JPMorgan Chase early last month disclosed that cyber thieves pilfered account data on 76 million households and seven million small businesses over the summer, one of the biggest breaches ever and only the latest of the many that have made headlines in recent years. Such thefts are beginning to seem as inevitable as death and taxes.
Even worse, while some breaches are widely reported in newspapers, many more occur at small firms and receive hardly any attention at all. Since 2005, there have been more than 4,400 data breaches that have exposed close to a billion records in all, according to Privacy Rights Clearinghouse, a California non-profit that advocates for consumer privacy.
The repeated breaches lead us to ask the obvious questions: why are we seeing so many? Why are firms not protecting our data more aggressively? And what can we do about it?
As more and more data migrates into the digital realm and firms increasingly link with one another and with their consumers on faster and ubiquitous broadband networks, it is inevitable that at least some of this information will leak, whether through carelessness or malintent. But we should be able to expect that firms are investing sufficiently in their network security to keep our data as safe as possible.
Some of this is definitely happening, and firms are increasingly paying more attention. A week after JPMorgan’s disclosure, for example, the bank said it would likely double its US$250 million cybersecurity budget.
It’s important to note that data breaches do not directly hurt the firm; they most directly harm the consumer, whose personal information could then be used for fraud and identity theft. This is what economists call an “externality,” making it less likely that the company will voluntarily fix the problem since it doesn’t bare the cost. Another example of an externality is pollution, which affects not the owner of the facility but citizens living downstream from the carbon-spewing plant.
Shining light on lapses
To deal with externalities, governments generally impose taxes and fines to recoup the resulting costs to society or penalize the behavior. In the case of data breaches, policymakers have generally used transparency as a way to ensure companies suffer some of the costs of information theft.
One of the most popular tools used are data breach notification laws, fashioned after one California passed in 2003. Currently 47 states have passed similar laws that require firms to send notices of any breaches to consumers alerting them to take certain preventive steps. The notifications are also intended to put the firm in an embarrassing position by being forced to disclose its poor security practices and thereby creating incentives to invest to better protect its data.
The Security and Exchange Commission is considering a similar effort to provide guidelines on how and when companies should disclose these risks and actual cyber attacks in their regulatory filings. These types of rules, coupled with the intense media attention following a data breach or security lapse at a firm, are meant to shine light on poor practices in hopes that the market and competition goads companies into taking adequate security precautions.
Holding companies liable
But, looking at the frequency of data breaches, these efforts do not seem to be adequate in stopping or even slowing down the pace of data breaches. So what else can we do? One possibility would be to amend tort laws so that firms that suffer a breach are held directly liable for any harm to consumers and forced to compensate them for any losses. California recently proposed an amendment to its data breach notification law that would also make retailers liable for customer financial losses. It is not clear if the bill will pass though.
A more far reaching approach would be to pass a uniform, national notification law, an idea that is being widely discussed. Currently we have a hodgepodge collection of regulations from one state to the next that seem to be satisfying no one. A federal law focused on strong transparency and penalty for negligence might provide the right kind of incentives for firms to protect customer data without the government dictating the terms.
The weakest links
But even if security at the large banks and retailers became impenetrable, thieves could still find way to steal data via third-party vendors, which do not face the same level of public scrutiny and do not have budgets to hire cyber security people of their own. Thus they are not as secure as the banks and major retailers.
The data breach that hit Target, for example, happened because of a third-party vendor. It is likely that many of these companies will have to get some sort of certification or provide contractual warranties to prove their systems cannot be easily exploited.
Criminals looking to make a quick buck from our data, of course, are not the only ones behind all the breaches. Many fingers have pointed to nation states and it is not clear whether private firms could ever invest enough in cybersecurity to thwart such attacks. It would be prohibitively costly to do so.
Companies likely need the help of their own governments, but private firms naturally find it difficult to share sensitive information, with an agency or in an SEC filing. They have more incentives to cover up data breaches.
There have been attempts to establish public policy that encourages companies to share information on intrusions and data thefts. Some of the newer proposals in the Senate and House outline ways to make it attractive for private firms to share sensitive security breach data with government agencies, even providing liability protection. The question is whether such a bill can pass or how effective it would be in spurring useful data sharing.
It will be a costly if we hope to reduce the frequency of cyber attacks and prevent the loss of our names, addresses, telephone numbers, credit card details and other private data. And those costs will likely be passed onto consumers through higher prices. At the end of the day, if we want more security (just like a safer car), then consumers have to demand it and be willing to pay for it. The hope is that in the long run, security becomes a default rather than an option.
This article is part of an ongoing series on cybersecurity. More articles will be published in the coming weeks.