I’ve noticed a bit of a trend in some recent comments I’ve received on my blog that amount to this: people who have personal information exposed in data breaches are stupid for entering legitimate details into the website. The rationale is that we must expect sites to be breached and therefore not trust them with anything. Failing to provide fictitious information is, apparently, “foolish”.
The most recent example of this was in a comment on my piece about VTech’s revised terms and conditions which set the following outlandish expectation:
YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES
Like the commenter on that post, VTech seems to be taking the position that breaches are just something that happens and that it’s the consumer who should ultimately take responsibility for protecting their data. In the wake of the extensive media coverage the above blog post got, VTech defended its position by saying that "No company that operates online can provide a 100 percent guarantee that it won't be hacked".
But consumers aren’t looking for a guarantee, and they’re rarely going to read the terms and conditions before “agreeing” to them anyway. They want online businesses that don’t just say “we take security seriously” after they’ve been compromised, but actually take it seriously before they are. In fact, I’d say it’s not even something people consciously think about; it’s just an implicit expectation: don’t lose my data.
In my view, this expectation is perfectly reasonable; consumers should be able to enter their legitimate contact details into a registration form or their kids’ names into an online game without expecting that data to end up in the public domain. Certainly there are practices which can put people at undue risk and should be avoided (photos of “intimate moments”, for example), but faking basic personal data isn’t one of them. Very often this information is needed for warranties, support or communication with other members of the platform, and consumers have a right to expect it to remain secure.
Fortunately, moves are afoot to hold organisations more accountable for such egregious oversights as VTech’s. There was a good post just yesterday on the General Data Protection Regulation in the EU which, when it comes into effect in a couple of years, could see incidents like VTech’s costing them €20,000,000. Further to that, and since the coverage of VTech’s revised T&Cs, the UK’s data watchdog has also quite explicitly said that the new clause “would not absolve it of liability in the case of future hack attacks”, which is good news for both common sense and consumer protection alike.
When you start descending into blaming the users themselves in the wake of a data breach, you’ve completely lost sight of the problem. You’ve gone so far down the path of accepting that data breaches are the new normal that the blame is misdirected not at the culprit, but at the victim. Whether this is the organisation attempting to absolve themselves of responsibility or the peanut gallery accusing victims of being reckless, it’s a sure sign that they’ve totally lost the plot.