Amplifying victim vulnerability: Unanticipated harm and consequence in data breach notification policy

Published: 01 September 2023
Authors: Dennis Gibson, Clive Harfield
Subject matter: Articles
International Review of Victimology, 2023, Vol. 29(3), 341–365
© The Author(s) 2022
Article reuse guidelines: sagepub.com/journals-permissions
DOI: https://doi.org/10.1177/02697580221107683
journals.sagepub.com/home/irv
Dennis Gibson
The University of Queensland, Australia
Clive Harfield
Australian Catholic University, Australia
Abstract
Loss of control over one’s identity through identity usurpation, or identity theft, results in
victimization characterized by multiple species of harm: material harms such as financial loss;
medical harms such as psychological distress and consequential physiological illness; and moral
harms such as infringement of autonomy. Digital data breaches are a common means by which
identity can be usurped and laws have been enacted requiring data-holders to notify data subjects
when their personal information held on digital databases has been compromised. The intention is
that victims should then be able to undertake their own mitigation measures. This paper explores
the efficacy of this approach as a solution and argues that this policy – particularly in the light of
new digital criminal methodologies – creates a conflict of victims’ interests. It is an unintended
outcome of policy that exacerbates, rather than resolves, identity usurpation and associated
victimization in the digital environment.
Keywords
Data breach notification, digital victimization, harm mitigation, policy, ransomware
Corresponding author: Clive Harfield, Thomas More Law School, Australian Catholic University, Anthill Street, Watson, ACT 2602, Australia. Email: Clive.Harfield@acu.edu.au

Introduction

This paper explores an aspect of cybercrime victimization – a topic of increasing academic interest (see, for example, Correia, 2019; Henson et al., 2016; Holt and Bossler, 2008; Jansen and Leukfeldt, 2017; Martellozzo and Jane, 2017; Palassis et al., 2021). While many of the adverse impacts on cybercrime victims are similar to the adverse impacts experienced by victims of crime in the physical world, cybercrime victimization is also characterized by a nuance and intensity unique to the digital environment. The digital environment is a new habitat – perhaps not yet fully recognized as such – an infosphere ecosystem (Floridi, 2013) with its own demands and dangers, in which humanity is learning to live anew (even adapting physiologically and psychologically: Bhatt, 2019; Greenfield, 2015), in parallel with the more familiar physical environment (Harfield and Schofield, 2021). In the digital environment, the impacts of cybercrime victimization can be multiple and accumulative; and cybercrimes are ‘limitless in time and space’ (Notte et al., 2021: 1). In recognition of the qualitative difference of cybercrime offending and victimization, there have been calls from the digital and cybersecurity sciences to broaden understanding of cybercrime beyond the mechanics of computer misuse (Dupont and Holt, 2021).
This paper contributes to the broader understanding of cybercrime victimization by examining the consequences of the operation of mandatory data breach notification (MDBN) laws. Using the example of ransomware attacks,1 the paper argues that the rapid development of cybercrime technologies and methodologies has outpaced policy and legislative developments. Consequently, the policy of MDBN, enacted in response to one set of circumstances, now applies in different circumstances with unintended consequences. These consequences include amplified victim vulnerability, in part due to the conflict of victims’ interests – specifically, the conflict between the interests of the corporate data-holding victim who experienced the ransomware attack (the breached organization), and the interests of the affected individual (or data subject) whose personal information is compromised in such an attack. Using Australia as a case study of the problems brought into sharp relief, this paper considers the legislated policy response (MDBN laws) intended to mitigate the vulnerability of identity usurpation – a not unproblematic response in itself (Gibson and Harfield, 2021). It then describes the rapid evolution of ransomware and how this has resulted in exacerbated victimization. Adverse consequence for victims is considered not only in terms of material harms, but also in terms of harms to moral interests.
MDBN laws address a particular form of digital victimization: specifically, instances in which data concerning the victim – or affected person – are held by a third party (e.g. a commercial enterprise or government entity), and the cybersecurity of the third party is compromised – or breached – in a manner that enables criminals to access and/or manipulate the data concerning the affected person.2 (Not only are the data of affected persons compromised, but the separate interests of the third party holding the data, the breached organization, are also harmed – but the MDBN laws focus only on the interests of the data subject.) This particular form of consequential victimization is distinguished from, for example, the direct victimization that arises from criminals hacking directly into data storage and digital systems operated solely by the affected person (see, for example, Morgan et al., 2016). A key feature of the distinction is that a person affected by a third-party data breach has no direct control over measures to prevent themselves becoming a victim in the first place; and is reliant upon the actions of the third party in being able to exercise in a timely manner any control over resolving adverse and harmful consequences arising from a data breach.
More than a merely philosophical consideration is the question of whether an affected person whose data are breached but not subsequently misused should be considered a victim. To the extent that such an individual is consequently placed in a situation of new – potentially open-ended – vulnerability, the answer is yes. In any given jurisdiction, the circumstances of a data breach may themselves be criminalized, regardless of whether further crimes are committed using the data that