Little is understood about the real risk of serious harm from data breaches, or about how that risk evolves and accumulates for individuals.
Research Priority 3 (RP3)
The breach of personal information continues to affect many millions of people every year. Government regulation in this environment prioritises reporting to regulators and, separately, notification of affected persons where serious harm is assessed as likely for each individual event. Little is known, and little is managed, about the aggregate risk of serious harm to individuals. Breached data commonly remains widely accessible well after notification, so the risk of serious harm to individuals is likely to grow and accumulate.
What we do know with confidence is that breaches continue to occur at spectacular scale, that serious harm is experienced, and that a market is being conditioned on a regulatory requirement which may or may not be making a real difference to those actually impacted.
Research in this field needs to contribute to understanding how the cumulative risk to individuals is best managed and treated. Key questions future research could address on this theme include:
RP2.1 In these contexts, what is meant by ‘effective’ breach response, and from whose perspective? How effective are current breach response models in mitigating serious harm to persons who confront an accumulating risk?
RP2.2 Does the type of breach (such as ransomware) matter to, or affect, effective response? What are the real risks, and what affordances exist within the response system to address them?
RP2.3 Are notifiable breach regimes that centre upon reporting to regulators the most effective models for responding to the risk of, and from, breach events? What are the legislative inhibitors to effective breach response? How can effective breach response be achieved where there is an asymmetrical understanding of the risks of serious harm?
RP2.4 What are the real risks of serious harm to impacted persons, and do treatments work against an evolving threat and response system?