Publication of TurgenSec Ethics & Culture Guidance
TurgenSec publishes this document to the TurgenSec Community and to the Trust and Confidence section of TurgenSec’s website. TurgenSec will update this document in line with developing business practice and disclosure methodology.
Comments and feedback are welcome at [email protected].
Archive update log:
1.0 Purpose of this Document
This document outlines the business ambitions, motivations and approach of TurgenSec Ltd. TurgenSec interacts with companies, clients and governments as an independent party acting in the interest of national security, privacy under GDPR and other data protection legislation, the reduction of information asymmetry and in the interest of its clients.
This document outlines TurgenSec’s motivations for disclosing breaches in line with its practice governing responsible disclosure (see Trust and Confidence), the actions TurgenSec takes to issue public statements to disclose breaches and cyber security information, and the motivations behind its ongoing research and development projects.
1.1 This document:
- Lays out the goals and ethics of TurgenSec.
- Explains the motivations behind breach disclosure practice.
- Is a frame of reference for evaluating future and existing policies.
- Outlines the intended impact of TurgenSec’s business activities.
We encourage constructive criticism of this document and feedback on how it could be improved. Feel free to reach out to us through our ‘About’ page or on Twitter.
Breach Disclosure: Notification of regulators and/or victims of incidents that affect the confidentiality or security of personal data.
Public Disclosure: Revealing the fact(s) of an information breach to any party not the owner of the breached system or data.
Exosystem: Structures that function largely independently of the individual but nevertheless affect the immediate context within which the individual develops. These include the government, the legal system, and the media.
Information asymmetry: Asymmetric information, also known as “information failure,” occurs when one party to an economic transaction possesses greater material knowledge than the other party (https://www.investopedia.com/terms/a/asymmetricinformation.asp). In the context of data breaches information asymmetry relates to the imbalance of power over data between organisations, data controllers and individuals.
NCSC: National Cyber Security Centre. “We support the most critical organisations in the UK, the wider public sector, industry, SMEs as well as the general public. When incidents do occur, we provide effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future.” https://ncsc.gov.uk
ICO: The Information Commissioner’s Office. “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” https://ico.org.uk
CMA: Computer Misuse Act 1990. UK law against misuse of computers. In the 30 years since it was passed, ethical hackers have never been prosecuted for criminal charges under it.
GDPR: The General Data Protection Regulation 2016/679 is a European regulation on data protection and privacy. It addresses, amongst other matters, the transfer of personal data outside the EU and EEA.
2.0 TurgenSec Vision
Our social and business goals springboard from a belief in individual data rights, in particular the following principles laid out in the GDPR.
- Lawfulness, fairness and transparency
- Integrity and confidentiality (security)
2.1 Social Goals
The company’s social goals are:
- Creating a world where people can accurately understand the extent of their publicly exposed data. In particular:
  - Consumers are aware of the personal data that companies hold.
  - Consumers are aware of breaches of their personal data.
  - Consumers are aware of illegal trading of their personal data and of its use by malicious actors.
  - Consumers are aware of which companies have sustained breaches, such that they can make informed decisions about which organizations to trust with their data.
- Promoting the legitimate expectation that personal data is treated with care.
- Empowering people to use their data to make change as an individual.
People should be aware of the personal data about them that exists on the open web. This data is a crucial resource exploited by bad actors to breach organizations and steal from individuals (93% of successful attacks leverage pretexting).
TurgenSec supports the principle of access to appropriate compensation following breaches of privacy and mistreatment of personal data. Similarly, breached organisations should be made aware in order to activate incident and crisis response plans and to comply with relevant contractual obligations.
2.2 Business Goals
Creating a world where people can accurately understand the extent of their publicly exposed data. In particular:
- When TurgenSec’s research and development activities bring to light breaches, the company activates its responsible disclosure policy. Responsible disclosure represents a value proposition for TurgenSec’s services (as outlined under 4. Breach Disclosure Ethics).
- TurgenSec’s Exosystem Monitoring service monitors third party breaches for corporate clients, providing the necessary information, resources and tools to reduce the risk and impact of breaches affecting the supply chain and other third parties.
- TurgenSec’s Data Shadow service provides clients with tools and information to monitor their personal and third party information online. Partnered with Ethi.me (https://ethi.me/) the Data Shadow service empowers clients to monitor, remove and evaluate the personal information that could be used against them to phish, extort and make opposition market gains.
Promoting the legitimate expectation that personal data is treated with care.
- TurgenSec’s business services and responsible disclosure practices ensure personal data privacy for clients and individuals impacted by data breaches.
- TurgenSec treats all personal data with which it interacts with care.
- Responsible disclosures and public disclosures encourage organisations and companies to treat people’s data with care as well as educating the public on the value of their personal data.
- Public disclosures further encourage companies to take positive, demonstrable and effective steps in preventing data breaches from occurring again in future.
