More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile.
Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere.
When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights around that information? What is an organization’s level of responsibility to follow data privacy regulations when the owner is deceased, and does that change if the person was a customer, a client or an employee?
Data as property: Who owns it?
The first hurdle in posthumous data protection is defining ownership. Any organization with data stored in a public cloud has had to address the question of data ownership in relation to cybersecurity: Whose job is it to protect data in the cloud?
“When using a cloud-based vendor, many businesses think that they are retaining ownership of their data in these third-party services agreements — but this is often not the case,” Jon Roskill wrote in Forbes. End-user licenses often have wording that shifts data ownership away from the consumer and passes it along to the vendor.
Data ownership is a very slippery slope. Businesses are frequently sold, and when that happens, the data is business collateral. It doesn’t matter if the data was generated by customers; it becomes the property of the new owners.
If we can’t define data ownership, we also can’t allow data to be inherited. The idea of digital inheritance is still in its infancy, Dan Demeter, senior security researcher, and Marco Preuss, deputy director of GReAT, both with Kaspersky Lab, told an audience at RSA Conference 2023, but right now, there are no clear sets of procedures or laws around how to pass your digital rights to the next of kin.
Perhaps the biggest obstacle to defining data as property is that data can be anywhere and is often redundant. When a user shares personally identifiable information (PII) with a vendor, they’ll never know for sure where that data ends up or how often the data may have been replicated. Sets of data that specifically identify an individual could be stored on-premise with one company but are backed up and replicated on four off-site data centers in different countries. Now you aren’t just dealing with the vendor’s right of ownership but also laws governing data in each location.
Data never dies
The default assumption is that when a person dies, it doesn’t matter what happens to their digital assets. They aren’t going to need them. Managing someone else’s digital remains is a huge undertaking, often requiring death certificates and proving your relationship. Even then, you may just be scraping the surface of what’s actually out in the wild. And what do you do with the data you recovered? The task is so overwhelming, and there is nothing tangible to collect or defend.
Your loved one will die. Their digital assets will live on. Without the ability to monitor accounts or put surroundings around their personal data, a dead person’s PII becomes an appealing target for identity thieves and account hijackers. Overall, attacks due to account takeovers increased by 131% in 2022, according to research from Sift.
“The nature of account takeover attacks also makes them easy to scale — having access to one set of compromised credentials often opens the door to multiple accounts, giving fraudsters several sources to steal from,” a Sift blog post stated.
Digital accounts once belonging to someone who has passed away become literal ghost accounts. They are dormant and unwatched. No one keeps a vigilant watch on inactive accounts, and threat actors know that. This becomes a serious cyber risk for whoever holds the data. A single compromised account can offer long-term access to the corporate network, opening the door to ransomware attacks or financial theft.
Most data privacy regulations won’t offer any protection, either. They offer privacy coverage for identifiable persons; a dead person does not qualify as identifiable. An exception to this is health care information because that often includes records for another (living) person.
Protecting your deceased customers and employees
You can’t protect what you don’t know. Yes, that’s a cliche by now, but it’s also easy to forget. So while everyone in the company is alive and well, it is time to begin a comprehensive inventory of assets.
This must be a lifelong process, said Demeter and Preuss, because building one’s digital assets is a lifelong process.
Users need to create an inheritance plan. Maybe no one is going to physically inherit your digital assets, but chances are, someone will need to access accounts. Within the work environment, this is especially true for business continuity. Passwords, user names and MFA keys must be available.
The privacy gamechanger: AI
Artificial intelligence is going to force lawmakers and organizations to rethink the rules around data privacy for dead people. Any type of digital asset can be turned into fake information or regenerated to bring someone digitally back to life. Generative AI is already being used to build avatars of the deceased, called ghostbots, using available data to recreate their voice and personalities to make it seem like they are alive. But while dead people don’t have privacy rights, ghostbots are clearly blurring the lines of when data privacy should end.
While currently, ghostbots don’t seem to be a security risk; it really is just a matter of time until threat actors use AI to take identity theft to the next level. Organizations are better off without ghost data that could put them at greater risk of a data breach. But is that data handed off to the next of kin, or is it deleted?
Everyone has a digital legacy to protect. We just need to figure out the best way to do it while protecting the privacy of the deceased and their loved ones.