How would you feel if your personal information were exposed to the world?
That’s exactly what 57 000 000 people woke up to recently. A story broke about Uber’s data breach that involved the leaking of customer information. And all of it was kept secret for almost a year. That means your information could be exposed already.
And Uber’s support to its customers? Not much. They provide assistance to drivers for credit monitoring, but not passengers.
While there’s public outrage about their refusal to be transparent, one must look at the facts. Which guidelines are companies supposed to follow?
Cyber-security is still rather new. Yes, there have been problems since the internet started 50 years ago. But technology, laws and security requirements change daily. We’re still in uncharted territory.
What should the public expect from companies after data breaches? Here are a few thoughts to help you gain perspective.
Will Transparency Keep the Public Safe?
Safety is a central theme in heated discussions about cyber-security. People feel violated when hackers access their information. They expect companies to keep them, and their information, safe, and they demand transparency in light of this.
Yes, transparency will allow the public to take important security steps:
- Change passwords on devices and online platforms
- Monitor financial accounts so they can act if hackers gain access
- Monitor computers and mobile devices to prevent being manipulated remotely
But this is the extent of what transparency will help with.
Some companies don’t mention cyber-attacks because of public safety concerns. When a hack isn’t publicized, other hackers can’t learn from the event’s details. The company can also monitor the attack and perhaps catch a hacker in the act. That’s what Uber is claiming to have done. Can such motivations excuse a lack of transparency?
Should Companies be Allowed to Protect Their Reputations?
Of course, companies’ main reason for not reporting cyber-attacks is their reputations (see Uber’s growing list of scandals). Stock prices, sales and client support will plummet the moment consumers feel insecure using a specific service provider.
In many cases, information is recovered at the company’s expense and the data restored. Ransoms are paid so that people’s information is kept safe. If the risk is managed well and no harm comes to individuals, should a company be blamed for looking after its assets?
This move is risky: the company runs the risk of future embarrassment, which can be worse than the initial problem. People who learn about a breach months after it took place will be less inclined to trust the company than one that’s always transparent.
This is a gamble each company takes.
Uber may regret not disclosing the latest breach. Faith in its security systems is already at a low point because of a previous breach in 2014 and an ongoing security investigation by the FTC (Federal Trade Commission). The question is whether Uber will survive the public battle for its reputation and the legal battle for its future.
Is Transparency a Legal Requirement?
Of course, these perspectives require laws to make them actionable.
Some areas already have laws in place, which means it may be illegal not to disclose a data breach. But these laws create even more challenges.
Different states and countries employ different laws regarding:
- Whether breaches must be reported
- How quickly the attack must be reported
- How much detail about breaches must be reported
- Which companies (private or public) must adhere to the laws
- To whom reports should be made
This is problematic for companies with interests and assets that cross borders. And are these laws conducive to fighting cyber-crime? As you can see, there are drawbacks to giving out too much or too little information.
Stricter laws are necessary, but governments don’t agree on which guidelines are most beneficial.
Can Transparency Prevent Other Attacks?
Prevention is another reason people fight for more transparency. It’s necessary that people realize the global impact cyber-attacks and data breaches can have. Online dependencies between consumers, service providers and companies increase daily. If one party is infiltrated others are put at risk.
When you know about an attack, you can take steps to protect your own network. If we’re willing to fight collectively against cyber-attacks, transparency is vital.
Shared knowledge will help companies and cyber-security agencies to develop necessary features faster:
- Security features
- Emergency procedures
Knowledge will help more people be prepared for future attacks.
Unfortunately, the reality is that few companies yet realize the importance of being proactive. Cyber-security doesn’t feature high on the priority lists of most companies.
This means few entities will benefit from the information provided by full disclosures on data breaches.
Will Transparency Help or Hinder Criminals?
Of course, the ultimate goal in cyber-security is to regain control of a situation. In many cases hackers seem to be one step ahead of cyber-security features. They have the time and resources to find a way into well-protected networks.
Will transparency help cyber-security service providers improve their features?
This is debatable.
Instead of reporting an attack and making it public, a company can help fight cyber-crime by not disclosing the problem:
- IT experts can monitor the attack and even trace hackers.
- Software experts can learn how hackers work to develop better security features.
- Criminals tend to learn from each other’s success stories. When the news reports how access was gained, other hackers can attempt the same tactics. If it’s not reported, you prevent criminals’ knowledge from spreading.
But this is only part of the answer.
When breaches are reported, it allows the entire cyber-security community to work together. Lasting solutions that will benefit everyone may be reached sooner. Is the answer to be transparent with certain entities only? The public won’t like being kept out of the loop. Customers are more concerned with how an organization responds to a breach than with the fact that it occurred. It’s about trust.
Perhaps the best alternative is to publicize breaches, but not the details of the case. This allows for transparency but creates an environment where criminals don’t get information. Cyber-security companies can still use the details to users’ benefit.
Clearly this is a discussion that will evolve in years to come. We don’t know what problems or solutions the future holds. The ideal solution will benefit both the public and the companies they support. What do you think will take us closer to this ideal?