Burning Mystery Phoenix
Posts : 243
Join date : 2013-06-17
Age : 37
Subject: Weak Data-Breach Laws Leave Us All In A Compromised Position (Wed Jan 29, 2014 3:12 am)
If today’s tech headlines follow the pattern of the rest of this month’s news, we’ll be able to celebrate the sixth anniversary of Data Privacy Day with a report that yet another company has seen its customers’ information exposed through some massive, preventable data breach.

Fortunately, strong federal laws ensure that we know about these incidents in time to protect ourselves—and ensure that retailers, banks and other organizations can share secrets about threats and vulnerabilities.

Oh, wait, that last sentence is from the 2024 version of this post. This, however, is the 2014 edition, and so it must report that no such nationwide legal umbrella covers you and your various digits. You often have to hope that companies’ own self-interests lead them to do the right thing.

Most of the time, nothing too bad happens if they don’t. Your credit-card firm refunds phony charges and sends you a replacement, the free credit monitoring offered to make up for the breach doesn’t reveal subsequent mischief, and life goes on.

But for an unlucky few, identity theft becomes an expensive and prolonged problem. Third parties can suffer too: A community theater in Redlands, Calif., saw its site used to test stolen credit-card numbers from across the country and then ate almost $30,000 in service fees levied by its payment-processing service after it refunded the bogus transactions.

And we all wind up paying a little extra when poor security in credit-card terminals, subscriber databases and Web servers—none of which you have any power to fix on your own—increases the cost of doing business everywhere.

Washington’s rules on the subject largely consist of privacy laws governing the health-care and finance industries. That leaves out a mall’s worth of companies—Target, Neiman Marcus and Michael’s, to name the last few big cases of retailers that had their networks hacked.

Firms that do an especially bad job safeguarding people’s data risk an investigation and fine by the Federal Trade Commission. But one of the highest-profile FTC targets, Wyndham Hotels, is questioning the commission’s authority in court—and considering the last legal challenge of a regulator acting on less-than-clear authority, it could win.

In effect, Washington has outsourced this work to the states. “Most kind of run-of-the-mill data-breach reporting obligations are driven by state regulations,” said Jim McCullagh, a partner with Perkins Coie in Seattle and co-chair of its privacy and security practice group.

But the problem with state laws is that there are so many of them. Forty-six states have passed laws with varying definitions of “personal information” and requirements for disclosure (the holdouts being Alabama, Kentucky, New Mexico and credit-card hub South Dakota), and companies doing business in more than one must figure out how to comply with all of them.

That’s not an easy exercise. The usual course, McCullagh explained, is that “the state that has the most stringent standard is the one that controls”—which leads to distant firms having to familiarize themselves with California or Massachusetts laws.

In theory, it shouldn’t take the threat of legal action to get companies to prevent breaches and notify customers promptly if they happen. They represent an expensive habit, at an estimated average cost of $204 per customer back in 2009, and customers can flee if they think a company’s careless with their data.

But not all companies are so easy to fire—try canning your cable company if no alternative runs to your house.

Meanwhile, useful security upgrades like switching to “EMV” smart-chip security on credit cards get pushed back, and corporations responsible for breaches can still take their time to disclose. Sometimes that’s for good reasons, such as not hindering a law-enforcement investigation. Sometimes you have a case like WellPoint.

How to keep customer safety at bay

In 2011, that Indianapolis-based insurance company waited five months to notify customers that poor security at its site exposed their information—then let Indiana’s state attorney general find out about this breach from a newspaper report. This sloppiness earned the company a fine from the state… of $100,000.

The Target debacle has renewed Congressional interest in the topic, in the form of bills such as the Personal Data Privacy and Security Act of 2014, introduced by Sen. Pat Leahy (D-VT) and the Data Security Act of 2014, put forth by Sens. Roy Blunt (R-MO) and Thomas Carper (D-DE).

It shouldn’t be that hard to adopt the best practices of the states and set a national standard—it could be a rare opportunity for Washington to lighten the regulatory burden for many companies without cutting customers loose first.

But don’t count on Congress switching into high gear and quickly resolving its differences. Wrote National Consumers League public-policy vice president John Breyault, an advocate for a nationwide disclosure law: “I hesitate to say that we’re any closer to resolving those disagreements today than we were before the Target breach.”

(Disclosure: I moderated a panel discussion at an NCL conference on identity theft in December.)

Last year showed how thoroughly Congress could screw this up. After months of effort to craft a cyber-security bill that would encourage companies to share confidential security details with each other and with the government, the House passed a bill called the Cyber Intelligence Sharing and Protection Act.

CISPA had a number of issues, but the biggest one was the in-retrospect laughable provision that gave companies blanket immunity to share information about threats and vulnerabilities with the National Security Agency—as in, the agency that was actively subverting security standards at the time. (Such prominent members as Sen. Dianne Feinstein [D-CA] still see the NSA’s overreach as not a bug but a feature, but that’s an issue for another column.)

CISPA stalled out in the Senate, but the problem of companies not comparing notes about vulnerabilities remains. As my former Washington Post colleague Brian Krebs, the foremost reporter on this subject, observed in an e-mail two weeks ago about Target’s troubles, “It’s a month out from the breach, and we still don’t have official details on what happened. That’s inexcusable in my mind, and very short-sighted.”

But it does fit in with the political history of this issue.

http://m.yahoo.com/w/ygo-frontpage/lp/story/3452474/coke.bp?.tsrc=tmobustoday&.intl=us&.lang=en-us
In war, Victory. In peace, Vigilance. In death, Sacrifice.