Guarding the new oil

Consumer data is now the most precious commodity.

The Washington Post Sunday - SUNDAY OPINION

A MASSIVE data breach at Marriott International is a reminder that the debate over protecting personal information is much bigger than the tech industry. Until Congress acts, businesses across the country will remain unprepared for persistent attacks, and Americans will remain at risk.

Marriott announced Friday that its Starwood reservations database had been infiltrated starting in 2014 by unidentified actors, exposing the data, from names and addresses to passport and credit card numbers, of up to a staggering 500 million guests. That makes this the second-largest breach in history — that we know of. Marriott is only one casualty in an epidemic enabled by corporate unpreparedness for the cyberthreats of the 21st century.

It is no surprise that conversation about safeguards focuses on Internet sites that have incentives to collect and sell as much personal data as possible. But customer information is key to day-to-day operations in countless industries, and firms spend little time thinking about how to keep it safe. An international survey of thousands of businesses this year found that 7 out of 10 admitted they are unprepared to cope with an attack.

Congress can change that. The first step is a federal privacy framework that focuses on the minimization of consumer information a company stores to what is essential to everyday operations. Fights are sure to arise over what “essential” really means; Marriott, for example, has legitimate reason to store data on clients in its loyalty programs even after stays have been completed. But customers should consent to the collection of their data for defined purposes, and companies should scrub data from their records when it no longer serves that purpose.

As important is what companies do to protect the data they are allowed to store. Congress could lay out those strictures, or it could give the Federal Trade Commission rulemaking authority. These rules could be prescriptive, telling companies exactly what measures to take to protect each category of data, or they could hinge on performance — identifying preventable vulnerabilities and holding companies to account when they fail to guard against them. In any case, the FTC needs the authority to levy meaningful fines for initial violations. Right now, it may well cost a company less to respond to a breach than it would to put in place the measures necessary to prevent one. Those incentives need an overhaul.

Today’s wisdom is that data is the new oil — a valuable resource. But this asset belongs as much to consumers as the companies who use it for profit. Government has an imperative to regulate not only the modern magnates in Menlo Park, Seattle and Mountain View, but also everyone else who leaves unguarded barrels behind unlocked doors.