Empowering people to use their data to make change as an individual.
- TurgenSec’s partnership with Ethi.me (https://ethi.me/) lays the groundwork for the monetisation and responsible use of personal data reclaimed from companies through GDPR and other data protection legislation. Ethi is not alone in this endeavour and TurgenSec is open to collaboration with other companies working towards the same ends.
3. Business Culture
Workplace and business culture is hugely important. TurgenSec believes an incredible culture is a valid purpose in itself for an organisation, and the foundation of culture lies in ethics. Fortunes can change in an instant; an organisation is its people, not its bottom line.
It is no accident that a person-centric approach supports business success metrics. A healthy company culture:
- Improves employee happiness and motivation
- Reduces turnover
- Encourages excellent work
- Attracts assistance
- Fosters collaboration
This offers an organisation its best chance of longevity and of succeeding financially. If colleagues are happy in their work, understand why we do what we do and are fulfilled by doing good in the world, we have created something worthwhile.
4. Breach Disclosure Ethics
4.1 Background for Producing an Ethical Framework
One of the biggest problems facing security researchers is a choice between serious effort and potential legal threats while working in the public interest, versus making some money and taking the credit through an alias. This unfortunately is part of the reason certain ‘black hat’ markets boast over a million registered users. In the view of TurgenSec, a world where security researchers are incentivised to make the choices that benefit society is one that we should all work towards.
Ethical disclosures foster further ethical disclosures. Cases where researchers are discredited, abused or, worse, end up serving jail time undoubtedly contribute to the culture that has seen the personal data of hundreds of millions of people leaked online. Each organisation that mistreats security researchers reduces the likelihood of future ethical notification to other breached organisations.
Ultimately, for as long as there is no financial incentive to behave ethically, there is little hope of change for the better. Before the introduction of fines under data protection legislation, there were few circumstances in which a company would suffer significant ramifications for leaking its users’ data (and there was no legal obligation to notify). The users impacted would bear the cost of these mistakes, through fraud enabled and enhanced by data leaked without their knowledge. This lack of transparency was coupled with the fact that the individuals exploited were disproportionately vulnerable people. Previously, the organisations responsible were not held accountable.
With data protection legislation becoming increasingly widespread, GDPR has been a game-changer, giving individuals far more power than before and increasing organisations’ accountability for the handling of their data. Now that people have the right to claim compensation when their data is mishandled, and the fines are enshrined in European law, individuals and data protection authorities have real power to hold data controllers and processors to account.
Increasing the responsibility and accountability taken on by organisations handling data will mean significantly better cybersecurity for us all, allowing us to fight fraud (which has risen year on year, and mostly involves exploiting data) on a level playing field, rather than against the tide.
As no internationally accepted set of ethical principles upon which individuals and organizations can be informed of data breaches exists at present, we have based our policies on NCSC advice, the main GDPR principles, the CMA’s definition of public good, and existing standards within other industries, including how breaches of confidentiality are dealt with within the medical industry.
4.2 Universal Disclosure Principles
- The lawful, timely discovery of datasets containing sensitive information disclosed publicly in error, inadvertently or maliciously.
- The protection of the rights of individuals, in particular the right to privacy enshrined in data protection legislation internationally. Privacy is a fundamental human right in accordance with the UN Declaration of Human Rights, and we seek to protect it. Organizations that value their privacy and confidentiality protect their employees indirectly through their bottom line, but also personally, as employees have entrusted their private data to the care and due diligence of their employer.
- Timely and consistent communication with organisations found to be suffering from a security or data breach, however caused. Efforts will be made to make contact with the individuals or organisations affected by the breach in as timely and consistent fashion as possible.
- The application of fair and ethical standards, which balance the rights of individuals and organisations. We look to work with organisations to create a more secure digital world where data rights are upheld and the security and correct handling of individuals’ data is performed in a transparent and informative way.
- Transparency with impacted parties as to the extent and content of the information breached.
- Adherence to the letter and spirit of legislation protecting personal data and the rights of individuals.
4.3 Public Disclosure
4.3.1 Public Disclosure Goals
- Bring the breach to the attention of affected individuals, without any semblance of doubt.
- Incentivise appropriate behaviour by demonstrating the outcomes when organisations do not act in line with ICO and NCSC guidance.
- Raise awareness and scrutiny of data breaches and data security.
- Act transparently with the public and involved parties.
- Prevent the spread of false information about the nature of the breach.
4.3.2 Why is Public Disclosure important?
The above goals are motivated by the following:
- When it is impossible to identify the organisation responsible for the data breach, public disclosure brings more people into identification efforts so that the breach can be resolved.
- Where companies eschew their obligations in the run up to, and in the aftermath of, a data breach, Public Disclosure increases awareness of the costs of doing so, a vital contributor to global efforts to ensure appropriate care is taken to secure data and protect the rights of individuals.
