The Impact of a Breach: When the Fallout Means More than Money

Written by

Data breaches can mean more than just financial loss. Wendy M. Grossman explores how fear, anxiety and even danger can impact victims

My private shame had become public shaming”, said the novelist Deanna Fei at the 2016 Health Privacy Summit. Three years earlier, five months into a normal pregnancy, Fei unexpectedly went into labor and delivered a one-pound, 19-ounce baby. Her daughter, Mila, survived months in the neonatal intensive care unit before emerging, tiny but healthy. In 2014, these months of trauma were exposed to public view when AOL’s CEO, her husband’s employer, told the world he was trimming employees’ retirement benefits because two “distressed babies” had dented the company’s bottom line. Colleagues immediately identified Fei’s husband as one of the parents. Fei responded by writing first a widely-shared essay and then the book Girl in Glass to tell the full story. “I spoke out to defend the basic worth of my daughter’s life”, Fei said.

In most countries, an employer would not be in a position to know such specifics. Even so, the story shows the emotional pain attached to data privacy violations even where no one has anything to be ashamed of. For some years, ‘If you have nothing to hide, you have nothing to fear’ has been the mantra of those promoting increased surveillance. Fei’s reaction proves otherwise, and it is very common, no matter how the data breach occurs.

“When we’re contacted by individuals who have received a data breach notice letter, the most common emotions are – and this is very subjective – fear, anxiety, and/or anger,” says Beth Givens, founder of the Privacy Rights Clearinghouse, a California-based non-profit created in 1992 to help individuals protect their privacy. “Fear and anxiety that the data breach will lead to identity theft, and anger that the breached company, university or government agency was so careless with their personal information that the breach occurred.” This is on top of the potential financial impact, the billions of dollars breaches can cost the victims.

Medical records, Givens says, provoke particular anxieties: what if the record is corrupted? Will they be incorrectly treated? Will medical ID theft mean they’ll be refused care? How can they get these records corrected?

Compared to the several suicides, one a married pastor, thought to be linked to the 2015 Ashley Madison hack, such anxieties may seem undramatic, but those who deal with breach victims say their distress can be intense. The harm may be intangible, but it is not hypothetical even though, as Fei has said, it’s often perceived that way.

Pam Dixon, director of the World Privacy Forum, recounts similar experiences to those Givens reports. As part of providing research, analysis and help to individuals whose privacy has been violated, she has seen many “one-to-one breaches” that, like Fei’s, are the result of one person publicizing information that was given to them in confidence. “It happens all the time”, she says.

"Revenge porn is a type of data breach"

Social Standing, Reputation and Livelihood

The category Dixon hears about most – and the one that upsets people most – concerns HIV/AIDS status. “When they contact us they’re very upset,” she explains. “They feel it jeopardizes their ability to earn a living and their family, especially when it’s posted online.” This is especially true for those in areas of the world where HIV/AIDS is still stigmatized. In Asian countries, for example, people fear they will lose their social standing, reputation and livelihood.

The second-most upsetting area is reproductive health, around which Dixon finds “amazing tension” – particularly whether a woman is pregnant or thinking of becoming pregnant. “It’s a bad thing to have breached,” she says. “It’s beyond sensitive, and no one talks about this.” She believes this is why the story of the father who was tipped off that his daughter was pregnant by Target marketing mailings still resonates. “The Target story hit a nerve that others have not hit. If I had not been getting these calls over the years, I would not be as aware of this issue. Women have called up, and either they haven’t disclosed a pregnancy yet, or they had one and didn’t disclose it, and maybe they miscarried...there are thousands of reasons why they don’t want it breached.”

Dixon’s final most-distressed category is teenage girls whose former short- or long-term boyfriends post material such as ‘sexts’ and naked pictures online. “Revenge porn is a type of data breach,” she claims, “because it’s information you’ve trusted that person with and then you end up with this horrifying situation.”

Bad for One’s Health

Even outside these categories, health data is enormously sensitive, for two reasons. The first is the intimacy of the detail, as Dixon says. The second is that health records may contain private information about people besides the victim – parents, children, other family members – and, in the US, detailed financial and employment information. That information is of sufficient value on the black market.

In 2015, Ponemon Institute found that criminal attacks had become the leading cause of healthcare data breaches. A 2016 McAfee report found that the enormous supply of data (accounts for payment services, streaming services such as sports and HBO, hotel loyalty programs) is leading prices to drop noticeably, with prices depending on factors such as the level of investment required to extract the data, market conditions, what the data is, how full the records are and the reputation of the seller.

Other recent breaches have adopted more direct methods. In the recent hack of a Lithuanian plastic surgery clinic, patients were blackmailed with the threat that intimate images such as nude photos, passport scans and national insurance numbers would be made public. Similar concerns apply to the theft of patient data from a Beverly Hills plastic surgery clinic with clients worldwide, including some celebrities.

The Burden of Biometrics

Danielle Citron, a University of Maryland professor and author of the book Hate Crimes in Cyberspace, expects these problems to get worse as organizations begin to collect biometric data, which she calls “ultra-hazardous”. She says that the aggregation of unique identifiers – Social Security Numbers as well as biometrics – has “negative externalities that customers bear and that are never internalized by companies.” She argues that courts should take such intangible harms seriously and that companies should have to bear these costs, not just those of notification. Consumers, who lack both the ability and the opportunity to audit the security practices of the organizations that collect their data, have little choice but to trust them.

Based on his company’s work protecting organizations, Giovanni Varga, the founder and CTO of Lastline, argues that “Unfortunately, companies look at ways to protect their data after a breach, not as preventive measures.”

In most cases, unlike Fei’s, it’s hard to trace a specific disclosure directly to a particular data breach and it may be some time before victims know they’ve been exposed or experience damage from that exposure. Recognizing this, both Dixon and Citron believe that companies need to offer greater assistance to victims than the law strictly requires (see Assisting Victims).

Pam Dixon concludes, “I think building centralized databases has been an untenable proposition for a long time, I don’t understand why people still want to build them because the risk has become so high.”

Assisting Victims

Breach notification laws, wherever they’re in place, impose legal requirements that companies must fulfill with respect to informing victims about the breach and their rights. Under the EU’s General Data Protection Regulation (GDPR), which will take force in May 2018, data controllers must notify the relevant supervisory authority within 72 hours of discovery and individuals directly where a breach is likely to result in a “high risk to the rights and freedoms of individuals” (GDPR, Recital 85). In most areas of the US, companies are also required to include a year of credit monitoring to catch damage.

However, for both disinterested (it’s the right thing to do) and self-interested (you need your customers to trust you) reasons, companies may find it better to do more than the law requires.

Be transparent about what data has been exposed, notify people about the damage and support them in case of cybercrime.

Particularly for sensitive data, offer a longer-term option of monitoring and access to an attorney free of charge if needed. According to Pam Dixon, it typically takes longer before sensitive data is used, and in the US it’s hard to get health data corrected and people often need experienced help. If there are financial costs to freezing the person’s credit, pay them. Use commercial services to help victims of identity fraud.

Also for particularly sensitive data, consider hiring an expert or buying software to help scrub the data from the web, particularly the ‘dark’ areas criminals frequent. Otherwise, the data breach victims are at risk of being victimized repeatedly over time as the data is reused and resold.

If you store biometric data, hire an expert to perform a risk assessment. Through lack of experience to date, much biometric data is not secured as well as it should be, Dixon says, and many healthcare providers require it. As iris scans cannot be replaced, the problems following the use of this kind of hardened identity for spoofing are far harder to unwind.

Engage in both internal and external conversations about the state of your security.

What’s hot on Infosecurity Magazine?