Security failures are often viewed as a way of life by the public, but they don’t have to be. If companies won’t lock up their own henhouses from the fox, it’s time to take a proactive role in creating reasons for building better security systems.
In this case, tougher regulations may be the most effective route.
As the system currently stands, a company forced to admit that a data breach has occurred faces considerable cleanup, but one thing it doesn’t face in most cases is monetary consequences. Dean pointed out that the costs of breaches are actually relatively low for most companies: “The actual expenses from the recent and high-profile breaches at Sony, Target, and Home Depot amount to less than 1 percent of each company’s annual revenues. After reimbursement from insurance and minus tax deductions, the losses are even less.” In a cost-benefit analysis, sloppy security may be worth more than the cost of installing a more extensive system to protect clients and internal systems.
That would change if companies faced fines paid on the basis of the number of customers affected or other metrics. A framework for fining companies that experience security breaches is in place, but it’s rarely used. In the case of medical information alone, healthcare organizations reported 1,140 data breaches since 2009, and just 22 were fined. Such monies could go directly into various government agencies and general funds, as seen with the $13 billion JPMorgan Chase settlement. Consequently, companies that expose customers to data breaches might find themselves paying for new streets, better prostheses for veterans, and infrastructure improvements for schools, while experiencing severe cuts to their bottom line.
2) Liability for costs incurred by credit card issuers
Credit and debit card issuers end up eating the consequences of financial breaches: issuing new cards, notifying customers, and dealing with any fraudulent charges on those cards. They can and do sue companies that don’t adequately secure their point-of-sale systems, and sometimes succeed in obtaining at least partial judgments to compensate them for their expenses. Requiring companies to automatically compensate issuers for breaches would create a strong incentive to prevent them in the first place.
Writing at the Wall Street Journal last year, Ryan Tracy described the fight between banks and retailers over the subject: “Banks and credit unions have been pushing for years for legislation that would explicitly require the company responsible for a breach to cover its costs, but they have run into resistance from the retail industry, which argues that card issuers should improve their technology so cards can’t be compromised.”
Critics of this complaint, however, argue the bottleneck for new credit card technology actually lies with retailers who are still relying on outdated point-of-sale technologies.
3) No government or insurance compensation
Firms losing money as a result of breaches shouldn’t receive compensation—including tax deductions—unless they can adequately demonstrate that their security systems were up to date and met the standards of cybersecurity experts. Denial of compensation extends not just to direct losses, but also to expenses incurred on tasks like cleaning up after hackers, hiring consultants to update cybersecurity, and more.
For insurance firms, assumption of liability in cases where clients have clearly not taken common-sense precautions is not reasonable. Just as insurance companies refuse to pay out on fire insurance claims when fires were caused by faulty wiring, poor maintenance, or deliberately careless practices, they should reject claims from companies that failed to secure their data adequately.
It’s not the government’s responsibility to protect the income of private companies, and such breaches shouldn’t be treated as a national security issue unless they genuinely are. Hacks on Wall Street trading systems are a significant security problem, because they could be used to manipulate the market and damage the American economy. Leaking embarrassing emails, however, isn’t. It’s just awkward for the parties involved.
4) Transparency on information collection
Firms from Facebook and Google to JCPenney collect and use information about their customers for targeted advertising, sale to third parties, and data analysis. Many customers are not aware of the breadth of information collected, how it can be used, when it can be transferred to other parties, and how long it may be held on file. Requiring companies to disclose such details and to provide information about the level of security used for storage databases and related infrastructure makes it easier for members of the public to make informed decisions about where they invest their resources.
Without being able to adequately demonstrate sufficient security measures, firms might find themselves losing customers after people find out how much of their private information is being retained and used. That could be a game changer for information security.
5) Mandatory public accountability reports after breaches
Companies shamefacedly admitting that they’ve experienced breaches are often cagey about the circumstances. This status quo needs to change, with outside auditors evaluating the company’s cybersecurity and records to develop a complete report on how and when a breach occurred, how the company dealt with it, and what steps the company is taking to prevent similar incidents. Such reports should also include discussions of where the company’s cybersecurity controls failed and recommendations for the future.
Once generated, these reports need to be publicly available, allowing people to trace the creation and history of breaches for themselves. While some may need to be partially redacted for security reasons—for example, a company doesn’t want to openly discuss the new security measures it’s implementing—they should provide enough information to hold companies accountable for slapdash practices.
6) Transparent cybersecurity auditing processes
Companies handling sensitive information, including retailers, hospitals, and others, need to submit to spot-check, unscheduled audits of their security procedures, performed by third parties such as regulatory agencies like the Federal Trade Commission (FTC). Those unwilling to participate in such audits would need to prominently advertise the fact that their cybersecurity is not periodically evaluated, just as banks without FDIC insurance on some of their financial products are required to post prominent notices regarding the lack of security.
Auditing could require a review of existing systems and a comparison with the most current security recommendations from experts, along with detailed documentation describing specific issues a company needs to address. Where cybersecurity regulations exist, firms would need to be able to demonstrate compliance at or beyond the level of existing requirements. Auditing failures would be publicly disclosed, just like restaurant grades in New York.
7) Immediate disclosure of data breaches
Companies may conceal data breaches for weeks or months; sometimes they’re discovered and outed not by retailers themselves, but by banks. Requiring firms to immediately disclose breaches and provide updates on their investigations creates a strong incentive to prevent such events in the first place, as the disclosures shake consumer confidence and drive clients to take their business elsewhere. Should firms fail to do so, they could face additional fines.
With immediate disclosure also comes a reason to update systems to better monitor signs of compromises, in order to ensure that companies can act quickly when breaches occur to stop them and notify the public. If a company isn’t required to talk about breaches, it has no incentive to address lax security and data monitoring practices.
A version of this story originally published on the Daily Dot on March 6, 2015.
Photo via Mr. Cacahuate/Flickr (CC BY 2.0)