With the wealth of information online, we all worry about potential security breaches. But potentially, these breaches could be kept a secret in the USA.
It’s rare a month goes by without rumblings of data breaches. Just look at the Ashley Madison leak, which saw account details of cheating spouses dumped online. It’s a big deal, and has serious consequences. Users of AdultFriend Finder had similar headaches in May. Even eBay was compromised last year.
Keeping any sort of leak a secret sounds mad. But is it?
It would be in the interests of the companies involved, of course, but there could also be a positive knock-on effect for customers too. No, really. It’s not all roses, but it might not be quite as terrible as it sounds either.
When Companies Stay Silent
Proposed legislation could allow companies to, in some circumstances, remain tight-lipped when hackers access their systems – but only if they believe there is “no reasonable chance” such a breach could seriously affect customers. Typically, any company victim to hackers would need to send details to the Federal Trade Commission (FTC). It would make current state disclosure laws, most of which push companies to announce leaks, moot.
Basically, if nothing sensitive or potentially damaging is stolen, businesses don’t need to notify you when they’re hacked.
Hacked businesses would need to evaluate if the data extracted is anything customers should worry about, ie. could lead to identity theft or banking information. Normal procedures would then have to follow. Notifications would have to be sent if:
“a security breach involves: (1) the personal information of more than 10,000 individuals, (2) a database containing the personal information of more than 1 million individuals, (3) federal government databases, or (4) the personal information of federal employees or contractors known to be involved in national security or law enforcement.”
Gerald Ferguson, a privacy attorney at Baker & Hostetler LLP who advises companies when leaks occur, told the Wall Street Journal:
“[The bill] would lead to less notifications… It would permit companies to do a second analysis of whether there is a reasonable risk of financial harm. When you are starting to do a risk of harm analysis there’s is a lot of discretion.”
The Data Security and Breach Notification Act of 2015 was read twice and referred to the Committee on Commerce, Science, and Transportation in January.
Why This is Great for Businesses
This is all about what, ironically, Ashley Madison offered: discretion.
Reputation is key. That’s why, for instance, Carphone Warehouse remained coy on their recent breach, which may have affected 2.4 million people in the UK, for as long as possible. Nobody wants to use a company they think is vulnerable to attack. Oracle shot itself in the foot by begging customers not to reverse engineer their code to find security problems. It’s the same as admitting you’ve got lots of issues concerning security, or throwing up a huge sign reading, “You can’t trust us with your personal information!”
Good shout, Oracle.
Reputation means a lot. It means money. A 2014 study revealed that businesses spent an average of $145 for each record leaked in a data breach, but when popular retailer, Target announced that 40 million customers’ credit cards had been compromised in 2013, victims could claim up to $10,000 in damages (though it was considerably less on the whole). That was $10 million in total.
It doesn’t seem to have massively damaged stock in the Target Corporation, though prices did dip following the breach. It might’ve actually helped that they disclosed information before they were legally required to.
Nonetheless, it was risky. Douglas Meal, attorney at the Securities and Exchange Commission last March, said:
“[I]f you never disclose the breach at all then you don’t have the class action suits… It’s the disclosure of the breach that creates the firestorm of litigation… Companies think they are doing the right thing by disclosing but instead end up being viewed as the problem.”
Why It Could Be Good for Customers…
The spin? Too many notifications mean panicking customers with unnecessary worry. This is undoubtedly a good move for businesses subject to hackers, but it might be a good move for you too.
A big problem right now with disclosure in the USA is state division laws. Complying with different regulations across states slows down the process of actually letting people know what’s happened. Instead of jumping through separate hoops, companies would only need to comply with the FTC ruling.
Criteria are often concerning; just how does an attorney determine what data could affect customers? Fortunately, these are clearly laid out in The Data Security and Breach Notification Act of 2015 draft. Admittedly, they underline the importance of protecting data concerning national security, but the first and second clauses cover any major leaks.
Notifications should be swift as well: if your personal financial information has been compromised, you should (in theory, at least) be told as soon as possible. That’ll mean more time to do something about it! The faster you act, the less it should impact you. Let’s use a UK business as an example of what not to do: Carphone Warehouse took three days to announce they’d been victim of a “sophisticated cyber-attack.” Up to 90,000 credit cards could be affected, though this data is encrypted, so the risk is reduced.
For anyone affected by this, Carphone Warehouse advised customers what to do, including making sure your bank monitors activity, and checking your credit rating. In addition to these measures, you should also change passwords on those specific accounts, as well as any you use the same password on (and learn how to create a secure one), and be wary of phone calls warning of fraudulent activity (especially as criminals can often keep the line open, so you call them back instead of your bank).
Go through a checklist of what to do if you’re a victim of credit card fraud, and keep in mind what banks will never ask you online or over the phone.
Notifications can cost money, too. Letting every customer know about every breach eats up resources. Yes, bypassing this would be better for companies, but it also means they can focus on closing potential holes in their security and investigating breaches. Companies have to be seen to be doing something about their security vulnerabilities, trying to reduce damage to their reputations. Carphone Warehouse apologized and blocked access to the sites, but so far they’re not offering money to any victims of fraudulent activity.
For Better or Worse?
It’s not law yet. I’m not saying it’s an ideal situation. Equally, it doesn’t have to be as bad as it sounds.
Customers do panic – and that’s an understandable reaction. Can you blame companies for wanting to reduce that worry… and damage to its reputation and finance!
On the other hand, if a business keeps these things secret, how can you ever trust them? Do you feel safe giving them your personal information? And do they warrant your confidence?