The Forum on Cyber Resilience of the National Academies of Sciences, Engineering, and Medicine hosted a Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions. The meeting was held on January 12, 2016, in Washington, D.C.
The workshop featured nine speakers addressing a broad range of perspectives on data breaches: empirical, consumer, and data holders’ perspectives and legal and policy perspectives. Distinguished scholars, lawyers, consumer advocates, and industry executives contributed their varied expertise to help draw out key themes and examples and to offer their views on response mechanisms for mitigating harm when data breaches occur.
Cross-cutting themes that emerged throughout the day and were discussed in the concluding plenary session include the following: defining harm; data breach analysis and the need for a feedback loop, so that lessons from aftermath and remediation help prevent future breaches; data breach remediation itself; and possible mechanisms for future change.
The meeting was open to the public. This proceedings was created from the presenters’ slides, notes, and a full transcript of the workshop. The proceedings thus serves as a public record of the workshop presentations and discussions. Individuals’ affiliations are provided for identification purposes only.
Fred B. Schneider, Ph.D., the Samuel B. Eckert Professor of Computer Science at Cornell University and Chair of the Forum on Cyber Resilience, opened the workshop. He began with an emphasis on the word “resilience,” which was deliberately chosen to reflect the broad goals of the Forum on Cyber Resilience. In addition to typical aspects of information technology, such as security, reliability, and usability, resilience also encompasses social aspects, such as policy, regulation, and economics. By framing the workshop in this context, Schneider underscored the workshop’s broad aim to understand the wide range of potential harms from data breaches and its intention to take a holistic look at how we can build resilience in the face of increasingly large, frequent breaches.
Schneider noted that historically, data breaches have been mostly seen as a threat that leaves people open to personal identity theft; as such, remedies focus on addressing that specific risk. But data breach harms can be more nebulous, and sometimes far more dangerous, than that. He observed that recent breaches on the dating site Ashley Madison, or the U.S. government’s Office of Personnel Management, or the toy company VTech, prove that more than just financial loss is at stake: the harms from data breaches extend into the realms of personal reputations, national security, and even the safety of children.
It is clear that credit monitoring, currently the main remediation for data breaches, has become an inadequate remedy, Schneider said. The question now is what would be appropriate. Schneider said that proper remediation cannot be determined until the wide range of possible harms, from financial to national security to psychological, is understood. Once the harms are identified, he noted, the next step would be to incentivize data holders to anticipate, and mitigate, the risk of harm from future data breaches. He referred attendees to a short document that provided some context-setting material and discussion questions for the workshop (reproduced in the box on the following page).
Having this discussion in Washington, D.C., Schneider noted, is a useful reminder of who has the power to facilitate the types of changes workshop participants are discussing, researching, and advocating. Schneider expressed his hope that the workshop and discussions can have an impact on policy makers and power brokers beyond its participants.