Breached! Why Data Security Law Fails and How to Improve It


Book written by Daniel J. Solove and Woodrow Hartzog

Book review by Ben Smith

Bottom Line

I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.

Can any of us remember a week that did not bring a story about a new data breach or cyberattack? As the attack surface each of us lives within keeps expanding, sometimes in surprising ways, governments are trying to keep up in order to protect both citizens and businesses. "Trying" is the operative word here: it feels like a race in which the good guys are consistently falling further and further behind the bad guys.

Why is that? "Breached! Why Data Security Law Fails and How to Improve It" brings together two academics, very well-known in the privacy and data security space, in an attempt to address this policy question. And the bottom line is this: laws and regulations which are focused only on outcomes and not root causes will fail to achieve their intended goals, much as they are failing today with our current data security laws.

Some of the key concepts found in this book which underline this challenge:

"Breaches are the product of many actors — it takes a village to create a breach." And that village is the data ecosystem which sources, moves, stores, secures and acts on the data that every organization needs to survive. This data ecosystem is all around us, like water surrounds a fish, even if we do not recognize its presence. The authors group key actors/roles within the data ecosystem to make their presence clear: Designers (of insecure devices and software), Distributors (who fail to vet insecure apps being served on their platform), Amplifiers (who vacuum up and aggregate personal data as a business model), Facilitators (who create vulnerabilities by demanding special access or back doors), Exploiters (who weaponize vulnerabilities and fail to report or warn others) and Miseducators (who undermine security hygiene efforts). Without recognizing these systemic contributors to the problem of data breaches, it is virtually assured that the quantity and scope of future data breaches will continue to increase.

"Because of the lack of incentives, better security is often not engineered into products even when it would have been easy and inexpensive to do so." Incentives are ultimately the root of all behaviors, both positive and negative. In the context of breaches, incentives from customers, markets, and governments (through regulations and laws) collectively drive vendor behavior and the decisions vendors make when delivering new products and services. It's no surprise that a focus on features and functionality, combined with a first-to-market mentality, may relegate security to a secondary (or worse) goal. All of these decisions are made within the data ecosystem, where too frequently it's the nominal victim (the entity that was attacked) who is blamed for a breach. And don't overlook the true victims of most of these breaches: the individual customers of the breached entity, for whom "a free year of credit monitoring" is in no way an acceptable outcome. Think about how much further along we would be today if every new product were confirmed (reviewed? validated? certified?) as secure for the purpose(s) for which it was created. Dropping that confirmed-at-launch-as-secure product into the data ecosystem may not fully prevent a later compromise downstream, but it would cut out a lot of the noise and finger-pointing present in the system today. The great investor and master of mental models Charlie Munger said it best: "Show me the incentives and I will show you the outcome."

"Good data security involves determining the appropriate level of risk." Another important reminder to us all that security is a subset of a larger risk management world. And when we decide to spend money on one security solution over another, there is (should be!) a holistic assessment of the cost of addressing risks: a balancing act. It's the old "you don't spend $100 on a fence to secure a single $5 horse" argument. But throw several dozen horses into that enclosure, and then you have a cost equation that makes more sense. Our current legal approach doesn't provide enough focus on risks introduced or exacerbated by upstream members of the data ecosystem. This is another example of how today's technology is outstripping laws which may no longer be appropriate or even relevant given their legacy goals.

This is a very readable and relevant book, but not one that rises to the level of a recommendation for the Cybersecurity Canon Hall of Fame, which seeks to identify books that if left unread "will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete." This strong book is more narrowly targeted as a policy resource and thus most appropriate for governments, regulators, legislators and some practitioners to consume. But there are several other audiences who will benefit, including anyone (technical or otherwise) involved in the breach response process for a company, anyone who is looking for ideas on how to balance data security requirements with privacy concerns, and perhaps most broadly, anyone seeking to build better bridges between information security and risk management.