Author’s Notes and Acknowledgements

It is with great pleasure that I introduce this third edition of the Global Internet Report, covering the economics of data breaches. There have been a regular stream of data breaches in the news – many for financial gain, some to simply to demonstrate hacking prowess, and recently, targeted to impact current events – the US presidential election and world sport. The report aims to identify the causes of the breaches and, through an economic lens, present recommendations for increasing data security.

This topic clearly sits within one of the Internet Society’s two overarching goals, to promote and restore trust in the Internet. However, there is also a relation to the other goal – connecting the unconnected – because without trust in the Internet, those not yet online may find another reason to stay offline.

Like many of us, I bring personal experience to this topic, as one of my relatives was a customer of TalkTalk (the British broadband provider), and I was visiting when its latest and largest breach was announced. In trying to help, I shared in the frustration and uncertainty that these breaches create in users. Luckily, in this case, there was no long-term cost, other than the time needed to switch ISPs.

I can only imagine the dread felt by US government employees when they learned their confidential employment records had been obtained by unknown hackers, the embarrassment felt by Sony executives whose emails were read worldwide, or even the panic of Ashley Madison customers that their spouse would discover their affairs. The financial and non-financial cost of these and other breaches, all described in the report, may never be fully known.

In light of the profound impact of breaches on users, the greatest surprise for me in researching the report was how little users’ interests played a part in studies on breaches. The studies tended to focus on the technical explanations for breaches, and the cost to organisations who have been breached. Users’ direct costs from the breach are usually included, of course, and their business may be understandably lost. But there is little study of the short-term costs imposed on users in time and money of making their claims, the long-run risk and impact of identity theft resulting from the breach, or the non-financial harm. One of the goals of the report is to put users at the centre of the approach to tackling data breaches.

The other surprise for me was that more breaches are preventable than I had initially thought, yet at the same time a determined hacker can even breach the systems of companies whose own business is to provide data security solutions.

This leads to the two parallel questions the report seeks to answer. First, why more steps are not taken to prevent the preventable data breaches, and second, why more steps are not taken to mitigate the impact of the data breaches that do occur. Patches for known bugs are not always implemented; appropriate anti-malware software is not always used; too much personal information may be collected and stored; and it is often not encrypted.

The two questions are answered by examining the economic market failures that explain the current situation, and identifying the economic incentives to reduce the number and impact of data breaches.

The report is not a technical playbook for how to prevent a data breach; nor is it an economics textbook. Rather, it draws on examples we can all relate to. We do not have to be engineers to understand the challenges of passwords and updating our systems, and we do not have to be economists to understand how we respond to economic incentives such as lower costs or increased benefits.

I would like to thank Kathy Brown, Sally Wentworth, Olaf Kolkman, and Raúl Echeberría for their leadership and support for this report. Christine Runnegar provided valuable and insightful input on every draft of every section, along with Olaf Kolkman, Constance Bommelaer, Konstantinos Komaitis, Andrei Robachevsky, and Ryan Polk.

Special thanks and acknowledgements are owed to Christine Runnegar, who led the Internet Society steering committee for the development of the report. Christine leads the Internet Society’s policy agenda on Internet trust, championing privacy for Internet users, and her work was an important input to the development of this report.

The report benefitted from two working groups that provided input throughout the development of the report. First, an internal Internet Society working group included Wende Cover, Noelle Francesca de Guzman, Lia Kiessling, Shernon Osepa, Maarit Palovirta, Bastiaan Quast, Karen Rose, Nicolas Seidler, Robin Wilton, Dan York, and Fernando Zarur.

Another external group was formed from members of ISOC’s Organization Members Advisory Council and Chapters Advisory Council, consisting of Nadira Alaraj, Babu Ram Aryal, Nabil Bukhalid, Jeff Brueggeman, Olga Cavalli, Olivier Crepin-Leblond, Glenn Dean, Avri Doria, Richard Hill, Scott Mansfield, Cheryl Miller, Douglas Onyango, Christoph Steck, Rudi Vansnick, David Vyorst, along with Joyce Dogniez, Ted Mooney and Carly Morris from the Internet Society.

Both groups demonstrated, yet again, the depth and breadth of commitment and knowledge of the Internet Society’s staff and membership, and their insight and knowledge is felt on every page of the report. We note that the views expressed in the report do not necessarily reflect the opinions of the members of the external working group.

I would also like to thank the communications team, including James Wood, Wende Cover, Allesandra de Santillana, Beth Gombola, Lia Kiessling, and Jairus Pryor, as well as Lincoln McNey, Henri Wohlfarth and Brenda Boggs from the IT team, for all their help in putting the report together and online, and organising the launch. And thanks to Erin McGann and Michele Robichaux for expert editing.

Finally, thanks to Blossom Communications for their beautiful interpretation of the new Internet Society brand in the report design, and development of the printed and online versions of the report. The Internet Society would also like to thank Telia Carrier for its sponsorship of the work of Blossom Communications.

Michael Kende
Senior Fellow
Internet Society