When Target first reported the incident, it estimated that approximately 40 million credit and debit card customer records had been compromised as a result of a data breach that occurred sometime between November 27 and December 15, 2013 (Wall Street Journal, Corporate Intelligence). After the breach was first reported by KrebsOnSecurity on the 18th of December, Target made a public acknowledgement of it on the 19th, confirming that customer names, credit or debit card numbers, expiration dates and encrypted security codes had been compromised. During the course of its investigation, conducted in conjunction with the Department of Justice, the Secret Service and Verizon Communications, Target discovered on December 27th that encrypted debit card PIN information had also been compromised in the breach. Two weeks later, on January 10, Target announced that an additional 70 million customers had their personal information stolen during the breach, including names, mailing addresses, phone numbers and email addresses (Wall Street Journal, Corporate Intelligence). On January 11, Neiman Marcus confirmed that it too was the victim of a data breach during the same time frame as Target and that it was working with the U.S. Secret Service to investigate the break-in. Neiman Marcus also informed the public that it was unable or unwilling to disclose the number of customer records that were compromised. Today, according to Reuters, at least three other well-known U.S. retailers have suffered smaller breaches in a similar fashion to the Target and Neiman Marcus breaches (Reuters).
Most states (46 out of 50) have laws that require companies to notify customers when personally identifiable information, such as a Social Security number, is compromised (National Conference of State Legislatures). In Massachusetts, Mass. General Law 93H-1 et seq. states that when a breach of security results in the disclosure of a resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements (Social Security number; driver's license or state-issued identification card number; or financial account information, with or without the required security codes), the agency must notify the individual. Currently there is no federal law requiring consumer notification as a result of a data breach.
The reality of today is that data breaches happen, and they will continue to happen. As new security technologies are brought into the marketplace, hackers and cybercriminals will continue to probe the security controls, looking for and exploiting weaknesses in the technology. Organizations will experience temporary losses as consumer confidence wavers following the breach notification, but those profits are likely to return, as the public generally has a short memory and will eventually forget the incident. This respite is short-lived, lasting only until the next round of breaches is discovered and disclosed.
The real issue is the lack of accountability for organizations to take meaningful steps to protect consumers and make them whole. Currently the remedy for consumers caught up in a data breach is credit monitoring services. While this is an important step to take to protect a consumer's credit score, it is woefully inadequate in protecting consumers from other forms of personally identifiable information abuse. Credit monitoring will not monitor public record databases, driver's license records, criminal records, Social Security records, or medical records. Nothing compels organizations to provide meaningful long-term protection for victims of data breaches.
One idea that has been floated is a federal law that penalizes organizations that are victims of a data breach and do not inform consumers. Recognizing that it is impossible to prevent every type of security issue, I find that suggestion naïve and overly simplistic.
What I would suggest is a law that requires organizations to contribute a monetary fee for each data record breached to a superfund, similar to those established to clean up hazardous substances.
For instance, if organizations were required to submit $1 for each data record compromised as a result of a data breach, Target would contribute between $40 million and $70 million to the fund. A portion of the fund could be set aside for future claims of repeat victimization by consumers who were initially victimized in a breach. After all, once your personal information is released, it may be years before the extent of the compromise can be personally quantified. The fund could also be used to provide resources for research and education in the field of computer security, specifically for research and training in the prevention, detection and mitigation of cyber threats. Finally, funding could be provided to offset the cost of investigating and prosecuting the individuals responsible for the breach and for future crimes related to the misuse of the disclosed information.