Organizations are trying to pay attention to data breaches. But their current effectiveness is near zilch, paralleling many people’s trust in government. Part of the problem is one of dignity, and indignity. Dignity surrounds being whole, and data breaches rob us of that wholeness.
Like many Hoosiers, I have a long list of free, corporate-provided credit reporting obligations I can exercise well into the next decade. Thanks to Anthem, Target and a long list of others, I can check my credit report, tawdry as it is, for a long, long time for free.
I have several new replacement credit cards. Fortunately, there’s no personal monetary liability for the interesting purchases made in Hammond, Indiana, where one of my credit cards was cloned to make purchases at Walmart, some hardware stores, and so forth until the klaxons at my credit card vendor’s security room went off. Perhaps they went off for the 19th time that day. I cannot know.
I noticed when I recently attended the RSA Conference on security at San Francisco’s Moscone Center that it had a different tone from last year’s. Attendees seemed in a much more interested mood. Breaches and data exfiltration are costing their employers millions in lost assets and operating-expense grief.
Many of the attendees were themselves victims of a breach. One person I met said he had had his entire history working for a three-letter U.S. government agency downloaded, including his security clearances, divorce history, and information on his entire family. You could see the veins bulging on his neck as he talked about it, his shoulders tightening. I know that feeling.
When we become a victim of a data breach, we suffer a loss, no matter how much liability-mitigation organizations provide us. Credit-history monitoring isn’t enough, doesn’t solve the problem, and doesn’t count the misery and breathtaking soap opera people go through in their quest to come back to a sense of normalcy.
It’s my proposal to do something more drastic, so as to imbue a sense of urgency in improving computer security: Require that organizations or companies responsible for financial or HIPAA-related breaches pay each victim a $1,000 non-taxable settlement.
In an instant, corporate lobbyists would lean on legislators to fund the protections needed, not to mention effective law enforcement. Insurance companies funding those settlements would breathe down the necks of CEOs, who might actually start heeding the advice of their chief information security officers.
Smaller businesses also would change their behaviors. Gas-station owners might actually go to their fuel pumps and look for the card-reading devices that steal information, or examine their own cabling infrastructure for rogue devices.
Employers might start terminating workers who use passwords like GoColts123, and they might start installing secondary-authorization equipment such as fingerprint scanners.
Face it: We’re under cyber attack. Until there is corporate liability for breaches, those who can do something about it won’t feel compelled to act—and losses will continue to mount.
We have a Federal Aviation Administration to help us. We need a Data Protection Administration for the same reasons.
Henderson is managing director of ExtremeLabs Inc., a local computer analysis firm.