Information technology is increasingly pervading every aspect of our lives, promising fantastic opportunities for improving our health, wealth, knowledge and the way we live together. But with the increased pervasiveness of information technology, more and more personal data is collected, processed and used for purposes nobody imagined even a few years ago.
In the past, capabilities for storing and processing mass amounts of personal data were limited by physical barriers, but now information technology allows us to go in any direction we want with virtually no obstacles standing in our way.
However, they say there is no light without dark. And within the darkness of our Information Age—difficult to recognize at first glance—resides a stealthy dragon in disguise waiting to exploit vulnerabilities and poor data security practices.
Data breaches and other privacy mishaps are increasing in volume and are frequently making headlines. In April 2011, the Sony PlayStation hack compromised the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords, and led to a sanction of £250,000 by the UK Information Commissioner’s Office (ICO). The ICO didn’t hold back:
“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe. The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”
Following the breach, Sony rebuilt its network platform to ensure that the account information and passwords it processes are kept secure. Just recently, the PlayStation Network was attacked by a hacker group for a second time, resulting in a forced downtime of Sony’s gaming network.
In November 2013, the data breach at U.S. retailer Target exposed millions of customer records, including names, mailing addresses, phone numbers and sensitive credit/debit card details, to unauthorized third parties. First-quarter sales figures following the breach showed a 16-percent decline over the same period the year before, and Target’s stock has fallen 11 percent since December. In February, the retailer reported profits had nearly halved from a year earlier to $520 million and its revenue had slid five percent to $21.5 billion. Costs for credit-card replacements and payments to credit unions associated with the data breach already topped $200 million. Five months after Target's data breach, the retailer's former chairman and chief executive Gregg Steinhafel was devoured by the dragon of the Information Age when he had to step down from his more than $23 million-a-year position. Plus, in recent weeks, it was discovered that the “Backoff” hacker tool has affected more than 1,000 American businesses, including UPS and Supervalu, exposing the businesses to similar risks.
Last month, The New York Times reported “Russian Hackers Amass Over a Billion Internet Passwords,” demonstrating, once more, an inadequate protection of account information, but this time the incident exceeded the volume of the Sony breach dramatically. Additionally, The Guardian reported that the FBI is investigating another series of attacks on high-profile banks targeting sensitive data, with speculation the hackers were Russian.
With a revision of the European data protection framework underway, lawmakers are considering an increase to sanctions imposed by EU data protection authorities to €100,000,000 or five percent of the worldwide annual turnover of a corporation, whichever is greater. It is now obvious that the size of potential fines simply reflects the threat the dragon in the dark represents for the information society. Furthermore, it is clear that effective data protection is not a national but an international matter and that the patchwork of similar but actually diverse data protection laws in the European Economic Area needs to be replaced by “One Regulation.”
Privacy is not dead. Data protection is more relevant now than ever. The information economy presents a watershed for economic development and progress, but with that increase in wealth comes greater responsibility to protect information.
So, let us beat the drums and recruit brave fighters for data protection beyond the known realms of the privacy profession. Equipped with the freshly forged CIPT swords from the IAPP arsenal, privacy professionals may dare to climb down into the dark, fight the dragon of the Information Age and track down its eggs wherever they may hide. And one day, hopefully in the not too distant future, together we may enjoy a fluffy omelet with a crispy piece of bacon …
Dragon image courtesy of author.