We’re constantly hearing about data breaches in the context of financial losses – this company lost $40m, this one’s market value dropped by 3% – but what about the softer losses? What about the people who lose their privacy and have their most intimate details exposed?
In this blog post, we interview our guest, Dana Turjeman, Ph.D. Candidate in Quantitative Marketing at the University of Michigan, and look at the implications for individuals who have suffered the consequences of a data breach.
About Dana Turjeman
Dana Turjeman is a Ph.D. Candidate at the Ross School of Business, University of Michigan, and her research focuses on privacy and impression management.
After working with an online match-making website (specifically for those seeking an extramarital affair) that suffered a severe data breach, Dana and her team wanted to learn more about the short-term changes in the behavior of users following the announcement of a breach.
When she started to investigate the consequences of the data breach, she realized there was a lack of research on how such breaches affect users. Almost all work in this field was on financial damages suffered by public companies – simply because financial data on public companies are more available.
BitDam (BD): What’s the impact of data breaches on individuals?
Dana Turjeman (DT): Data breaches differ based on the level of sensitivity of the data, number of records, where the data ends up (public or not), and whether people can be protected from damage or not. On many occasions, data breaches cause financial harm to individuals; in many countries, these effects can be minimized by using financial identity and fraud detection services.
In other cases, sensitive information about habits, sexual preferences, and illegal behavior has been revealed. In the case of one of the affair-seeking websites that was breached, individual users got divorced, had their reputation severely harmed, and in extreme cases – committed suicide. This example of a breach is one of the most extreme in terms of the sensitivity of the data.
Usually, even though data breaches receive a lot of media attention, individual users do not have many ways to protect their identity, and even if they do have a way to protect it, they neglect to do so; this is often referred to as the “privacy paradox”. This might be for several reasons: optimism bias, laziness, uncertainty as to what can be done, and habituation (getting used) to data breaches. Measurement of changes to users’ engagement with companies is hard to achieve, following a data breach, and my research aims to solve this problem.
BD: Can you tell us more about your research?
DT: I have several projects on privacy; one of them focuses on the consequences of the data breach on the affair-seeking website, as I mentioned. Another relevant one is on the positive and negative sides of data collection, specifically in marketing practices.
In a different stream of my research, I look at impression management. In one relevant project, I observe changes people make on online dating websites (not only those seeking an affair) and investigate the “optimization” they make to their appearance on the website. Some users change details such as date of birth, height, and ethnicity – which can clearly never change. It doesn’t mean they lie in order to deceive. Rather, there are several reasons that have been discovered – personal security, ability to hide personal information and “hold the cards”, and yes, also – desire to attract more.
BD: It seems like the main focus when it comes to data breaches is on financial losses rather than customer behavior. Can you comment on that?
DT: Most research on the consequences of a data breach focuses on the stock market valuation of companies that suffered a breach, and customer surveys. It is hard to measure actual changes in customer behavior, for two main reasons:
(1) Companies don’t easily provide data following such instances (very naturally so – they want to share less, and not more, data, after a data breach), and (2) it is hard to measure users’ reactions, especially when there’s no “control group” (i.e., usually, in a data breach, all users/customers of the company are affected, and there is no clear group that can be used for comparison).
BD: How do you deal with these constraints?
DT: We solve both of these problems by having a rich data set that we received directly from the company (under a Non-Disclosure Agreement, and only for academic purposes), and by using advanced quantitative and causal inference methods.
BD: Why are the “softer” effects being overlooked in your opinion?
DT: Some of the consequences of data breaches that I mentioned above – loss of privacy, reputation, etc., are hard to measure. Usually, it is easier to look at stock market valuation and assess what the damage is from there.
BD: Any idea on how to avoid such privacy violations?
DT: The easiest thing is to collect only the data that is really needed and hold it for the least amount of time necessary. But even with data that is collected, companies should:
- Update their security practices all the time
- Encrypt every piece of the data, and obviously the sensitive parts of it
- Grant access to only those who must access the data
- If using third-party code:
  - Be sure to use it only if it is from a reputable source
  - If it is open source, use open source that is well maintained and validated
- Data protection should be discussed from the very first step of product development
- Apply advanced cybersecurity solutions and keep up-to-date with new solutions and technologies
The Key: Stay Protected
Data breaches can take a massive financial toll on businesses. What’s less known is the tremendous negative impact these breaches have on individuals. Thanks to researchers like Dana Turjeman, we’re starting to find out more about the effects these breaches have.
A key takeaway is how imperative it is to ensure that all content and applications are secure. Organizations and individuals should make sure they are protected and deploy sophisticated solutions to deal with these advanced threats before it’s too late.