People have been wondering what the next step should be in light of all the hacks since Citigroup’s credit card market took the hit. To combat these hacks bills have been introduced by Congress that will strictly penalize those who withhold information concerning a data breach.
These bills come as IdentityHawk, a leading identity theft protection service, has released a report stating that there were 760 data breaches in the United States in 2010, according to The 2011 Data Breach Investigations Report, and that 97% of them were avoidable through simple or intermediate controls.
Two separate federal bills, one proposed by the Senate and the other by the House, would severely penalize companies for not alerting users if information has been compromised.
Congress Points the Finger
The Senate bill, called the Personal Data Privacy and Security Act of 2011, attempts to replace the 47 individual state laws on notifying consumers about a hack, and will impose severe criminal penalties on a company that intentionally conceals a security breach. Most importantly, and directed at Citigroup (NYSE: C), the bill will prosecute those responsible if the company does not notify customers of a breach immediately.
If 5,000 people were affected, a media notice must be sent out, and if 10,000 or more people were affected, the FBI and the Secret Service must be notified. Such extreme measures must also be taken if hackers compromise databases of 1 million people or if they impact federal property.
Thankfully some are a little more forward thinking, as the bill proposed in the House would require advanced security policies and procedures to protect information and enable disclosures to victims and the Federal Trade Commission within 48 hours.
According to IdentityHawk’s report, companies must beef up their security, because:
- 97% of breaches were found to have been avoidable through simple or intermediate controls
- 89% of the corporate or organizational victims were not compliant with the Payment Card Industry Data Security Standard at the time of the hack
- Risk assessments are not being performed frequently enough
- Only 50% of organizations that had been breached took active steps to upgrade their security afterward
Who’s the Victim?
It would stand to reason for Congress to pass harsh preventative laws in an effort to promote interaction and transparency between companies and their customers. Currently, the former are viewed as “victims” of a data breach, when in truth it’s the latter who are most affected.
These laws will and must discard those notions, and instead rightfully treat companies as protectors of our personal information. Why shouldn’t there be criminal punishment for those who haven’t adequately prepared themselves against a breach, and furthermore how can they withhold that information from those whom it directly and most significantly affects?
In a rapidly changing industry, it’s interesting to note that small tech startups like Mint.com and Billshrink, which have ballooned into formidable companies and handle personal financial information every day, have not yet fallen prey to large-scale breaches, while big corporations like Sony and Citigroup have suffered greatly. The average cost of suffering a data breach (neglecting pending litigation) is up to $2.7 million, with notification costs at $73 per record, not to mention bad press and possible loss of customers.
Perhaps we will see a shift in how people view security and how they will choose to protect themselves. Just because hacking exists doesn’t mean you need to experience it.