A Better Way to Combat Online Crime

We need more disclosure.
When breaches happen, customers need to know.

By now, almost every American has been a victim of online crime at some point. Just last week, JPMorgan Chase & Co. revealed that the accounts of 76 million households and 7 million small businesses had been compromised by hackers.

More than 930 million records containing personally identifiable information have been exposed since 2005. In the past year alone, high-profile breaches have been reported at Home Depot, P.F. Chang's, Neiman Marcus and, of course, Target, which revealed in December that an attack had affected tens of millions of its customers.

Yet even as consumers have been hit again and again, there's been an inexcusable lack of federal action on data security. There are two clear problems Congress should address. A solution to both -- one that could benefit businesses, consumers and the government -- may lie in legislation that has been around since 1988.

First, the repeated incidents highlight a simple question: When it comes to data breach notifications, how long is too long to wait? In Target's case, company officials didn't acknowledge the breach until a full week after they learned of it, and then only after a journalist forced their hand. Such delays are all too common, and there's no question that disclosure must be faster.

Second, the underlying problem is a lack of federal oversight when it comes to consumer-related cybersecurity. Credit card and debit card breaches are less damaging than those that involve personally identifiable information. Your name, Social Security number, passwords, date of birth, medical records, home address, bank account numbers -- even your transaction histories -- can all be found on the data black market if your information has been exposed in a breach. Any law that addresses consumer cybersecurity would have to be applicable in circumstances ranging from simple credit card breaches to a security failure at the Internal Revenue Service.

Congress has tried to address these issues, introducing bills that range from easy on the businesses that store such information to considerably tougher. And almost every state in the U.S. has breach notification laws on the books. It's still not enough. Data breaches have become the third certainty in life, and consumers can't possibly remember which companies got hit, when and how badly.

This is where government, business and consumer interests truly intersect, pointing to the need for a law that protects all injured parties.

The general shape of that law can be derived from a piece of legislation passed in 1988 that became known as the Schumer Box. It placed the small print of credit card agreements under a magnifying glass, highlighting the terms with the largest impact on consumers -- information such as long-term rates, the annual percentage rate for purchases and the cost of financing -- and making them easier to understand. The Schumer Box was to credit cards what the nutritional label was to food. It should serve as a model for data breach legislation that can create a powerful tool as we make our way through the pioneer days of big data.

The Data Breach Disclosure Box would provide a spur to companies and government agencies that have been lackadaisical about data security in an environment that requires white-knuckled vigilance. It would also encourage organizations to improve their breach preparedness plans so they can notify consumers sooner and provide a more transparent and empathetic response.

It would apply to all businesses and government organizations that have experienced a breach, and it could be displayed in stores, on products or online. It would look something like a nutritional label:


The type of information provided in the Data Breach Disclosure Box should be a matter for public debate. But there are a few common-sense elements to consider:

  1. Has this organization been breached within the past five years?
  2. If yes, how many times?
  3. What kind of information was exposed?
  4. Does this organization encrypt all consumer and employee data using the most up-to-date methods?
  5. Does the organization have a breach notification policy?
  6. If there was a breach, what did the organization do to help affected consumers?
  7. What types of information are consumers and citizens obligated, or not obligated, to provide?

Some will argue the Data Breach Disclosure Box will hurt businesses. But it doesn't have to be a scarlet letter. If a company can demonstrate that it is doing everything it can to help consumers, strengthen its defenses and maintain data according to cutting-edge standards, it becomes a very attractive one to do business with these days.

What Washington needs to grasp is that this issue is not a matter of red states versus blue states. When it comes to the security of our data, we are all in the same state of emergency.

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.