Is there a reason why we can't have strict liability laws for data breaches? Seems like every time companies get off because proving negligence or damages is too hard. If you get hacked, you should pay $x per affected individual. No more "we did our best, but it was a Sophisticated Attack™ carried out by a nation state/APT, so plz don't fine us". Imagine if companies could use this logic if they lost physical goods. eg. if a bank got robbed, they shouldn't be able to say "well they were a really sophisticated crew of bank robbers, so there goes your deposit!".
This would be awesome since companies were suddenly incentivised to keep personal data to a minimum. Instead of having idiots in government that complain about what plebs post online and want to hold companies responsible for it, this would actually be sensible legislation.
I would only apply it to business models that directly monetize consumer data though, because there are no technological means to guarantee complete security. A fact more people calling themselves computer scientists should make more clear in my opinion. But if you want to monetize data, you have the responsibility to keep it safe.
Would have severe consequences for funding of some sites, but I think it would seriously be worth it.
One of the problems with this idea is, that you can do your due diligience, use state of the art security, and still lose.
Also liability is interesting: According to [1] banks are not liable for contents of lockers. According to [2] banks might be liable for ATM robberies though, if there is not a resonable amount of security (camera, lighting, ...). It's quite an interesting topic.
There are also quite a few followup questions: Does a company that had a databreach have recourse against the software vendors? Are open source developers liable when there was a bug leading to a databreach? (I assume "no liability" licencese might be void in this case?) Is an social engineered or phished employee personally liable?
It might have far reaching consequences, and it's interesting to think about them.
That's actually one of the features of CCPA. If there's a data breach, the company can be sued by each affected individual for $100-$750.
This is entirely separate from strict liability, though. The main issue is damages. Even if a company is strictly liable, they are only liable for the dollar value of damages caused by the data breach. And your data privacy has a dollar value of zero dollars until a law like CCPA says otherwise.
Under current legal theory, if your data is stolen, you can sue a company for the cost of identity theft that is provably caused by that data breach. But if you are not the victim of identity theft (or if you are, but can't connect that to the data breach in a court of law), then you don't have damages. A company has nothing to fear from strict liability if they are liable for zero damages.
tl;dr CCPA addresses severe problem in the existing system.
According to [1], one of the requirements for statutory damages is negligence. (The other two are very narrow definitions of private data and that it must be nonencrypted and nonredacted)
> “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
>I think a shift toward identity as a service is underway for the market to solve this. Auth0 and the like are offering a solution.
How does auth0 solve this? This isn't about your email or passwords getting leaked. This is about your lab test results (eg. HIV, herpes, etc.) getting leaked.
Not sure how there is no government oversight for handling of sensitive data in the first place. I get that we have a "Privacy Commissioner of Canada". But this sort of thing should almost never happen.
Also, how the heck can a privately owned company that deliberately mishandled data (let's be honest here - instead of paying legal fees to fight in court, you could be, I don't know, tightning up your NetSec?) overrule a federally mandated officer?
Basically the government keeps asking for more centralization, they do it every year. Each year the privacy people in the actual custodians of these data get more and more demoralized, and replaced with yes men.
Write to your MP. Not that they will do anything - Maybe you'll be luckier than me and wont get a canned response about how they are "working hard to stop this" without taking action.
I occasionally do - and there are times where I do get a response back.
I'm considering registering myself as a lobbyist so that I can have more of a face to face contact with councillors in my city, and actually push for more change.
Because right now, if people in tech aren't advocating for better security practices...we're going to doom ourselves by standing by and not doing anything at all.
Canadian here. This lifelabs breach is a national travesty. Compared to the ruckus the opposition made for the We charity situation, why are they not after these guys? This really disgusts me about our political system today .. if you can score points against your opposition, go full-on guns blazing. If it actually is of consequence to citizens, meh.
For context ... the lifelabs folks do labs/diagnostics for a huge part of the country .. and they had a data breach where some private data was lost. That's half of Canada, eh.
Wait that whole billion dollar ethical possible crimminal situation that the government created on their own makes you made you angry at the opposition (left / right / french / green)?
You don't think it's of any consequence to citzens? You think they are causing an unnecessary ruckus?
What part of Canada are you from? Is that you Justin?
All levels of the Canadian govt have done a reasonable job during the pandemic when a bulk of the world has faltered. I'm not a fan of all the fiscal stimulus (top tax bracket) but I understand why it is being done. There is a concept called Helicopter money that some economists have proposed. You may want to look into that.
I'm in Ontario btw and don't see the need for a personal attack in your comment.
Another Canadian here... We have a seldom understood issue in Canada about representation. I'm hopeful that this will change. https://nationalcitizensassembly.ca/
The cost of litigating to suppress details could be less than the cost of LifeLabs potential exposure to a class action suit because of what could potentially be construed as negligence in their IT security practices. They're not just psycho jerks for fighting it, it could just be part of their fiduciary duty.
The risk to them is, IMO, the standard of security and privacy governance within the public sector is much higher than pretty much any other institution I've seen, so in comparison, showing that a private company did not meet that standard would be trivial. However, the question of what kind of diligence was done on the original contract (or not) could blow up, since every mandatory risk assessment (if completed) done on it would have raised this breach possibility and recommended controls to mitigate it.
I was livid when I read about the breach as it's precisely the kind of incident every single security and privacy analyst who has ever advised the public service has used as a baseline scenario. It fell out of the news cycle I think because it was so bad it crossed the line into discrediting institutions, which isn't done in mainstream Canada.
The party in power whose minister approved this contract has been out of power for 3+ years, so politically for them it's just wastewater under the bridge, but as a legacy, this breach was in the realm of worst case scenario. For the sake of popular trust in the health system in general, the root cause analysis should be seen through.
As a Canadian, I find this disgraceful. This data breach poses a significant and life-long financial risk to all those impacted. For example, insurance companies could obtain this data and use it to increase premiums for individuals they deem to have higher risk due to the data from their blood tests.
LifeLabs needs to be held accountable and the courts should make an example out of them, and send a clear message to other companies that hoard personal data.
Corporations need to consider personal data as a liability, not an asset.
Reminds me of a small privacy issue with many Canadian institutes: a lot of medical institutions and facilities use google maps or google fonts. This sort of reveals to google that a user with a certain ip address is visiting a certain site related to <private medical issue>
I lost a few points but it was a genuine question. Does the PM just walk into a lab with a requisition and get blood work or does he have a private doctor and private lab do it. As the PM I would assume his medical results would be of interest to some people and as a Canadian genuinely have no idea how he manages his affairs. It would be interesting to learn more about how he keeps his affairs private.
He comes from an important political family, but he hasn't been Prime Minister for his whole life. There's a fair chance that LifeLabs has handled his data at some point.