- So that individuals are aware of the dangers of the services they use and are able to more appropriately judge when to share potentially compromising data, and what standard of care to expect from those they entrust with their data.
- To earn the trust of the public, and any involved parties, by clearly outlining the truth of what has occurred.
- Public Disclosure protects individuals from being exploited by malicious parties looking to take advantage of the news, by providing a ground truth as to the extent of leaked data. Further, it protects TurgenSec and others from bribery, threats, gag orders, manipulation and legal coercion to conceal the existence of, or downplay, a data breach.
4.4 Corporate Disclosure Ethics
Corporate breaches are breaches that involve corporate information (sometimes alongside personal information). Information in corporate breaches can often contain confidential business information exposing the details of employees, business practices, contracts and agreements, amongst other things.
This information is extremely useful to malicious actors who can then attack the business and its clients using insider information.
4.4.1 Corporate Disclosure Goals
- Building positive relationships and open communication channels with the companies impacted.
- Providing verifiable transparency on the principle that organizations and individuals have a right to know what has been breached about them in objective and precise terms.
- Through transparency, allowing individual and organizational consumers to make informed decisions on who to trust with their sensitive data.
- To bring attention to the wider debate of why breaches need transparency to reduce the costs of all involved.
- To bring attention to the work of TurgenSec, demonstrating and proving our value proposition.
4.4.2 Why is Corporate Disclosure important?
Every company in the world interfaces with third parties that hold information about them and their customers. Rigid security and regular testing mean nothing if the third parties you rely upon are leaking information that endangers your business. (Exosystem Monitoring – The Problem).
Supply chain cyber security (https://www.ijtre.com/images/scripts/2019061017.pdf) is an undervalued area of cyber security that causes a huge number of breaches every month.
Businesses are under no legal obligation to disclose that they have breached a third party’s business information unless it is stipulated in a contract or personal data has been breached. The damage to society and businesses of breached company data can in many cases be more significant than personal data breaches affecting consumers.
4.4.3 Contributions to Global Information Security
Part of our public offering involves monitoring leaks in third party suppliers that put organizations, employees and customers at risk, helping to protect organizations, their customers, and their revenues from bad actors. Exosystem Monitoring – The Solution.
The exposure and responsible disclosure of data breaches benefits TurgenSec’s business, as a clear indication of the value TurgenSec can offer, and raises awareness among businesses of the risks they take with third parties. Further, it reduces the information asymmetry of data security, making the existing cyber security solutions relied upon by most individuals, institutions and organizations more effective, and allowing lessons to be learned more widely across organisations.
Where possible, we aim to align our goals and business activities with those of the NCSC, linked below.
4.5 Breach Disclosure Ethics Analogies
To relate the framework given above to existing accepted ethical philosophy, we provide the following analogies, which run in parallel with our disclosure principles.
4.5.1 Computer Misuse Act:
First, we must address the CMA as it relates to our research activities, due to the common misinterpretation of what we do. It is not hacking.
- Open up a web browser.
- Go to https://turgensec.com
- Did you just hack us to access the information on our server?
4.5.2 On finding a dropped wallet:
- Try to identify the owner.
- Return the dropped wallet.
- Don’t take any money from the wallet.
- If other people’s credit cards are within, try to return those.
- If you can’t identify the owner, ask “has anyone lost this wallet?”
4.5.3 On finding an open storage warehouse filled with goods:
- Try to identify the owner and notify them.
- Report the breach to the responsible authorities.
- Don’t take any money from the warehouse.
- If you cannot identify the owner of the warehouse, and the authorities cannot assist in resolving the situation, report the breach to the users of the warehouse.
- If you can’t identify the owner, or users, ask publicly “whose warehouse is this?”.
- Tell those who had stored things there that it had been left unsecured, so they have an option to change their minds about storing things there in the future.
4.5.4 Dropping the house key of your friend down the drain, through a hole in your trousers.
- Tell them about it.
- Do not claim you have been robbed.
- Do not claim you never lost the key, or have never even heard of such a key.
- Let them know that while you can’t get them their key back, you can offer them X as a form of apologizing.
- Let them know that you have in fact patched up the hole, or indeed purchased entirely new trousers, so as to ensure that this situation does not happen again and reassure them that the rest of their keys in your possession are safe.
- Give them the chance to at least know this happened and reconsider their decision to trust you with keys in the future.
5. Document control
| Title | Ethics & Culture | Version | 1.0 |
| --- | --- | --- | --- |
| Validity | Until next issue | Classification | Public |
| Effective | 27th April 2020 | Review date | 27th April 2021 |
| Owner | Peter Hansen, Founder | Sponsor | Nathaniel Fried, Founder |
5.2 Document history
| Date | Version | Author | Notes |
| --- | --- | --- | --- |
| 20/04/2020 | 1.0 | Peter Hansen | First draft |