Pittsburgh Post-Gazette

Hacking raises concerns about data protection

- By Deborah M. Todd

In 2013, Delaware-based credit agency Experian discovered a hacker posing as a private investigation company used one of its subsidiaries to gain access to Social Security numbers, birth dates and financial account information for more than 200 million Americans.

This year, the U.S. Office of Personnel Management discovered a breach that was initially believed to have exposed Social Security numbers and other personal data from 4.2 million government employees but in fact exposed background check details for 21.5 million employees as well as spouses and friends. An additional 1.1 million could have had their fingerprint data compromised. As the nature of data breaches swiftly evolves from stolen PIN numbers to stolen identities, befuddled consumers and appalled industry insiders alike are raising questions about how institutions are protecting the data entrusted to them.

“If Target gets breached again, a credit card can be reissued and you can pick up a credit monitoring service. If you have your home address, billing records, birth date, Social Security numbers stolen, that kind of stuff can’t be easily replaced,” said Eric Wan, CEO of Arizona-based cybersecurity firm Simple Wan.

Given hacking at Experian, the Office of Personnel Management and a February breach of health care company Anthem that affected 80 million, the idea that companies collecting personal information should have heightened levels of data security is gaining steam.

The question is, will it take a federally mandated cybersecurity policy to force change? Or can court-ordered financial penalties result in stronger self-policing among corporations?

In American courtrooms seeing the first wave of lawsuits related to cybersecurity breaches, injured consumers have received awards, but it’s not clear the damages to companies have been enough to encourage change.

A class-action lawsuit filed against the Office of Personnel Management in July alleges that the agency ignored warnings of deficiencies in its network security system and failed to adequately secure its servers and databases.

The plaintiffs in the suit are asking for lifetime credit monitoring, upgrades to the agency’s IT security and an exemption from having personal information collected digitally until security upgrades are complete.

Also in July, Experian was hit with a $5 million class-action lawsuit claiming the company failed to thoroughly investigate subsidiary Court Ventures Inc. before acquiring its assets and accepted payments from the hacker with “no questions asked.”

According to court documents, the Experian suit was filed in large part “to hold the defendant accountable” and “to ensure Experian never engages in this type of conduct again.”

But with the company bringing in $1.05 billion in profits before taxes last year, some doubt a $5 million payout will be a catalyst for systemic change.

“That’s chump change to them. That’s ‘we’ll give you $5 million to go away,’” said Ed Mierzwinski, consumer program director of Washington, D.C.-based U.S. Public Interest Research Group.

Mr. Mierzwinski, who has co-authored numerous reports on privacy and identity theft, noted that larger awards have been granted in settlements from Target and other companies involved in breaches but said none were large enough to put a dent in a company’s operations.

He said part of the reason for the small awards is difficulty proving to the court exactly how much damage has been done when a breach affecting millions could result in only a few thousand identity thefts initially. If a consumer experiences another breach and is hit with identity crime years down the road, he or she may have no idea which breach led to the intrusion.

“Three years from now I wouldn’t know if I was an OPM victim, a Target victim, an Anthem victim or a Neiman Marcus victim,” Mr. Mierzwinski said.

Beyond the 47 states, including Pennsylvania, that have enacted laws requiring swift notification of consumers affected by data breaches, David Thaw, assistant professor of law and information sciences at the University of Pittsburgh School of Law, said the Health Insurance Portability and Accountability Act, state attorneys general, the Federal Trade Commission and other federal statutes allow for some degree of oversight over data breaches.

In terms of legislation, the Cybersecurity Information Sharing Act encourages an increased exchange of information between public and private enterprises hoping to curb cyber attacks but does not require private companies to adopt cybersecurity plans.

President Barack Obama’s Comprehensive National Cybersecurity Initiative, a long-term initiative to promote information sharing and cybersecurity awareness, follows the same path.

Mr. Thaw said comprehensive data breach legislation mandating that companies have clear security plans is the obvious next step. However, deciding what needs to be kept secure will be an uphill and ongoing battle.

“They have to decide what is sensitive information and what needs to be protected, because that’s not a static concept and it changes over time,” said Mr. Thaw. “Fifty years ago if someone knew my Social Security number, it’s no big deal because only a certain type of person knew what to do with it. Today it’s critical.”

Matt Butkovic, technical manager of cybersecurity at the Computer Emergency Response Team in Carnegie Mellon University’s Software Engineering Institute, said any law should require the bare minimum of encryption, secure passwords and continued patching of known security gaps.

He said some private-sector companies have begun adopting tactics such as keeping information offline and limiting the number of employees able to access the data.

Beyond copying security measures Mr. Butkovic said are used by the Defense Department, a law should require companies to collect less personal information and should require those who access sensitive information to undergo background checks, said Mr. Knight.

Noting that lawmakers have been discussing the possibility of intervention for quite a while, Mr. Butkovic said time for action has long since passed.

“If your credit card is compromised, it’s bad, but they can issue you a new credit card. If something like your medical records are compromised, there is no way to pull that back,” he said. “They can’t issue a new you.”

