ETHICAL DISCLOSURE OF DATA BREACHES
Corey Todalen
WHAT IS A DATA BREACH?
• “The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”
WHAT DOES THE LAW SAY?
• All 50 states and associated territories have some form of breach notification law
• The U.S. currently doesn’t have any federal guidelines or laws
• California was the first to create legislation, in 2002
• The European Union enacted the E-Privacy Directive in 2009
FACEBOOK AND CAMBRIDGE ANALYTICA
• Cambridge Analytica leaked 87 million Facebook users’ data
• Data collected through a personality quiz app and the FB API
• One of several major controversies during the 2016 presidential election
• Facebook fined 500k euros due to new E.U. GDPR guidelines
EQUIFAX
• Breach lasted from May 2017 through July 2017
• Included SSNs, birthdates, home addresses, driver’s licenses, and credit card numbers
• Attack leveraged an unpatched vulnerability in the Apache Struts web framework
• In Feb. 2020 the U.S. D.O.J. indicted several ranking members of the Chinese military in association with the attack
TWITTER
• In 2018, 330 million users were notified that their passwords may have been compromised due to a flaw in Twitter’s password hashing algorithm
• In May 2019 Twitter was hacked again, this time losing location data and browser histories
• The 2019 hack was due to third-party cookies from a Twitter ad partner
CAPITAL ONE
• Breached in March 2019, leaking over 100 million customers’ data
• Customers weren’t notified until July 2019
• Included names, addresses, birthdates and financial data
• Leak stemmed from misconfigured AWS S3 buckets
CLINTON PRESIDENTIAL CAMPAIGN
• In June 2016 CrowdStrike released a report on the alleged DNC and Clinton campaign hack in early 2016
• Report revealed the attack originated from the Russian intelligence agency and its associated hacking group, Fancy Bear
• Attack used spearphishing tactics and Mimikatz to scope out the DNC network
• Also used X-Agent and X-Tunnel for data exfiltration
• Led to the indictment of 12 GRU officers in 2018
KANTIANISM
• First formulation
  • Not disclosing a breach is a lie by omission
  • Prompt disclosure is required by law
• Second formulation
  • Obligated to inform consumers of data compromise
  • Not doing so implies a lack of respect for customers, therefore using them as a means to an end
ACT UTILITARIANISM
• Prompt disclosure is the ethical move
• Implies the company is acting in good faith for the benefit of everyone, not just itself
• Not disclosing a breach fails the Utilitarian Calculus
RULE UTILITARIANISM
• In all 50 states prompt disclosure is required by law
• Informing the public of a breach should not be determined by pros and cons
• Disclosure should not be clouded by bias or any implied gain derived from keeping information from the public
VIRTUE ETHICS
• The ideal virtuous person would inform the public of a data breach
• Breaking a non-disclosure agreement when it is in the public’s best interest is considered virtuous
Thanks for coming to my talk.