Last week I expressed my concern over efforts in Congress to delay, defang and ultimately defund the Consumer Financial Protection Bureau. I called upon consumers to rebel against being treated as little more than pachyderm toe-jam and to send a clear message in 2012 to those in Congress who have been the spear carriers for business.
My consternation over the GOP’s crusade to derail the first truly powerful and focused national consumer protection agency, however, pales in comparison to my concern over the failure of both parties to meaningfully address through federal legislation the issues of data protection and breach notification in the face of a raging pandemic of database compromise.
The numbers are staggering. Since 2005, the credit card data and personal identifying information contained in more than 500 million files have been accessed by countless unauthorized persons. According to the experts, database invaders can be divided into four categories: criminals, hacktivists, the “because I can and it’s fun” crowd and warriors (those who hack on behalf of governments). This doesn’t necessarily mean that the sensitive personal information of every American is in the hands of those who operate either outside or on the fringes of the law. However, at the very least, tens of millions of us have won the victimization lottery—meaning, our information resides on multiple exposed databases.
Whatever the motivations of the intruders, their success is undeniable; their victories have been proclaimed and widely chronicled; and the news is only getting worse. Announced compromises have evolved from the Flavor of the Month, to the highlight reel of the week, to “News at Eleven.”
The operative word here is “announced.” Recently, the Obama administration put forward a bill that would standardize, at the Federal level, the manner in which the public is notified of a data breach. It’s an incredibly important issue, and to truly understand it, we have to get our collective psyche around the concept of disclosure. There are three categories here:
Breaches that get announced;
Breaches that don’t get announced; and,
Breaches that are not, and perhaps never will be, detected; thereby foreclosing the option of an announcement.
Heretofore, Washington’s response to the issues of data security and breach notification has been tepid at best. We don’t have a federal breach notification standard and our data security laws are not the stuff of legend. That means that data breaches can and often do occur, and despite being aware of a breach within a company, its officers may never tell the public. There have been a few attempts to create breach notification standards, but historically, state legislatures have been far more aggressive and proactive than the feds in this area. For example, in 2005, Choicepoint, a very large data broker, was forced to come clean regarding the breach of one of its databases because of a California law. Otherwise, the public might never have learned of the compromise.
California legislators passed SB 1386 in 2002. Effective in 2003, 1386 was the first state notification law and effectively outed the Choicepoint compromise. It not only forced the company to notify affected Golden State residents of the unauthorized database intrusion, but also provided a catalyst for 38 Attorneys General to unite and demand the same disclosures for their residents. It is nothing short of ironic that, but for that multi-state alliance, the citizens of Choicepoint’s home state of Georgia would not have been entitled to the same right of notification granted to Californians. To date, some 47 states have passed their own interpretations of California’s cutting-edge response to the corporate compromise code of silence.
There have been several false starts on the federal level.
Bills seeking to regulate data privacy and security failed to make it past go in the Senate in 2005, 2007 and 2009. The 2009 version was released by the Senate Judiciary Committee, but was hammered by industry opposition and died before ever getting to a vote in the full Senate. A new bill, introduced by Sen. Patrick Leahy (D-VT), co-sponsored by Charles Schumer (D-NY) and Ben Cardin (D-MD), would criminalize the failure to disclose breaches.
Various pieces of legislation have failed in the House as well. Rep. Mary Bono Mack (R-CA) has introduced her own data protection and notification bill which would force companies to go public with the details of a breach within 48 hours of its discovery. (Read more about these bills in American Banker’s Bank Technology News.)
But, as I alluded to above, the Obama Administration’s newly proposed cyber security and breach notification standards have been getting the most attention of late. Sadly, in many ways the proposal is a step backwards, not forwards, when it comes to disclosure. While the data security provisions in the Administration’s bill are more stringent than before, the disclosure provisions are problematic. First of all, for the most part they preempt state laws, which are often more stringent than the proposed federal law.
According to a White House press release, “The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.”
Privacy advocates share my concerns. They have expressed worry that “helping business” here prevents states from enforcing tougher existing laws and might prevent them from enacting more stringent measures in the future if the federal law proves inadequate.
In a recent column that outlines the various problems with Obama’s proposal, Identity Theft 911 Chief Privacy Officer Eduard Goodman writes, “The statute weakens different state laws in an effort to provide a uniform solution to data breach notification policy. Chalk this up to another win for big business and another hit to the consumer.”
In his most recent story on the subject, Credit.com reporter Chris Maag further points out that, “some security experts have criticized this part of the proposed legislation, saying it is significantly weaker than breach notification laws in many states because of its limited definition of personally identifiable information, and the fact that it doesn’t apply to paper documents.” Maag called the White House looking for an explanation, but sadly they dodged him.
Plain and simple, though their hearts may well be in the right place, it seems that neither the Administration nor Washington’s political elite fully grasps the magnitude of the issue, and even if they did, they are unwittingly enabling the bad guys by weakening the rules of disclosure. I can understand why the administration wants to consolidate these rules, but a federal law mandating notification should either be more aggressive than the state statutes or represent the floor, not the ceiling, when it comes to toughness. Furthermore, despite the weaknesses with regard to notification, I support many of the provisions in the administration’s bill with regard to security standards. I’ll take a closer look at those in a future column, but in the meantime, I’m worried that all the hemming and hawing in D.C. serves only to extend the window of opportunity for those targeting our personal information.
There must be a paradigm shift in the way we fight our war on economic terrorists. There are no rules of engagement. And, to paraphrase Gordon Gekko, hackers never sleep.
As the ingenuity, sophistication and bravado of those who invade data depositories grows geometrically, we can no longer allow business, government, or consumers to be uninvolved, uninterested, uninformed or outgunned.
While the business lobbies engage in debates with other special interest groups, regulators and legislators as to harm evaluation, the evolving definition of personal identifying information and how much investment in security is too little or too much, the risk of a real cyber apocalypse increases daily. Imagine hundreds of millions of fraudulent transactions, representing trillions of dollars, launched in the equivalent of an economic denial of service attack, leaving tens of millions of consumers and millions of businesses in financial ruin while countless law enforcement agencies desperately search for answers that will never come. And you thought the current economy was ugly? We’re talking about society facing an extinction-level Depression.
Think I’m being a tad hyperbolic? Think the data apocalypse isn’t possible? Well, riddle me this: If more than 500 million files (that we know about) have been breached and about 17 percent of the individuals in those databases have suffered personal compromises, what happened to the other 83 percent?
There is no Identity Fairy. There is no magic trunk into which all uncompromised identities are swept.
Identities are evergreen. They are currency. They get better with age. And somebody or bodies have been banking them for years.
The time for our federal government to enact a comprehensive, tough and uniform data security and breach notification law is now, not next year and not in the next Congress. Unless and until that happens, there is a void that is being filled by the loosely woven legislative patchwork of forty-seven states, those who hack to expose our flaws, and the ultimate regulators of the American economic system—litigators specializing in class action lawsuits.
Originally posted at Credit.com.