Time to Get Transparent about Cyber Security

Another day, another hack. Apple, Sony, Citigroup, and Lockheed Martin are just some of the big-name companies afflicted by recent cyber-security breaches. Canada has not been spared. Beyond the attacks on the federal Treasury and Finance Departments and the Conservative Party of Canada, Sony, Husky Energy, and Honda have all had Canadian branches or units compromised in recent hacks. Even major Canadian law firms have been victimized.

As expected, questions are being raised about the nature of the cyber-attacks, their scope, and the means and motives of those behind them. And, perhaps most importantly, people are raising privacy concerns about the massive amounts of personal and financial information that these, and other, companies hold, and about the data safeguards – or lack thereof – that leave that data vulnerable to theft and exploitation.

Despite these real public concerns, a troubling trend is emerging: companies sit on information about hacks and data breaches, sometimes for weeks, before going public, and even then downplay the severity and scope of the breach.

Sony was the victim of a massive data breach in early April, and, later that month, its PlayStation network was hacked a second time. However, the second time around, Sony delayed disclosing the fact that it had been hacked, and even misrepresented the timeline for when the company had found out about the second hack. Similarly, Citigroup sat on a data security breach for almost a month before disclosing information about it, and still understated the seriousness of the attack: At first, Citigroup said data was stolen from 200,000 bank accounts. Then it said data was stolen from 360,000 accounts. Tomorrow, who knows?

Lack of timely and frank public disclosure is a serious problem. To begin with, it puts consumers and the general public at continuing risk. Without warning or notice of such cyber-attacks or data hacks, customers continue to use potentially compromised sites and networks, making misappropriation of their personal and financial data even more likely. In the process, people are unable to make informed decisions about consumer goods and financial services, including how much data they are willing to hand over and which companies or banks they choose to do business with.

And, without the public scrutiny that disclosure attracts, there is little incentive for companies to take network security seriously, or to take the necessary, often costly, steps to prevent later attacks. According to a recent study from the Ponemon Institute, 79 per cent of internet cloud-computing companies dedicate less than 10 per cent of their resources to cyber-security.

What should we do about this in Canada? A few ideas have been floated. Some have pushed for more American-style class-action lawsuits based on such privacy breaches. In fact, Honda Canada was recently served with a $200 million class-action lawsuit arising from its own data breach. Others, like Canada’s Privacy Commissioner Jennifer Stoddart, have suggested imposing large fines on companies for cyber-security and data breaches.

These are not bad ideas, but without transparency they achieve little. Litigation is costly and time consuming, and often leads to secretive settlement without public benefit. Furthermore, after-the-fact punitive measures, either through litigation or government fines, can encourage companies to bury information about data breaches, or to downplay their scope.

Besides, no fine can be imposed, or investigation or lawsuit launched, if no one knows about a data security breach in the first place.

So, a strong data security breach disclosure law is an essential first step. In fact, the Canadian government’s own Bill C-29, which died in the last Parliament, proposed making disclosure of “material” data breaches mandatory. That legislation, however, was seriously flawed.

To begin with, it gave companies too much discretion in deciding what they had to report, as they were only required to report “material” data breaches that caused “systemic” issues. Under this law, then, Citigroup could arguably have concluded that its breach – the theft of data from some 360,000 accounts – was not a “material” breach, as it was a single breach and the vulnerability was subsequently patched. In other words, it was not a “systemic” issue, and so, under Bill C-29, Citigroup would not have been required to report it.

Bill C-29 also gave companies too much discretion with regard to the timing of security-breach reports, as it only required them to file a report once they had decided that a material breach had, in fact, occurred. This meant reporting could be delayed until a lengthy internal investigation had been carried out in order to make that determination.

Finally, other than court orders, Bill C-29 offered no additional penalties or new mechanisms to enforce disclosure rules.

A tougher approach is being debated in the United States. One bill called the “Safe Data Act”, which the Republicans recently tabled, would require companies to notify law enforcement within 48 hours of a data breach. If the breach was serious enough, the FTC, and any people affected, would also be notified. An even stronger Democratic bill, the “Personal Data Privacy and Security Act”, would require that all of the people whose information may have been stolen in a data breach be notified.

Unlike Canada’s Bill C-29, each of these U.S. proposals has separate sections creating new enforcement powers, including large statutory fines for violations (up to $5,000,000) and, in the Democratic legislation, even jail terms for those convicted of intentionally concealing a data breach.

The last Canadian proposals, which died with Bill C-29, lacked teeth, and gave companies too much discretion in deciding what situations required security-breach reports, as well as the timing of those reports. Now, the Canadian government has a clean slate, and knowledge of these tougher alternatives, with which to forge a more robust disclosure regime.

Cyber-security challenges, and the privacy, transparency, and data-retention issues they raise, are not going away, and the ideas offered here are far from comprehensive. But full disclosure, public scrutiny, and transparency are, without question, the foundation upon which more intelligent and comprehensive solutions will be built.

About the Author

Jon Penney is a lawyer and (currently) a Google Policy Fellow at the Citizen Lab. Before coming to the Lab, he spent time studying and researching at Oxford University, Columbia Law School, and Victoria University (Wellington), where he was a Senior Research Fellow and Lecturer in the law faculty.

A version of this article previously appeared in The Mark News