When the personal information for some of the planet’s most powerful leaders gets e-mailed to an organizer of the Asian Cup football tournament, that’s a data breach, right?
The answer is: it depends. At least, that’s the conclusion one might draw from the story this week that personally identifying information of attendees to the G20 summit in Australia was accidentally exposed by that country’s immigration services.
An employee there sent an e-mail containing passport numbers, visa details and other personal identifiers of the summit’s attendees to the organizers of the Asian Cup football tournament. Those affected included U.S. President Barack Obama, Russian president Vladimir Putin, German chancellor Angela Merkel, Chinese president Xi Jinping, Indian prime minister Narendra Modi, Japanese prime minister Shinzo Abe, Indonesian president Joko Widodo, and British prime minister David Cameron.
The leaked data included each leader’s name, date of birth, title, position nationality, passport number, visa grant number and visa subclass.
According to this article in The Guardian, the Australian privacy commissioner was contacted by the director of the visa services division of Australia’s Department of Immigration and Border Protection about the data breach on November 7, 2014. The Department of Immigration was looking for guidance on how to respond to the incident, which occurred that day, while also looking to keep the details of it private.
“Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach,” reads a memo from the Director of Visa Services Support and Major Events in the Department of Immigration.
The justification? The recipient of the e-mail indicated that they deleted the offending message and did not forward a copy to anyone in the meantime. Also, as this article indicates: much of the leaked information is already public, while “passport and visa info cannot be effectively misused because the individuals in questions are so prominent.”
In other words, if you’re going to make a dummy passport and try to pass yourself off as someone else, it probably isn’t going to be President Barack Obama.
It isn’t clear whether Australia’s Immigration Department subsequently informed the world leaders about the breach. Regardless, the incident raises important questions about what does and does not constitute a “data breach,” and when authorities should be required to report incidents such as the inadvertent e-mail in this story.
As the Guardian points out, the security lapse almost certainly violated data breach notification laws in the home countries of many of those leaders, including Britain, Germany and France. The U.S., of course, lacks a federal data breach law, but its safe to assume that it violates Illinois’ 815 ILCS (Mr. Obama’s home state) and D.C. Code 28-3851 (his place of residence).
For those laws, the likelihood of the leaked information being misused is irrelevant. A data breach is a data breach, no matter how sure you are that the data in question is erased for good.
The question of whether data that is already in the public domain can properly be considered “leaked,” is also an important one. Here, I think the question needs to be asked about what is meant by a “public” record? There is lots of information that is in the public domain, but that isn’t floating around on the Internet. “Sunshine” and “freedom of information” laws in the U.S. and elsewhere allow citizens to request and view these records, provided they meet the requirements of those laws.
But that’s a higher bar for access than searching a site like Pastebin.com for whatever is posted there or – as in the recent case of former Florida Governor Jeb Bush’s stab at “transparency” – downloading an entire Microsoft Outlook e-mail spool and browsing its contents.
As the Bush incident indicates, personal information concerning an individual that is buried in an email message that might someday be discoverable in a public records search is very different from the sum of all personal information in tens or hundreds of thousands of e-mail messages lumped together in one place.
In the end, that kind of fuzziness is what data breach laws are designed to clear up. They make clear what does and doesn’t constitute a breach, and when disclosure is mandatory. It is then up to governments to enforce those laws and make them bite. Wishing away harm may feel good – and in the case of the G20, it may have been based on correct assumptions. But it’s a dangerous habit to get into.
Left up to individuals to decide what is a “serious” incident and what isn’t, we are likely to hear about very few serious incidents, at great harm to everyone, I’m afraid.
Paul F. Roberts is the Editor in Chief of The Security Ledger.
Image via Whitehouse.gov.
