'Oops, Darn It, We Lost Your PIN'

The new Cyber-Security Bill lets custodians of sensitive, personal, electronic data rely on the honor system when it comes to disclosing breaches in security

By Neil Weicher

After reading about the proposed Cyber-Security Enhancement & Consumer Data Protection Act of 2006, I wondered if it is time to bring back the time-honored tradition of public flogging. In this day and age of PACs and lobbyists we can no longer accept the "just trust us" line of reasoning from the government (assuming we ever could). Essentially, that is what we are still being asked to do.

Prior to the convening of the new Congress, this bill was in the first stage of the legislative process and had been referred to the House Judiciary Subcommittee on Crime, Terrorism & Homeland Security. Unfortunately, it is unlikely to be a major priority of the new Congress. To recap, the legislation requires companies that own or possess electronic data containing sensitive personal information to inform the Secret Service or the FBI within two weeks of discovering a major breach. At that time, law enforcement agencies may decide to delay notification to consumers by as much as 30 days, pending their determination of whether it is considered a major breach.

When To Sound the Alarm

The bill defines a major breach as any incident that involves the personal information of 10,000 or more individuals, databases owned by the federal government, or personal data about federal employees or contractors involved in "national security matters or law enforcement." Refusing to comply with the rules could result in up to five years in prison or fines of $50,000 for each day that the intrusion is not reported—an idea endorsed by the Justice Dept.

Now, here’s what it fails to do: There is no provision for immediate notification to the public or business community at large of such breaches, so businesses and consumers cannot make informed decisions about where to put their spending dollars and customer loyalty. I don’t know about you, but I don’t want a government bureaucrat deciding what does or does not constitute a security breach.

The only "penalty" that will have any real impact on how corporations treat their customers' private data is consumer dollars and public humiliation—a public flogging sans the physical pain. Since the Act makes no provision for consumers to learn how well or poorly their personal information is being treated, the proposed legislation provides no real protection. I have been in the data security industry for nearly 20 years, and I can tell you that if most consumers knew how carelessly their personal data were being treated by many companies, they would be horrified.

Protection On Hold

More than two years ago, for example, I met with a Fortune 1000 company about their increasing concerns around securing their databases that contained sensitive information about hundreds of thousands of customers. After a series of meetings and conference calls talking about steps they could take to put better security measures in place, they suddenly disappeared. That's not atypical in the business world—we assumed that they had their security needs met elsewhere. But here's the thing: A few months ago this same company called us out of the blue. They have yet to make any decisions on our proposal but would like to schedule a meeting for further discussion. The point is not that they didn't choose my company to protect their data. The point is that in all that time they didn't choose anything to protect their data. Unfortunately, there does not seem to be much of a sense of urgency with many companies. And the current proposed legislation is unlikely to change that.

For at least the last 10 years I have been saying that I am not worried about the data streaming over the Internet. However, I am worried about the vast repositories of unprotected data sitting on corporate databases, backups, desktops, laptops, etc. Criminals know that is where the real money is. Yet our collective minds and the majority of our security efforts still seem to be focused on trying to protect the perimeter, worrying about someone scanning network traffic. I don't want to pretend that there is no risk at all in network scanning, but it is a very inefficient way to make illicit money—"sniffing" for one credit card number at a time over the Internet—unless you luckily happen to catch Donald Trump's PIN number!

So do we want just another list of government regulations on how companies are to protect data and what the penalties are if they neglect to do so? I certainly don't. The target will keep moving from year to year, and five years from now industries may find themselves having to adhere to regulations that were obsolete two years earlier.

Demand Disclosure

Here's what we need to do: Demand legislation that actually protects the consumer. It must require that this bill mandate full public disclosure to consumers and businesses of breaches by companies; possibly even requiring them under certain circumstances to notify each customer individually by paper mail. Now there's a financial penalty for a company with a million or more customers! This includes online transactions as well as, and perhaps more importantly, what is known as "data at rest," i.e., data sitting on servers, company laptops, back-up tapes, etc. The majority of data breaches we have heard about in the news over the past year have come from these sources, not from "sniffing" packets on the Internet.

While I am sure its intentions are good, this legislation simply does not address the broader consumer protection issues, such as requiring direct notification of the consumers and companies whose data have been compromised, and allowing them to do business only with companies who they feel are treating their sensitive information with respect. The prospect of losing such "face" before the general public, and the cost of direct notification to each affected customer, might be more of an incentive than a $50,000 fine—a drop in the bucket for most large companies.

Maybe we can also reserve a "real" flogging for particularly egregious violations? Our system of economics dictates that consumers will vote with their feet when faced with spending decisions. And since history has proved that the best and brightest minds for solving problems can be found in private industry (when properly motivated) rather than public bureaucracy, let's let data-handling companies step up to address this situation on their own, all the while looking over their shoulders at the crowd gathering in the village square.

In a follow-up article I will talk about the personal data in the hands of government agencies and "data aggregators." But one step at a time!