Ethical positions in breach handling
06 November 2014
You can tell that a subject has matured when ethical considerations become part of 'business as usual' (BAU) activities. Where the 'human condition' is central to BAU, particularly in situations of heightened sensitivity, it is possible for ethical situations to rise to the very top of the agenda. Ask any doctor or surgeon and they will tell you the importance and impact of medical ethics; it is drummed into them from day one at med school. Not surprisingly, Codes of Ethics are paramount in other professions, like accountancy and law.
In data and cyber security breach situations that I handle, I am seeing increasing consideration being given to the ethical issues within the situation. Often this is expressed as a concern to 'do the right thing', and it involves a discussion that is fundamentally different in nature to the ones about doing the right thing for the immediate purposes of containment, recovery and mitigation. The latter discussion is conducted by reference to relatively clear benchmarks, hence it is fundamentally objective in nature. The ethical considerations are much more subjective, with the questions being 'what would people expect us to do?' and 'how will our decisions be judged in six months' time, in a year, or in five years?'
The emergence of ethical considerations within the aftermath of a serious security breach or data mishandling situation would seem to be an obvious development. Of course, it is obvious, once it is pointed out! But this is a new phenomenon. Two or three years ago questions of ethics were invisible in these cases. Indeed, when ethics did appear as issues, they were more like 'anti-ethics'. The 'anti-ethics' generally consisted of a focus on how to withhold news about incidents from the public and from the authorities. The desire for containment and a fear of unknown legal consequences often pushed organisations into situations where self-preservation overrode the wider ethical considerations. Even now, prominent lawyers from the US can be heard at industry conferences talking about how they have found very technical and highly nuanced legal arguments to help get clients around the immediate breach disclosure rules that apply over there.
Of course, it is always important to focus on the minutiae and the details within incident response, but that should not be at the cost of the bigger picture. And that is what ethics do. They remind you of the bigger picture, helping you to do the right thing in a way that can withstand durable scrutiny.
Returning to the example of breach disclosure and the question of giving notice to regulators and individuals, the narrow legalistic view would be that the Data Protection Act does not contain an express requirement for notice. Thus, in a narrow sense, that can provide a complete answer to the question 'should we be transparent?'. But how does an ethical view alter the situation? The answer might be that regardless of the legal detail within the legislation, the ethically correct thing to do is to give notice, perhaps based on the rationale that notice will reduce the risks of harms.
Thus, at this stage of the analysis the legal view and the ethical view deliver different responses.
But surely that can't be right? The law and ethics cannot deliver conflicting judgments on matters of fundamental importance? Surely the bigger picture requires convergence of results?
When these questions are posited, the picture starts to improve considerably. As you step back from the issues you see less of the separated pointillist dots and more of the harmonious landscape.
The bigger picture on breach disclosure gets you into the minds of the regulators and the judges. Unlike printed words in legislation, the people who oversee us and sit in judgment over us have ethical content and context. Yes, they listen to the technical legal argument, but they also apply a purposive approach to the interpretation of the law when that is required to deliver just results. Thus, they can take the view that the legally correct thing to do is the ethical one. At that point breach disclosure is seen as being part of the law, regardless of the narrow picture within the text of the Data Protection Act.
These points are not idle meanderings and musings. If you read the acres of regulatory guidance and the enforcement decisions issued by the Information Commissioner's Office you will find that their view of the law is influenced by the ethics surrounding breach disclosure. If you dig into the law of negligence, you will see very clear signposts to support the view that breach disclosure is already part of the law.
So in my view, organisations that take account of ethical considerations during incident response are the ones who are most likely to do the right thing on all of the issues, from forensics, to remediation and to law. And perhaps most importantly, these are the ones who will do the best for their customers, their business partners and for their brands and reputations. Ethics and breach handling go hand in hand.