Last week I expressed my concern over efforts in Congress to delay, defang and ultimately defund the Consumer Financial Protection Bureau. I called upon consumers to rebel against being treated as little more than pachyderm toe-jam and to send a clear message in 2012 to those in Congress who have been the spear carriers for business.
My consternation over the GOP’s crusade to derail the first truly powerful and focused national consumer protection agency, however, pales in comparison to my concern over the failure of both parties to meaningfully address through federal legislation the issues of data protection and breach notification in the face of a raging pandemic of database compromise.
The numbers are staggering. Since 2005, the credit card data and personal identifying information contained in more than 500 million files have been accessed by countless unauthorized persons. According to the experts, database invaders can be divided into four categories: criminals, hacktivists, the “because I can and it’s fun” crowd and warriors (those who hack on behalf of governments). This doesn’t necessarily mean that the sensitive personal information of every American is in the hands of those who operate either outside or on the fringes of the law. However, at the very least, tens of millions of us have won the victimization lottery—meaning, our information resides on multiple exposed databases.
Whatever the motivations of the intruders, their success is undeniable; their victories have been proclaimed and widely chronicled; and the news is only getting worse. Announced compromises have evolved from the Flavor of the Month, to the highlight reel of the week, to “News at Eleven.”
The operative word here is “announced.” Recently, the Obama administration put forward a bill that would standardize, at the Federal level, the manner in which the public is notified of a data breach. It’s an incredibly important issue, and to truly understand it, we have to get our collective psyche around the concept of disclosure. There are three categories here:
Breaches that get announced;
Breaches that don’t get announced; and,
Breaches that are not, and perhaps never will be, detected; thereby foreclosing the option of an announcement.
Heretofore, Washington’s response to the issues of data security and breach notification has been tepid at best. We don’t have a federal breach notification standard and our data security laws are not the stuff of legend. That means that data breaches can and often do occur, and despite being aware of a breach within a company, its officers may never tell the public. There have been a few attempts to create breach notification standards, but historically, state legislatures have been far more aggressive and proactive than the feds in this area. For example, in 2005, Choicepoint, a very large data broker, was forced to come clean regarding the breach of one of its databases because of a California law. Otherwise, the public might never have learned of the compromise.
California legislators passed SB 1386 in 2002. Effective in 2003, SB 1386 was the first state notification law and effectively outed the Choicepoint compromise. It not only forced the company to notify affected Golden State residents of the unauthorized database intrusion, but also provided a catalyst for 38 Attorneys General to unite and demand the same disclosures for their residents. It is nothing short of ironic that, but for that multi-state alliance, the citizens of Choicepoint’s home state of Georgia weren’t entitled to the same right of notification granted to Californians. To date, some 47 states have passed their own interpretations of California’s cutting-edge response to the corporate compromise code of silence.
There have been several false starts on the federal level.
Image: Phillipe Put, via Flickr.com