Data Breaches: Should Companies Collecting Personal Info Have Heightened Security?

As the nature of data breaches swiftly evolves from stolen PIN numbers to stolen identities, befuddled consumers and appalled industry insiders alike are raising questions about how institutions are protecting the data entrusted to them.

(TNS) — In 2013, Delaware-based credit agency Experian discovered that a hacker posing as a private investigation company had used one of its subsidiaries to gain access to Social Security numbers, birth dates and financial account information for more than 200 million Americans. This year, the U.S. Office of Personnel Management discovered that a breach initially believed to have exposed Social Security numbers and other personal data of 4.2 million government employees had in fact exposed background check details for 21.5 million employees as well as their spouses and friends. An additional 1.1 million could have had their fingerprint data compromised.

“If Target gets breached again, a credit card can be reissued and you can pick up a credit monitoring service. If you have your home address, billing records, birth date, Social Security numbers stolen, that kind of stuff can’t be easily replaced,” said Eric Wan, CEO of Arizona-based cybersecurity firm Simple Wan.

Between Experian, the Office of Personnel Management and a February breach of health care company Anthem Inc. that affected 80 million, the idea that companies collecting personal information should have heightened levels of data security is gaining steam.

The question is, will it take a federally mandated cybersecurity policy to force change or can court-ordered financial penalties result in stronger self-policing among corporations?

In American courtrooms seeing the first wave of lawsuits related to cybersecurity breaches, injured consumers have received awards, but it’s not clear the damages to companies have been enough to encourage change.

A class-action lawsuit filed against the Office of Personnel Management in July alleges that the agency ignored warnings of deficiencies in its network security system and failed to adequately secure its servers and databases. The plaintiffs in the suit are asking for lifetime credit monitoring, upgrades to the agency’s IT security and an exemption from having personal information collected digitally until security upgrades are complete.

Also in July, Experian was hit with a $5 million class action lawsuit claiming the company failed to thoroughly investigate subsidiary Court Ventures Inc. before acquiring its assets and accepted payments from the hacker with “no questions asked.”

According to court documents, the Experian suit was filed in large part “to hold the defendant accountable” and “to ensure Experian never engages in this type of conduct again.”

But with the company bringing in $1.05 billion in profits before taxes last year, some doubt a $5 million payout will be a catalyst for systemic change.

“That’s chump change to them. That’s we’ll give you $5 million to go away,” said Ed Mierzwinski, consumer program director of Washington D.C.-based U.S. Public Interest Research Group. Mr. Mierzwinski, who has coauthored numerous reports on privacy and identity theft, noted that larger awards have been granted in settlements from Target and other companies involved in breaches but said none were large enough to put a dent in a company’s operations.

He said part of the reason for the small awards is the difficulty of proving to the court exactly how much damage has been done when a breach affecting millions could result in only a few thousand identity thefts initially. If a consumer experiences another breach and is hit with identity crime years down the road, he or she may have no idea which breach led to the intrusion.

“Three years from now I wouldn’t know if I was an OPM victim, a Target victim, an Anthem victim or a Neiman Marcus victim,” Mr. Mierzwinski said.

Beyond the 47 states, including Pennsylvania, that have enacted laws requiring swift notification of consumers affected by data breaches, David Thaw, assistant professor of law and information sciences at the University of Pittsburgh School of Law, said the Health Insurance Portability and Accountability Act, state attorneys general, the Federal Trade Commission and other federal statutes allow for some degree of oversight over data breaches.

In terms of legislation, the Cybersecurity Information Sharing Act encourages an increased exchange of information between public and private enterprises hoping to curb cyber attacks, but does not require private companies to adopt cybersecurity plans. President Obama’s Comprehensive National Cybersecurity Initiative, a long-term initiative to promote information sharing and cybersecurity awareness, follows the same path.

Mr. Thaw said comprehensive data breach legislation mandating that companies have clear security plans is the obvious next step. However, deciding what needs to be kept secure will be an uphill and ongoing battle.

“They have to decide what is sensitive information and what needs to be protected, because that’s not a static concept and it changes over time,” said Mr. Thaw. “Fifty years ago if someone knew my Social Security number it’s no big deal because only a certain type of person knew what to do with it. Today it’s critical.”

Matt Butkovic, technical manager of cybersecurity at the Computer Emergency Response Team (CERT) in Carnegie Mellon University’s Software Engineering Institute, said any law should require the bare minimum of encryption, secure passwords and continued patching of known security gaps. He said some private sector companies have begun adopting tactics such as keeping information offline and limiting the number of employees able to access the data.

Beyond copying security measures that Mr. Butkovic said are used by the Department of Defense, a law should require companies to collect less personal information and should require those who access sensitive information to undergo background checks, said Mr. Knight.

Noting that lawmakers have been discussing the possibility of intervention for quite a while, Mr. Butkovic said the time for action has long since passed.

“If your credit card is compromised it’s bad but they can issue you a new credit card. If something like your medical records are compromised there is no way to pull that back,” he said. “They can’t issue a new you.”

©2015 the Pittsburgh Post-Gazette, Distributed by Tribune Content Agency, LLC.