Who’s Responsible for the Death of Privacy?


In the last 40 years, the industrialized world has become reliant on interconnected technologies, with nearly all communication now accomplished through email, cellular phones, and various messaging systems. Additionally, nearly all records — from the critical to the mundane — are stored in connected environments not controlled by those who routinely entrust their data to others. Unsurprisingly, data breaches resulting in the loss of privacy have become ubiquitous, with few adults in modern societies untouched by at least some compromise.

Concluding that, by 2019, nearly every American had likely already been compromised, a professor at the University of Notre Dame’s Mendoza School of Business recommended the radical move of publishing everyone’s Social Security number, so that organizations would stop treating that once sacred piece of personally identifiable information (PII) as a valid form of authentication.[1]

With all the reports showing the growing threat of data compromise, surely companies are doing a better job of protecting data and preventing and responding to data breaches, right? Well…not really. With the Identity Theft Resource Center reporting a 68% jump in data breaches over one year — and a 24% increase over the previous record, set in 2017 — things do not appear to be getting better.[2] Adding to that, according to IBM and the Ponemon Institute, it now takes an average of 287 days for security teams to identify and contain a data breach.[3] This marks the fourth straight year that number has grown; it now takes 30 days longer to identify and contain a breach than it did in 2017, according to IBM.[4] More breaches, each taking longer to detect and contain, is not a recipe for maintaining privacy.

Have we improved in motivation for increased security?

In a free market economy, for-profit companies are unlikely to spend on things that don’t generate revenue until forced to do so. With that in mind, the three threats that have typically driven effort and funding for security are:

  1. Defending against something that damages the ability to deliver products or services.
  2. Defending against something that damages a company brand or reputation.
  3. Defending against something that causes legal trouble and financial consequences (fines).

However, years into data collection on security breaches, some interesting trends are developing. While many polls suggest that up to 81% of consumers would stop doing business with companies that reported a data breach,[5][6][7][8][9] those surveys don’t reflect the business data before and after some of the largest and well-known breaches of the last handful of years. (See Figure 1 below)

Figure 1

So, why the discrepancy between what people say in surveys and the bottom line of compromised companies? Perhaps respondents want to be thought of as brave and principled when the reality is that they are primarily motivated by convenience…or don’t even know about most breaches so they continue to patronize companies that have been compromised. It’s also possible that some surveys – which are often conducted by vendors who benefit from results showing that breaches increase the risk of companies losing business – are not entirely trustworthy. One can only speculate. But the data itself reveals that, in many cases, companies can weather a breach and continue to prosper. In some cases, they can even delay paying significant fines for years, further diminishing the deterrence of such actions.

Do fines work?

While breaches don’t seem to result in significant consequences from losing customers or revenue — at least for very large and established companies — surely fines are forcing companies to consider better security practices, right? Well…again…not really. According to CSO Online, twenty-three companies combined to pay nearly $1.3B in fines over the last decade in response to hacks and data thefts.[12] None of those fines amounted to more than a small fraction of the annual revenue of the companies and, in more than one case, the same company was fined repeatedly. No company on the list saw a significant drop in revenue or customer count except for Yahoo, which was already struggling before being acquired, written off, and relaunched.

The General Data Protection Regulation (GDPR) took effect in 2018 with high hopes of bringing serious consequences for companies that failed to protect data and privacy. In three years, the law has produced 596 fines totaling 278,549,188 euros, with wide discrepancies in how it is enforced. Most tellingly, the authorities tasked with assessing fines have struggled to resolve even 5% of the cases against some of the largest U.S.-based technology companies.

Are users more diligent about privacy?

If fear of losing revenue or customers due to changes in spending patterns isn’t a large motivator for improving security — and fines for suffering large data breaches aren’t significant enough to impact large companies’ bottom line — then what about users themselves? Are we seeing any improvement in how the average person protects their data or an increase in their concerns for privacy? Unfortunately, data regarding user behavior and attitudes around privacy and security is not encouraging.

A late 2021 report from the National Cybersecurity Alliance – which polled 2,000 individuals across the U.S. and U.K. – revealed that fewer than half of the respondents employed the most basic security practices for password creation and use. Within that same group, 48% had “never heard of MFA.”[13] Perhaps more important than that lack of security awareness is the change in social norms over the past few generations. According to a 2019 survey of U.S. mobile users, Millennial and Gen Z users were markedly less concerned about privacy than their Gen X and Baby Boomer counterparts: 47% of Baby Boomers were “very concerned” about privacy, compared to only 28% of Gen Z.[14] Furthermore, a 2020 survey found that nearly 20% of Gen Z respondents actually did not want more privacy online.[15] And while the same survey suggested that age may matter more than generation – meaning that Gen Z could grow to have the same feelings about privacy that Gen X has today – the explosion of social media may make that realization moot by the time Gen Z reaches 35+ years old. Even if youthful ignorance is overcome by maturity, as it has been for most of us, it probably won’t matter this time. Once compromised, whether through a breach or willful sharing, most data is effectively public forever. Maturity may lead to regret, but it won’t put the genie back in the bottle.

The combination of extreme reliance on third-party technologies, relatively light consequences for security failures, and decreasing privacy and security concerns among younger generations leads to a logical conclusion: privacy is effectively dead, and we’re all partly responsible for its demise.

What do we do now?

If privacy is dead, which admittedly remains a debate for most people, what comes next? Do we just give up? As a proud Gen Xer, I don’t recommend that route. Even if we accept it as a known fact that our PII has been exposed repeatedly, we should still monitor for activity that could cause harm from previous compromises and take precautions to reduce the risk of future ones.

Here are some recommendations to consider:

Managing risk from past data compromises

  • Employ a service to monitor credit and look for references to PII in underground cybercrime forums, but DO NOT attempt to go into the cybercrime underground unless trained in tradecraft and Operational Security (OPSEC).
    1. In many cases, victims of previous breaches are eligible for limited – if not lifetime – monitoring from named vendors.
  • Change every password that may have been exposed, and make each one unique to its account. A fixed rotation schedule adds little on its own (current NIST SP 800-63B guidance is to change a password when there is evidence of compromise rather than on a timer), but a known breach is exactly that evidence.
    1. A strong password is at least 12-15 characters long; length does more for strength than composition rules, but where a site enforces them, include at least two each of capital letters, lower-case letters, numbers, and symbols.
    2. Use one of the many password management tools, which removes the excuse that memorizing dozens (or hundreds) of complex credentials is too hard; a manager can also generate random passwords for you.
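As an added example (not code from the original post or from ZeroFox), the following Python shows what a password manager does when it generates a credential meeting the rule above: it draws every character from a cryptographically secure source, guarantees the class rule, and can check any candidate against the policy. The symbol set, the 12-character floor and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes behind the page's rule (the symbol set is an assumption
# chosen for illustration; sites differ on which symbols they accept).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())
MIN_LENGTH = 12      # lower end of the page's 12-15 character recommendation
MIN_PER_CLASS = 2    # the page's rule: at least two characters of each class


def class_counts(password: str) -> dict:
    """Return how many characters of each class appear in the password."""
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        for name, alphabet in CLASSES.items():
            if ch in alphabet:
                counts[name] += 1
                break
    return counts


def meets_policy(password: str,
                 min_length: int = MIN_LENGTH,
                 min_per_class: int = MIN_PER_CLASS) -> bool:
    """True if the password is long enough and has min_per_class of every class."""
    if len(password) < min_length:
        return False
    return all(n >= min_per_class for n in class_counts(password).values())


def generate_password(length: int = 16) -> str:
    """Generate a password that satisfies meets_policy().

    Every draw uses the secrets module (a CSPRNG); random.choice/shuffle would
    be predictable. MIN_PER_CLASS characters are taken from each class first so
    the policy is guaranteed, the remainder from the whole alphabet, and the
    result is shuffled with a Fisher-Yates pass driven by secrets.randbelow so
    the guaranteed characters do not always sit at the front.
    """
    if length < MIN_PER_CLASS * len(CLASSES):
        raise ValueError("length too short to hold two of every class")
    chars = []
    for alphabet in CLASSES.values():
        chars.extend(secrets.choice(alphabet) for _ in range(MIN_PER_CLASS))
    chars.extend(secrets.choice(ALPHABET) for _ in range(length - len(chars)))
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on entropy for a uniformly random password of this length.

    The class guarantee in generate_password() excludes a few candidates, so
    its true entropy is marginally lower; length is still what moves the number.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw), round(entropy_bits(16), 1))
```

The entropy figure is the reason the caveat above favors length: adding four characters to a 16-character password from this 90-symbol alphabet adds about 26 bits, far more than any composition rule contributes.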

Preventing future data compromises

  • Maintain strict personal behaviors on ALL social media.
    1. Update privacy settings to limit threat actors’ unauthorized access to personal information that can be fed into social engineering campaigns.
      • Family structure, pets, work information, education, clubs, hobbies, and geography are all bits of information that can be stitched together to create an angle for approaching a target for social engineering.
    2. Don’t share PII with anyone that isn’t vetted and validated; never publicly.
  • Use Virtual Private Network (VPN) technologies.[16]
  • Use browser isolation.[17]
  • Use a secure email provider[18] and segment email usage by account (e.g., business on one account, personal on another, “burner” accounts, etc.).
