't anything to be done about how organizations (mis)use their PII and don't feel empowered to demand better protection for it.
How does a company treat your data?
Based on CPM theory and reactions to a variety of breaches, I've developed some ideas about how the public interprets organizations' treatment of PII based on breach communication. I'm going to be talking about perception here, not reality. Public perception, no matter how inaccurate, needs to be acknowledged for effective communication to occur.
The fact that a breach occurred in the first place is probably the strongest message to the public about how the organization values their data. CPM theory shows that we have expectations for how co-owners will treat and protect our private information once we share it. A breach tells us that the organization wasn't meeting our personal standards of protection. Now, the general public doesn't have actual technical standards for how PII should be protected. They just know that their PII was lost, so it obviously wasn't being protected effectively.
People are also still a little salty, unconsciously, that they were forced to share this information to begin with. This is all exacerbated by the communication coming from most organizations after a breach - cold, formulaic, legalese, CYA communication. This strengthens the perception that the organization isn't properly valuing your data; they're focused on protecting themselves. Your PII is "just data" to them but, to you, it's your identity, it's who you are. This is probably changing due to the number of times people's PII has been breached, but the outrage is still there.
Organizations need to understand, and show that they understand, what this data actually means to the victims of a breach. Part of this is realizing that the organization isn't the actual victim of the breach, or at least isn't the biggest victim. People are self-centered; we focus on what is happening to us because that's what we can see. It takes significantly more effort to think about how a situation is impacting someone else. After a breach, organizations see themselves as victims because they are living in that situation - their network may be down, they are trying to get back to normal, they don't have the time to consider how the breach is impacting people outside of their sphere. This isn't an excuse, and that type of thinking gets organizations into hot water over and over again.
If you borrow a friend's car and there is an accident, you apologize to your friend because you had possession of their valuable thing and something bad happened. This isn't a perfect analogy but you get the point. Taking possession of someone else's valuables makes you responsible for what happens to them, even if it was an accident and you did everything you could to protect the valuables. If organizations want to own our data, they need to realize that comes with expectations and react accordingly when those expectations are violated.
Metzger, M. J. (2007). Communication privacy management in electronic commerce. Journal of Computer-Mediated Communication, 12(2), 335-361.
Petronio, S. (2004). Road to developing communication privacy management theory: Narrative in progress, please stand by. Journal of Family Communication, 4(3-4), 193-207.
Petronio, S. (2013). Brief status report on communication privacy management theory. Journal of Family Communication, 13(1), 6-14.