Governments must do more to ensure protection of users' data in wake of worrying Yahoo theft
Published 24/09/2016 | 02:30
If you're a user of the beleaguered internet firm Yahoo, then you'll have woken up this week to the news that your personal information has been stolen.
It won't be much consolation, but at least you're in good company. Around 500 million users also had their passwords compromised along with names, addresses, telephone numbers, dates of birth and, ironically, the answers to security questions.
What does this mean for you? Until you change your password, any Yahoo services you use are at risk. Anyone with access to the stolen data may be able to read your email or download your private files. This is a particular concern for anyone who uses Yahoo for work - for example, quite a few barristers and solicitors list Yahoo emails in their contact details.
But even if you only use Yahoo for personal emails, it's still a headache. Remembering multiple passwords is difficult, and nearly half of all users reuse the same password for different sites. For these users, the Yahoo breach may also put their other accounts at risk, opening up attacks on services such as online banking or eBay accounts.
Because of these risks it is vital that users should know as soon as possible that their accounts have been compromised - giving them the chance to protect themselves by changing passwords, closing accounts and watching out for suspicious activity.
But in this case there are worrying reports that Yahoo knew of the attack much earlier - possibly at the start of August - and didn't warn users until now. If true, this irresponsibly exposed users to unnecessary risk.
Yahoo's European headquarters are located in Dublin, meaning that there's an important role for the Irish Data Protection Commissioner to play in investigating this incident. The case is likely to highlight two significant issues in Irish data protection law.
The first is that there is no sanction for carelessness. As things stand, there is no possibility of fining Yahoo if it turns out that it failed to take adequate care of your personal information. Bad publicity is effectively the only punishment available. In 2010, a government-appointed review group recommended that there should be a criminal offence of reckless handling of personal data - but the Department of Justice has not acted on this recommendation.
Second, Irish law doesn't require firms to notify users that their information has been compromised. In 2011, the Data Protection Commissioner adopted a code of practice on notifying users of data breaches, but the Department of Justice has failed to take the necessary steps to make this legally binding. The result is that breach notification is voluntary only - permitting firms to cover up incidents to avoid reputational damage.
Despite these failings at national level, the EU is steadily moving towards better protection of personal data and these issues will partly be addressed in 2018 when two new European laws come into force.
The most important is the General Data Protection Regulation, agreed in April 2016. This provides that firms can be fined up to €20m or 4pc of global annual turnover where they fail to provide appropriate security for your personal data, and requires firms to notify breaches to data protection authorities and affected individuals.
The EU Network and Information Security Directive is also important. Adopted in July 2016, this requires member states to establish better security safeguards around communication networks and digital services. It essentially treats digital infrastructure as of the same importance as physical infrastructure, and sets out for the first time to give it equivalent protection.
These European responses are important - but 2018 is still some way away, and there are things which can be done at national level in the meantime.
For example, the Minister for Justice could make breach notification mandatory within a matter of weeks by asking the Dáil and Seanad to approve the existing code of practice.
Finally, the Yahoo hack highlights another point - cybersecurity is already difficult, and governments must not be allowed to further undermine it. Strong encryption on our mobile devices and communications is the best protection we have against hackers. This is put at risk by recent government demands that companies build in deliberate security flaws - backdoors - into their products to make surveillance easier.
Despite the rhetoric, there is no such thing as a "golden key" which can only be used by law enforcement and not by criminals. If we deliberately weaken our security then data breaches will only become more common.
Dr TJ McIntyre is a lecturer in the UCD Sutherland School of Law and chair of Digital Rights Ireland