Have you ever heard the expression “once on the Internet, it's there forever?” Well, that isn't so true any more due to new laws such as the CCPA. The CCPA (California Consumer Privacy Act) was passed in 2018 and put into effect in 2020. It contains many important rights such as the Right to Delete, Right to Know, and Right to Opt-Out.
Specifically, the Right to Delete states that companies must completely delete personal data when requested by an individual within a certain period of time (e.g. 45-60 days). This has caused large losses to data-centric companies. For example, the General Data Protection Regulation (GDPR) is the UK’s version of the CCPA and was promulgated on May 25, 2018. Under the GDPR, Amazon lost $877 M, Whatsapp lost $255 M, and other companies lost over $1.2 B in total between January 2020 and January 2022. But why would these companies lose billions of dollars instead of simply deleting user data? Because they can’t. Data from databases suffer from data persistence, meaning that the data remains long after use and is only deleted much later. This quality is true for almost all modern hard drives, such as the ones in your computer, laptop, and even phone. Because of this flaw, reliant systems like data structures, data management systems, and other relevant data management tools have been developed without sufficient means to delete data. Instead, companies are forced to run third-party programs through their databases to delete specifically requested data every few weeks. This is extremely costly and time-consuming as well as causes servers to be slow and/or unavailable.
Data never dies
The default assumption is that when a person dies, it doesn’t matter what happens to their digital assets. They aren’t going to need them. Managing someone else’s digital remains is a huge undertaking, often requiring death certificates and proving your relationship. Even then, you may just be scraping the surface of what’s actually out in the wild. And what do you do with the data you recovered? The task is so overwhelming, and there is nothing tangible to collect or defend.
Your loved one will die. Their digital assets will live on. Without the ability to monitor accounts or put surroundings around their personal data, a dead person’s PII becomes an appealing target for identity thieves and account hijackers. Overall, attacks due to account takeovers increased by 131% in 2022, according to research from Sift.
“The nature of account takeover attacks also makes them easy to scale — having access to one set of compromised credentials often opens the door to multiple accounts, giving fraudsters several sources to steal from,” a Sift blog post stated.
Digital accounts once belonging to someone who has passed away become literal ghost accounts. They are dormant and unwatched. No one keeps a vigilant watch on inactive accounts, and threat actors know that. This becomes a serious cyber risk for whoever holds the data. A single compromised account can offer long-term access to the corporate network, opening the door to ransomware attacks or financial theft.
Most data privacy regulations won’t offer any protection, either. They offer privacy coverage for identifiable persons; a dead person does not qualify as identifiable. An exception to this is health care information because that often includes records for another (living) person.
Protecting your deceased customers and employees
You can’t protect what you don’t know. Yes, that’s a cliche by now, but it’s also easy to forget. So while everyone in the company is alive and well, it is time to begin a comprehensive inventory of assets.
This must be a lifelong process, said Demeter and Preuss, because building one’s digital assets is a lifelong process.
Users need to create an inheritance plan. Maybe no one is going to physically inherit your digital assets, but chances are, someone will need to access accounts. Within the work environment, this is especially true for business continuity. Passwords, user names and MFA keys must be available.
The privacy gamechanger: AI
Artificial intelligence is going to force lawmakers and organizations to rethink the rules around data privacy for dead people. Any type of digital asset can be turned into fake information or regenerated to bring someone digitally back to life. Generative AI is already being used to build avatars of the deceased, called ghostbots, using available data to recreate their voice and personalities to make it seem like they are alive. But while dead people don’t have privacy rights, ghost bots are clearly blurring the lines of when data privacy should end.
While currently, ghostbots don’t seem to be a security risk; it really is just a matter of time until threat actors use AI to take identity theft to the next level. Organizations are better off without ghost data that could put them at greater risk of a data breach. But is that data handed off to the next of kin, or is it deleted?
Everyone has a digital legacy to protect. We just need to figure out the best way to do it while protecting the privacy of the deceased and their loved ones.