Cybercrime Regulation, Legislation Struggling to Keep Up
The recently reported hack of an estimated 80 million records from U.S. health insurer Anthem follows an impressive list of known data breaches from otherwise reputable organizations and government agencies around the world.
Yet, these breaches represent only the tip of the cybercrime and data breach iceberg.
Wade Baker, principle author of the 2014 Data Breach Investigations Report from the U.S. mobile communications company Verizon, sums up the situation more bluntly: “After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime—and the bad guys are winning.”
Legislation and Regulation
The effectiveness of any data breach notification or privacy legislation in our fast moving, mercurial and shadowy digital world has to be questioned. The speed and agility of the cybercrime industry stands in stark contrast to the glacial pace of regulatory and legislative evolution.
For the legal and regulatory mandates to be effective, they rely on considerations such as:
- Deterrence factor
- Actual protections afforded under the law
- Practicalities of enforcing the law
Legislating across multiple legal jurisdictions only further adds to the overhead of prosecuting cybercriminal activities. Cybercrime is borderless in our digital world.
A recent high profile conviction of creator of the online illicit drug marketplace known as the Silk Road is a rare case of a successful cybercrime prosecution and conviction. The Silk Road takedown followed a sustained and extensive investigation on a known and visible target – and the main prosecution related to money laundering and narcotics dealings, not data theft alone.
Effectiveness of data breach notification or privacy legislation in fast moving digital world has to be questioned.
In the face of advanced and persistent threats (known in the security industry as APTs), the protection offered by the legislation is limited, especially if an organization was not aware of the attack having even occurred.
Mandatory data breach reporting legislation also presents a unique challenge for organizations with existing cloud computing arrangements, in that they are, for the most part, at the mercy of their provider’s willingness or ability to meet these legal requirements. In the face of such legislation, it is prudent for cloud customers to reassess their cloud provider’s security measures, loss compensation and remediation approaches.
Add to this mix the challenges facing those organizations at war with their own IT departments or IT vendors. Legacy systems, poorly architected IT services based on fragmented technologies, inflexible IT supply contracts—not to mention substandard business leadership and technology management practices—are hindering many an organization’s abilities to respond rapidly to meet the rapidly changing cybercrime threats. And that’s all in addition to increasing demands from regulators and legislators for protecting important information assets.
Moreover, the pervasive phenomenon of Shadow IT is also a contributory risk, where individuals, local departments or business units within organizations are implementing IT systems without the appropriate due diligence, contribute to the risk of a potential data breach.
Both Shadow IT and cybercrime escalate the risks and challenges associated with the protection of sensitive data.
Data Breach Legislation
Globally, cybercrime is a multi-billion dollar business with some of the smartest brains employed to crack security systems. Put simply, there is an ongoing arms race between the cloud providers and the cybercriminals, and sometimes the latter win.
We should never ignore the fact big data presents a rich target of opportunity for cybercriminals.
To comply with relevant privacy legislation in different countries and regions, data that is to be externally released for purposes such as marketing, analysis and reporting should have the individual’s personal information removed—a process known as anonymizing, or de-identifying.
But when disparate data from a range of anonymized, independent data sources can be matched using specialised algorithms to geo-tagged information, it may be possible to re-identify data.
A number of researchers have already shown re-identification to be possible by using specially crafted matching algorithms.
The risks associated with the possible re-identification of personal information should be a topic high on the agenda for industry regulators, legislators and those concerned about information security and privacy.
On the bright side, the re-identification of big data is a distinct advantage for anti-terrorism and law enforcement agencies. The ability to pinpoint individuals who are a likely threat to society or involved in criminal activities would be largely seen as a positive use of big data.
But the possibility of misidentification is real, which may have serious consequences for the individuals concerned. Factors such as the provenance and accuracy of source data, together with the validity of the analytical techniques used, needs to be meticulously verified to minimize the occurrence of misidentification in such instances.