It may not seem obvious, but calculating the severity of impact from any kind of breach of privacy is one of the most fundamental issues when it comes to privacy legislation. With nearly universal agreement that privacy is critically important yet elusive to uphold, the need for greater clarity on the underlying regulatory objectives and the specific ways to uphold it in the real world is increasing. ActiveCo has taken time to understand these regulations as they have been presented, while working with the government bodies involved to ensure our clients receive the proper consulting. Even then, there are still grey areas and unanswered questions, despite legislation being passed for businesses to adhere to.
The confusion comes in the definition of identity, which in turn determines the severity of a data breach (who is impacted and how). There will need to be approaches which can connect legally recognized online identities with individual people as well as the multiple personas they adopt in their daily lives. There is also a growing recognition that identity per se is not the issue (coming to a widespread agreement on what that means is just too difficult). Who you are at home, who you are at work, who you are in day-to-day interactions, and whether or not you share that information online (and how you present it) all call into question the idea of “identity”. It’s a confusing definition that even experts are having trouble grasping.
So how can a non-expert in the field of identity definition (a typical business owner, consumer, etc.) comply with legislation that does not itself settle the question?
It all comes down to how severe an attack on any aspect of one’s identity could be to them, or to any organization they have ties to or own. There is no room anymore for “I’ll cross that bridge when I come to it”; protective planning is required now, not later. Although most planning, legislation and policy creation is not about preventing data breaches, what matters more now is how you react to one. Do you have a plan in place?
The World Economic Forum, heavily embroiled in these tense conversations while cyberattacks continue unabated, states:
A starting point begins with asking: What is the intended impact of using data? How severe is that impact? How likely is it to occur? Who holds the risk? In pursuing this analysis it is also important to differentiate between threats in the stewardship of data and the associated benefits or harms they could create. This provides a way to organize threats (i.e. security breaches, loss of confidentiality, inappropriate usage or inappropriate access) and classes of harms. Some harms are tangible (loss of life, freedom of movement, property theft and physical injury) and some are intangible (such as restrictions on personal expression, social anxieties, emotional distress and reputational damages). The scale of the potential impact and who holds the risk also need to be addressed. Is the anticipated impact intended for a particular individual, a community or is it societal?
Trying to answer these philosophical questions can make it extremely difficult to agree on a definition of “risk”, or on where a given cybersecurity breach falls on the scale of “severity”. In a way, it all comes down to how you perceive the outcome, and that point of view can swing to extremes depending on who you’re asking (and even who’s doing the asking).
So where does this leave us? Struggling to come to a universal definition. Severity + Likelihood = Level of risk is a simple equation until you add a multitude of human perspectives into it; then definitions grow wide and decisions become few and far between. This has not, however, stopped legislation such as the EU’s “GDPR” and Canada’s “Breach of Security Safeguard Regulations” from being adopted. Businesses are required to do their best with the rules and guidelines provided, and sifting through that information can be daunting, let alone knowing what steps to take to pursue compliance.