
The 5 million euro question

Data security has traditionally been an abstract concept that only techies understood and lawyers talked about. You’d think that after the recent hack, in which sensitive data from half a million people was stolen, including their full name, address, and social service number (BSN), this would change. That does not seem to be happening anytime soon.

Let’s make the problem concrete. Anyone who has this data can impersonate that person. How big a problem is that? On the phone, many organizations ask for nothing more than a name, address, and date of birth. Official bodies also ask for (part of) the BSN before they are satisfied it is you. This allows criminals to take out subscriptions and loans in the person’s name and on their behalf. As a result, this person can be in debt without knowing it, until the bailiff shows up…

If the bank doesn’t check thoroughly, criminals can also open a bank account in the victim’s name, and then all hell breaks loose.

And this is even before phishing attacks are carried out on the person or those around them, using the medical data that was also in the database to mislead them and potentially multiply the damage.

And as a victim, there is nothing you can do to fix this. You can’t simply change your name and address, and a BSN (social service number) can’t be reissued. As an individual, you can do nothing about the theft, and you cannot do anything to defend yourself against the resulting damage either.

The potential damage per person could easily be ten thousand euros and could increase further. It’s therefore not unreasonable to demand at least ten thousand euros per person and use that money to, among other things, hire an agency that will monitor credit ratings for the rest of that person’s life to see if this data is misused for debts, loans, etc.

Multiply half a million victims by ten thousand euros in compensation, and you arrive at a damage figure of five billion euros! This suddenly makes the damage of a hack due to poor security tangible. It seems like Monopoly money, until your organization has to foot the bill!

And this is precisely why those techies got so angry that their requests for funding for better security were repeatedly rejected. They tried to protect your organization from this expense, but couldn’t convince you! Things that seemed so obvious to them sounded like Greek to management.

Managers who casually remarked that they were willing to take this risk had no idea what they were accepting. After all, how can the data in your database represent billions, or even “just” millions, in risk, and besides, what are the odds of it happening to us (in the time we’ve been here)?!

I hope these five billion are indeed awarded as compensation, also as a deterrent to the other information processors. Until that happens, most management teams will remain unimpressed.

Incidentally, I wouldn’t be surprised if those billions have to be paid by the same government that put the brakes on legislation for better computer security.

Prevention is therefore much cheaper than paying for something that can no longer be cured…

Are you looking for someone to discuss these risks and how to address them in an accessible way?
