Data leaks are sadly quite frequent, and I always found that affected companies were little to no disturbed by them. Most of the time, they make some PR announcements, ask users to change their passwords, and that’s it. From time to time, a tech giant gets a fine, but this is pretty rare. I find this system unfair since they are not held accountable for their misbehaving.
I’ve been thinking of an accountability system for tech companies and their security for quite some time now. It was only a thought, but it became more tangible in the last few months. The previous few weeks pushed me to write this article. The twitch data leak made me think that there is no better time to discuss this subject.
It’s Users Fault
Quite often, in cases of a data leak, the discussion focus on how the users have bad passwords or use the same across many websites. All that is fair, there is a severe lack of education regarding basic computer security, but that should not be the focus of the discussion at that time.
Suppose we know how weak some passwords are because the data was leaked in the first place. On rare occasions, a weak password could lead to an attack again. Who is responsible, the user for its weak password or the website for lacking basic security measures?
In my opinion, whatever the user’s password is, the responsibility still comes to the website. Is the password too small? Password not containing special characters? That’s still to the website to enforce rules, so users are safe.
Instead of looking at the users, we should focus on the company.
When in Reality it’s the Company
As I said before, we know that users have bad passwords because the data was leaked. The security measures put in place were compromised, and someone was able to access the data. There are no cases where the company is not responsible for the leak.
Did they find a vulnerability in one of the tools used? Did they use a weak password to get access to an administrator interface? Did they use social engineering to trick one of the employees? Did they have access to a database that wasn’t protected? All those reasons still come down to the company and its processes. They made a mistake at some point.
The Marriott hotels had two catastrophic data breaches, one in 2018 and one in 2020. The first one affected approximately 500 million users (there might be many duplicates), and the company didn’t tell much about what caused the issue. Marriott’s response was not great, and they focused on reassuring the shareholders that the measure would be taken and long-term profits would not be jeopardized. It doesn’t seem that the company took the matter seriously since they announced a new 5.2 million data breach in March 2020. Marriott was fined £18.4 million ($25 million) for the breach of 2018. The same year, the company announced a $20.758 billion revenue making the fine look ridiculous.
How to make them accountable
The Marriott response to the data leak of 2018 was lackluster. They made a statement, created a website to see if their data was leaked, and reassured shareholders. It didn’t affect the company much, and business went back to normal pretty rapidly. Besides, the fine was pretty low, considering the amount of data leaked and company revenue. From an outside point of view, it seems that the company didn’t suffer much from this issue.
Having a secure IT architecture is way more expensive than the companies’ fine, and it’s an issue. Of course, the goal is not to make the company file bankruptcy or to jeopardize its future. However, there is a difference between making the fine big enough and risking the company's future. Hence, the company considers implementing changes and having a meager fine that doesn’t dent the annual revenue.
Progressive Fine System
A fine is a way to make people accountable for their actions, but they don't encourage better behavior. This is why my proposed system includes a base fine, but it could be reduced if the company wants to improve and fix its issues.
There are several factors to consider when calculating the fine. Some aspects have a positive impact on the final result, while others increase the amount.
A base amount must be established, which can be calculated by multiplying the number of affected accounts by a percentage of the previous year’s business income. This value would be the base, and other parameters will impact the results.
Type of Leaked Data
The first influencing factor is the type of leaked data. Some data is more sensitive than others, and its leakage will impact the fine. The GDPR doesn’t provide a classification of the data. Still, they have a list of sensitive data that are the following: race, ethnicity, political views, religion, spiritual or philosophical beliefs, biometric data for ID purposes, health data, sex life data, sexual orientation, and genetic data. Those data are the ones that would affect the fine the worst since they are very personal.
While data type is essential, it’s also critical to assess the current state of the company's IT infrastructure. Bad practices and lacks of governance would have a worsening effect on the fine. Many aspects can be considered at this stage since it can include technological and human factors. Did one employee have access to ways more data they should have? Are sensitive data stored in a public database? Is the component updated with the latest security patches? A third party should audit the whole IT of the company, and their report will influence the rate.
Last factor, more subjective since it measures the response of the company. Did the company promptly disclose the leak and take appropriate measures (password reset, shut part of the affected system, assist users in improving their security). The goal here is to force companies to take action when users are the most vulnerable and take responsibility for their issues.
This factor could be the most influential one since it could encourage companies to improve their processes. Getting an ISO 27:0001 certification is a great way to reassure customers. It’s possible that the cost of the accreditation could be deducted from the fine, so businesses are encouraged to do so. I don’t think a financial fine is interesting in any context. It’s a way for wealthy individuals to break the law. Punishment is still required and can be a learning exercise, but stimulating people to do better will lead to more results. That’s why this last point is essential, it can penalize companies that don’t care, but it also encourages firms to improve themselves by reducing their fines.
Limitation of the System
The rudimentary system described before is far from perfect and has many limitations. The goal was to express my idea of an ideal system where IT companies are held accountable for their actions, as it’s the case for most other iI’lltries. I’ll address some limitations I see with the system to discuss some potential solutions.
Who Should Handle the Investigation
Since IT is global and every country has different legislation, the first question is defining who will lead the investigation. This process already exists in other industries where state and continental agencies are responsible for recalling a product if it’s faulty. The same should apply to IT if the company is based in the EU would be led by the EU. A collaboration between state and continental agencies is required to make sure that the process follows the guidelines.
Ideally, this should work, but I can see countries not too keen to collaborate or openly share data. An intergovernmental organization could be required to ensure efficient collaboration. Countries members of this organization would openly share the information. I’m not aware of such an organization that handles those cases. Maybe the UN’s Office of Information and Communications Technology (OICT) is a great candidate.
To Whom Should the Companies Pay?
That’s another critical point complicated by the global nature of the web. If a global IGO is created, the money should be trickled down to every member state. The amount is distributed according to the number of users affected by the country. That’s how the GDPR fine system currently works, and it’s a great way to handle the issue. Besides, I think that users should receive a part of the money. Once the country gets the money, affected users can claim a part of it and receive it.
Which companies are affected?
Officially the system should affect all companies, regardless of the revenue or the size. Sadly, investigating every data leak is not feasible. It will require too many people and money. This is why only the most significant data leaks should be targeted, the one with more than, for example,100’0000 users affected.
The three most critical issues have been discussed. There still are a thousand problems that could be answered, but it’s out of the scope of this article. However, there are still some matters that I want to address quickly.
- Time to audit: auditing a company is tedious and can take many months. That’s not a concern since the investigation led by the IGO will also be extensive and can take years to accomplish.
- Legacy programs: it’s not rare that an essential component of an IT architecture is ancient and impossible to upgrade (either technically or financially). The fine system should take this into account and see how the system was protected. Besides, the fine could be reduced if the company wants to upgrade or change the legacy system.
Tech companies and services are an exciting industry. They enjoy lacking legislation and are often not disturbed when something terrible happens to them. No other industry (as far as I can think of) benefits from this level of liberty. Yes, legislation change and politics take time to adapt to new problems, but the difference is too slow, and some governments are crucially lacking in education in this area.
The proposed system of this article is, in my opinion, required as it makes companies accountable for their misbehaving. The fine is not capped and can seriously alter a company's future if they either don’t build a secure system or don’t want to improve their IT in the future. I’m well aware that it’s rudimentary and unlikely to see a future, but I wanted to shed light on an industry with too much privilege.
The same kind of legislation exists in other sectors, and it’s time to extend this to the web. I bet that not many people would fly a plane if no ruling ruled the aeronautics industry. On the other hand, everyone surfs the internet without a parachute and without seeing the danger that this can have.