Tuesday, January 14, 2014

40 Million? 70 Million? 110 Million? We are still not sure how many customer data records have been compromised in the last 12 weeks



When initially reported by Target, it was estimated that approximately 40 million credit and debit card customer files had been compromised as a result of a data breach, which occurred sometime between November 27 and December 15, 2013 (Wall Street Journal, Corporate Intelligence). After the breach was first reported by KrebsOnSecurity on December 18, Target made a public acknowledgement of the breach on the 19th, confirming that customer names, credit or debit card numbers, expiration dates and encrypted security codes had been compromised. During the course of its investigation, conducted in conjunction with the Department of Justice, the Secret Service and Verizon Communications, Target discovered on December 27 that encrypted debit card PIN information had also been compromised as a result of the breach. Two weeks later, on January 10, Target announced that an additional 70 million customers had their personal information stolen during the breach, including names, mailing addresses, phone numbers, or email addresses (Wall Street Journal, Corporate Intelligence). On January 11, Neiman Marcus confirmed that it too had been the victim of a data breach during the same time frame as Target and that it was working with the U.S. Secret Service to investigate the break-in. Neiman Marcus also informed the public that it was unable or unwilling to disclose the number of customer records that were compromised. Today, according to Reuters, there were at least three other, smaller breaches at well-known U.S. retailers, carried out in a fashion similar to the Target and Neiman Marcus breaches (Reuters).
Most states (46 out of 50) have laws that require companies to notify customers when personally identifiable information, such as Social Security numbers, is compromised (National Conference of State Legislatures). In Massachusetts, Massachusetts General Laws chapter 93H, section 1 et seq. states that when a breach of security results in the disclosure of a resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements (Social Security number; driver's license or state-issued identification card number; or financial account information, with or without required security codes), the agency must notify the individual. Currently there is no federal law requiring consumer notification as a result of a data breach.
The reality of today is that data breaches happen and they will continue to happen. As new security technologies are brought into the marketplace, hackers and cybercriminals will continue to test the security controls, looking for and exploiting weaknesses in the technology. Organizations will experience temporary losses as consumers' confidence wavers as a result of the breach notification, but those profits are likely to return, as the public generally has a short memory and will eventually forget the incident. That reprieve is short-lived, lasting only until the next round of breaches is discovered and disclosed.
The real issue is the lack of accountability for organizations to take meaningful steps to protect consumers and make them whole. Currently the remedy for consumers caught up in a data breach is credit monitoring services. While this is an important step in protecting consumers' credit scores, it is woefully inadequate in protecting consumers from other forms of personally identifiable information abuse. Credit monitoring will not monitor public record databases, driver's license records, criminal records, Social Security records, or medical records. Nothing compels organizations to provide meaningful long-term protection for victims of data breaches.
One idea that has been floated is a federal law that penalizes organizations that are victims of a data breach and do not inform consumers. Recognizing that it is impossible to prevent every type of security issue, I find that suggestion naïve and overly simplistic. What I would suggest instead is a law that requires organizations to contribute to a superfund, similar to those established to clean up hazardous substances, by paying a monetary fee for each data record breached. For instance, if organizations were required to submit $1 for each data record compromised as a result of a data breach, Target would contribute between $40 million and $70 million to the fund. A portion of the fund could be set aside for future claims by consumers who were initially victimized in a breach and are victimized again later. After all, once your personal information is released, it may be years before the extent of the compromise is personally quantified. The fund could also be used to provide resources for research and education in the field of computer security, specifically for research and training in the prevention, detection and mitigation of cyber threats. Finally, funding could be provided to offset the cost of investigating and prosecuting the individuals responsible for the breach and for future crimes related to the misuse of the disclosed information.
