The Growing Nightmare of Ransomware and Data Breaches: A Proposed Solution


In recent years, ransomware attacks have become a persistent nightmare for Chief Technology Officers (CTOs) and Chief Information Officers (CIOs) of major tech companies, especially those in the Fortune 500. These attacks, often financially devastating, have created an ongoing sense of vulnerability for companies, even those with robust cybersecurity frameworks. Despite efforts to prevent or mitigate these attacks, it seems there is no escape.

A major factor contributing to this uncertainty is the complex nature of ransomware demands. Simply banning cryptocurrency as a means of paying ransoms has proven ineffective, as it does little to deter cybercriminals. Not paying the ransom doesn’t always yield positive results either. In cases of double or even triple extortion, where attackers not only encrypt data but also threaten to release or sell sensitive information, companies are left with few viable options.

Compounding the issue are the slow-moving data regulators. In many cases, data watchdogs take years to issue penalties or provide compensation to the customers whose data has been compromised. This delays the necessary actions that could help mitigate the impact on affected individuals, leaving both businesses and consumers in a state of uncertainty.

A Potential Solution from Professor Ryan Ko

In response to the escalating issue of ransomware and data breaches, Ryan Ko, a Professor at the University of Queensland, has proposed an interesting solution aimed at curbing the increasing threats posed by file-encrypting malware. Professor Ko highlights a crucial concern—once a breach occurs and sensitive data is compromised, it is often impossible to fully understand what the attackers will do with the stolen information. Hackers can exploit this data in numerous ways, such as launching targeted social engineering attacks at specific individuals or organizations.

To address this, Ko advocates for empowering individuals with the right to demand the deletion of their personal data from online businesses’ servers. According to Ko, this could be particularly effective in reducing the amount of sensitive information that is stored for purposes like user experience enhancement, research and development, or marketing.

The Right to Be Forgotten: A Global Perspective

Interestingly, the concept of granting individuals the right to demand the deletion of their data is not new. It has been in effect in Europe since 2018, under the General Data Protection Regulation (GDPR). This rule allows EU residents to request that businesses erase their personal data after a specified period, providing them with more control over their information. Customers can set preferences on how long they’re willing to have their data stored, whether it be 30, 90, 180, or even 365 days.

A comparable model is already in place for tech giants like Google. For example, users can request the deletion of data related to their activities on Chrome, YouTube, or Google search after a set period. This could be an encouraging precedent for Australia to adopt similar practices, as it offers individuals more autonomy over their digital footprints.

If implemented, this concept could potentially alleviate many of the anxieties surrounding data breaches. With more control over how long their information remains stored online, users may no longer feel as vulnerable to major data leaks like those seen with Qantas, Medibank, or Optus. If businesses were required to delete data after a given timeframe, the chances of hackers accessing large, compromising datasets would decrease significantly.

Challenges to Implementation

While the proposal is promising, there are significant challenges to implementing such a rule effectively. For one, it’s unclear how well businesses in Australia would comply with such regulations. Many companies are unwilling to have their data centers audited by third parties, especially when it comes to verifying what information is being stored and how it is being handled. Even if the rule were implemented, there is no guarantee that businesses would adhere to the guidelines in a transparent and verifiable manner.

Furthermore, the enforcement of data deletion is fraught with complexities. Will businesses be required to delete all data upon request, or just specific types of information? And how would compliance be monitored? These are questions that remain largely unanswered.

Despite these uncertainties, there is a silver lining. Australia ranks as the number one country in cyber defense, according to the Harvard University report from September 2022. This strong ranking indicates that Australia is well-equipped to lead the way in cyber defense and data protection. However, many Australians who are in favor of the data erasure rule remain skeptical, unsure whether it will be a true “silver bullet” solution to the problem.

The Path Forward: Change is Possible, but it Takes Time

The reality is that while this proposal may not be an all-encompassing fix, it represents a step in the right direction. In a world where cyber threats are constantly evolving, any form of progress is valuable. Empowering consumers to have more control over their personal data could help foster a more secure and transparent digital environment.

As the conversation around data security continues to evolve, it’s clear that the path forward will require collaboration between governments, businesses, and individuals. Perhaps most importantly, it will require a shift in mindset—from viewing data as an asset to be exploited to recognizing it as a personal right that needs to be protected.

Ultimately, though it may take time for these ideas to fully take root, they could inspire a future where consumers are better protected in the digital world. After all, as the saying goes, “Something is better than nothing.” With increasing public awareness and demand for stronger data protection policies, the implementation of such rules could lead to a safer and more secure online environment.

Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security