On Cybersecurity Fatalism
Have we turned a corner on corporate consumer data responsibility?
Irina Raicu is the director of the Internet Ethics program at the Markkula Center for Applied Ethics at Santa Clara University. Views are her own.
After the massive cybersecurity disaster at the credit-report firm Equifax recently became public, The Atlantic published an article titled “The Banality of the Equifax Breach.” In it, Ian Bogost argues that within the response to this incident “public shock was diluted by resignation,” and that the breach
“suggests that a corner has been turned in corporate consumer data responsibility. Like severe weather, breaches have become so frequent and severe that they can begin receding from prominence. No matter their grievous effects, Equifax’s response suggests that fatalism might replace responsibility, planning, and foresight. This is just what happens now.”
Is he right? Since the publication of that article, we have also found out that multiple class action lawsuits have been filed against Equifax; the FTC has opened an investigation into the incident; and, according to Reuters, Equifax shares “have lost 32 percent since the company disclosed the hack on Sept. 7.” Reuters also reports that “[n]early 40 states have joined a probe” of the company’s handling of the breach, and “Equifax’s chief executive, Richard Smith, is expected to testify on Oct. 3 before a House of Representatives panel.” From respected cybersecurity experts like Bruce Schneier, there are renewed calls for regulating the security practices of data brokers.
Yes, there have been a lot of other recent incidents that involved the leaking of vast amounts of consumers’ personal information online. This breach, though, is different. As a CNET article points out, “Companies like Target, Home Depot and Sony have offered free credit monitoring through Equifax after they suffered breaches, and Equifax is one of three major companies that monitor credit scores after data breaches. Equifax is offering its own credit-monitoring service to people affected by its own breach.” The depressing ridiculousness of this situation might yet shake people and organizations out of resignation, and force companies to acknowledge that the practice of offering free credit monitoring after data breaches is more than insufficient; in this case, it’s akin to trying to plug a leaky pipe by connecting it to another leaky one.
We can only hope that Bogost is right that “a corner has been turned in corporate consumer data responsibility,” but that the corner is not the one he identifies. Without cybersecurity there is no privacy; without privacy there is no autonomy, no creativity, no democracy. And even if loads of information have already been compromised, there are always new thoughts, new communications, and new bits of private data to protect. The opportunity to protect privacy presents itself anew every day. This is a time for fierce pushback, not fatalism.
Photo by portal gda, cropped, used under a Creative Commons license.