Sign Up with the Usual Suspects: Consumer Breach Response is Broken and How to Fix It
The scourge of data breaches and identity theft is more than a decade old. But our tools for dealing with these common incidents are outdated and ineffective. Why?
Another week, another breach (or two). In just the last few days, handbag maker Vera Bradley was the latest retailer to reveal that its systems were compromised by hackers, resulting in the theft of customer credit card information from compromised Point of Sale (or PoS) systems. According to a report by Reuters, the company will postpone an upgrade of its website to focus on improving security, potentially affecting holiday sales.
The Vera Bradley story follows news that information on some 58 million people was lifted from Modern Business Systems (MBS), a company that offers online data storage. Among the information stolen: subscribers’ emails, dates of birth, names and addresses, phone numbers and other information, Tripwire reported.
Disconcerting as they are, these incidents are hardly unusual. Indeed, over the last decade they have become a regular feature of modern business, arriving at a steady cadence. According to a survey by the firm Risk Based Security, there were 3,930 data breach incidents in 2015 involving some 736 million records. That’s more than 10 breaches a day, on average.
So why, despite their regularity, is society’s response to data breaches so underdeveloped? Consider: victims who have had their personal information stolen by criminals in a data breach have little recourse to protect themselves from being re-victimized at some point in the future. Companies that are breached may be compelled to inform customers that their data was stolen and to pay for some form of credit monitoring service for a period of time. But – note – such protections vary from state to state. So the type of notification consumers get and how they are protected will vary depending on where they live and, to an extent, on where the breached company is headquartered, with no federal data breach law to ensure uniform recourse regardless of location.
Further, even when credit or identity theft monitoring is offered, it falls to the breached firm to decide which company offers the service and for how long. Consumers have no choice in what service to sign up for to protect them following the company’s mishandling of their data.
Indeed, data breach response has become almost reflexive: a kind of “round up the usual suspects” approach that makes a show of “doing something,” while in fact doing little. That’s the argument made by Adam Shostack in a recent letter to the Federal Trade Commission (FTC). Shostack, a co-author of The New School of Information Security, notes that our current, anemic approach to the aftermath of a breach fails on a number of counts.
For one, credit monitoring services might prevent financial fraud resulting from the theft of credit card or banking information, but they do little to make victims of medical data theft, email account compromises or other forms of identity theft whole. Consumers rightly see breached firms as responsible for helping respond to the theft of their data. A survey by Experian found that 63% of those surveyed felt it was a company’s obligation to offer identity theft protection services following a breach. As a practical matter, though, registration for credit monitoring services falls to consumers, and adoption is very, very low: in the 3% to 5% range. It could be argued that breached firms – who typically opt to pay only for each customer/victim who signs up for monitoring services – have a vested interest in keeping adoption low, as it lowers the overall cost of the breach.
Unmentioned by Shostack but equally relevant is the fact that the adverse effects of data breaches – as with environmental poisoning – may take months or even years to surface. The impact of a stolen identity or account compromise may bubble up long after the umbrella of protection offered by the breached firm has been folded up. And consumers have little legal recourse to be made whole in the absence of concrete harm resulting from the breach. In fact, breached firms like Wyndham Hotels have challenged the government and contested class action suits filed by aggrieved customers on the grounds that, since consumers are not liable for credit card fraud, they can’t prove any “harm” resulting from the theft of their data. Settlements that have been reached with firms more often address the concerns of banks affected by an incident, or address security moving forward rather than striving to make consumers affected by past incidents whole.
Shostack offers some concrete recommendations. He calls on the FTC to use its consent decree process to ensure that citizens and consumers are well served after a breach. For example: he proposes that breached firms that agree to an FTC consent decree might be required to provide a voucher to people whose information has been leaked, allowing them to sign up for services of their own choice, rather than what the breached firm offers them.
It should be up to consumers, not breached firms, to decide what kinds of identity protection services they are entitled to and for how long. Shostack also calls on the FTC to study the effectiveness of credit monitoring services for citizens affected by a breach, the better to inform policymakers.
Finally, it is imperative that lawmakers in the U.S. follow the lead of their colleagues in the EU and pass comprehensive legislation that creates a uniform, federal standard governing the protection of sensitive consumer data and that articulates the responsibilities of a breached firm toward consumers. Both consumer advocates and the business community have been clamoring for such a law, but none has been forthcoming. With each passing day, the cost of inaction grows.