SDGs by 2030 – are we on track?
Building trust in digital infrastructure
All of us have a digital self, an online persona who engages with the cyber world.
Even those without internet access often have a digital identity created for them by a third party. You could live in a village without electricity, for example, but if you’ve received assistance from a Non-Governmental Organisation (NGO), that organisation has likely created a digital record for you.
Nowhere in the Sustainable Development Goal (SDG) manifesto is the term ‘digital’ used. Yet in aiming to achieve Target 9.1 – quality, reliable, sustainable and resilient infrastructure – we must ensure the world’s digital infrastructure can also uphold these qualities.
Often our dealings with banks, the tax department, airlines, even something as innocuous as buying a sandwich at our local café, requires us to hand over phenomenal amounts of digitised personal information. Increasingly, our data is held by third parties standing between us and the actual service provider: when booking an appointment with a doctor we can be obliged to do so via an organisation that is not a medical facility, but which demands all manner of deeply personal information, including a summary of our health concerns. How securely is this information held, for how long, and ultimately, by whom?
I research how organisations can strengthen their data related communication to help ensure individuals’ information can be rendered more resilient against theft, misuse, and exploitation by bad actors.
Cybersecurity is now a major infrastructure challenge for every organisation. Small business and NGOs are particularly weak portals, often lacking sufficient resources to install resilient systems, whilst at the same time dealing with the most vulnerable members of our community.
As customers, consumers, or unwilling cyber participants, we are all at risk of a data breach. Generally, there is an asymmetry in the power relations between individuals and the organisations demanding our personal information.
Our research is looking at two changes that would improve the security of data infrastructure. These focus on the issue of appropriate disclosure with the aim of facilitating public conversations that elevate people’s sense of safety and participation. A well-designed disclosure regime is also likely to encourage improved data practices as organisations work to maintain trust.
The first improvement would be to mandate annual public disclosure of data breaches and digital risks. This annual digital health check would contribute to a historical repository, serving as a central portal of information that all organisations could reference for self-assessment.
The second improvement would require hacked organisations to inform their customers precisely which of their personal information has been breached, enabling individuals to take appropriate remedial actions. Currently individuals are at the mercy of the organisations regarding the information shared with them about the cyber breach. This includes whether or not the breach reaches the legal threshold that requires individuals be informed if the information used to establish their digital identity has been stolen.
We need to move to a situation where once an organisation has verified a person’s identity, that information is wiped from the organisation’s database. This will limit the amount of information available to criminal networks and hence their ability to identify (and exploit) individuals. A legislated limit on the length of time organisations can hold identification data will also help reduce the amount of personal information that can be stolen by bad actors.
The primary means of improving infrastructure resilience is via legislation. Governments must compel organisations to deal more robustly with our data. That includes requiring organisations practice good digital hygiene and exercise a duty of care in helping their customers, in the event of a data breach.
Our future will be digital. We need agile digital infrastructures backed by robust regulation to participate safely in that future. To achieve that, data related disclosures that encourage informed public discussions about organisational practices will be critical.
Sustainable Development Goal (SDG) target addressed:
Target 9.1 Develop quality, reliable, sustainable and resilient infrastructure, including regional and trans-border infrastructure, to support economic development and human well-being, with a focus on affordable and equitable access for all
Resources
Should data breach related disclosures form part of the routine reporting requirements expected of reporting entities?
Are there other modes of disclosure beyond the annual report that would assist organisations communicate their data related practices to various stakeholders? To answer this question, it is worth thinking about the impact the organisational form (for example: private, public, NGOs), the jurisdictional boundaries (for example: transnational, domestic), and the stakeholders (for example: capital markets, individuals, regulators) might have on the design of an appropriate disclosure regime.
Articles
- Andrew, J., Baker, M., Huang, C. (2023). Data breaches in the age of surveillance capitalism: Do disclosures have a new role to play? Critical Perspectives on Accounting, 90, 102396-1-102396-16.
- Thomas, L., Gondal, I., Oseni, T., & (Sally) Firmin, S. (2022). A framework for data privacy and security accountability in data breach communications. Computers & Security, 116, 102657-.
- Andrew, J. Baker, M. Sheehan, M. (2022) After the Optus data breach, Australia needs mandatory disclosure laws. The Conversation.
Podcast
Websites
- Australian Government: Notifiable date breaches
- Have I been pwned?
- IBM Security: Cost of a Data Breach Report 2023
- Cybercrime Magazine:The World Will Store 200 Zettabytes Of Data By 2025
- World Economic Forum
- ISC2: Cybersecurity Workforce Study 2023: How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce
Jane is Professor of Accounting at the University of Sydney Business School. Her research explores the relationship between accounting information and public policy, with a particular focus on climate change and public service delivery.
