Massive Yahoo break-in shows need for uniform national data breach law

One billion customer accounts.

The massive data breach recently revealed by Yahoo is the largest to ever happen to any business in any industry. It’s more than 10 times the size of the largest retail data breach ever reported. In fact, it’s nearly three times as big as all the major retail breaches of the past decade combined.

And while many data breaches have exposed credit card numbers, the Yahoo breach might well be worse because it allowed criminals to obtain passwords and login information for Yahoo users’ email accounts. That means any sensitive data or documents contained in Yahoo emails could be compromised – not just credit card numbers but bank account numbers, Social Security numbers, driver’s license numbers, passport information, birth certificates, deeds, mortgages and contracts to name just a few. In other words, the kind of data it takes to commit true, full-scale identity theft, which is far more harmful to consumers than just credit card fraud.

Given the numbers and type of information potentially at stake, this incident is further proof that any federal law on data breach disclosure needs to apply to all entities regardless of their sector of the economy.

And yet if the pending deal for Verizon to buy Yahoo goes through, this breach could be exempt under legislation offered in Congress. That’s because telecommunications companies including Verizon have tried to carve themselves out of data breach notification requirements, claiming that they are just carriers of other businesses’ data even though their networks provide a prime target for data thieves.

Ironically, Verizon’s own annual Data Breach Incident Report shows that information services companies accounted for 9 percent of last year’s data breaches. That compares with 8 percent for retail and a whopping 35 percent for financial institutions, the leading target of data breaches.

Our nation badly needs a federal data breach notification law requiring everyone to disclose their own breaches. The current hodgepodge of separate laws in 47 states plus the District of Columbia leaves consumers with uneven protection and companies facing conflicting requirements. But a national law needs to be uniform and comprehensive, covering not just retail but telecom companies, banks, credit card companies, card processors and all other entities that handle sensitive consumer data.

Telecom isn’t the only industry that has tried to escape its responsibility for data security in proposed federal legislation. Banks, which account for the largest share of breaches, have sought legislation that would subject Main Street businesses to complex bank-style security rules while subjecting themselves only to discretionary “guidance.”

Enacting a federal law on how to notify consumers about data breaches is paramount. But it is also important to keep data from being breached in the first place, and to keep it from being improperly used when it is.

That’s why retailers, consumer groups, the White House and others have moved to tokenization, which protects card data stored in retailers’ computer systems against hacking, and point-to-point encryption, which protects data being transmitted from one place to another. An NRF study earlier this year found that 62 percent of retailers expect to have tokenization in place by the end of 2017 and 93 percent say the same for encryption.
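To make concrete what tokenization buys a retailer, here is an added illustration (not code from the original article, the NRF, or any payment processor). It assumes a hypothetical token vault class and a merchant "sale" record; in a real deployment the vault is a separate hardened system, usually operated by the processor, and its PAN column is encrypted. The point it shows is that the merchant's own database ends up holding only a random token and the last four digits, so a dump of that database yields no card numbers, while the vault can still map a token back to the card when a charge has to be processed.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check.
    This is a well-formedness check on input, not a security control."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only place the full PAN is kept.
    Assumed for this example; real vaults encrypt the PAN store and are separately audited."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # Return the existing token for a returning card so the merchant
        # can still recognise repeat customers without seeing the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # The token is random, not derived from the PAN, so it cannot be
        # reversed or brute-forced; it is only a lookup key into this vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (i.e. the processor side) can turn a token back into a PAN."""
        return self._pan_by_token[token]  # KeyError for unknown tokens


def store_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's database keeps for a sale: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def pan_leaks(records: list[dict], pan: str) -> bool:
    """Simulate an attacker dumping the merchant table: does the full PAN appear anywhere?"""
    return any(pan in str(value) for rec in records for value in rec.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: the widely published test PAN 4111111111111111, not a real account.
    sales = [store_sale(vault, "4111111111111111", 1999),
             store_sale(vault, "4111111111111111", 500)]
    print(sales)
    print("full PAN present in merchant records:", pan_leaks(sales, "4111111111111111"))
    print("vault can still recover the PAN:", vault.detokenize(sales[0]["token"]))
```

The contrast with point-to-point encryption is that tokenization protects data at rest in the retailer's systems, whereas encryption protects the card number while it travels from the terminal to the processor; the two are complementary, which is why the article's survey asks about both.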

Credit card data is criminals’ biggest target during data breaches. And once they steal it, they usually want to create counterfeit cards to be sold on the black market or used to purchase merchandise that can then be fenced or otherwise converted to cash.

One way to discourage thieves from stealing card data in the first place is to make it more difficult for them to do anything with the data. To do that, retailers have called on banks for years to replace the United States’ antiquated magnetic stripe credit card system with the sophisticated chip-and-PIN cards used around the world for a generation. The chip stores card data in a difficult-to-counterfeit computer microchip while the secure, secret Personal Identification Number replaces the easily forged signature used on mag stripe cards.

Unfortunately, the new credit cards rolled out with so much fanfare in the past year are chip-and-signature, a half-measure that deprives U.S. consumers of the protection afforded consumers in almost every other industrialized country. There are ways around the chip, and without a PIN the new cards can make only a modest dent in the crime of credit card fraud. Ironically, the PIN alone could stop criminals dead in their tracks even without the chip, but the card companies – which like to see transactions travel over the signature-based processing networks they own or control rather than competitive PIN networks – continue to put profits ahead of security.

Any business that is the victim of a data breach suffers enormous losses, both financially and to its reputation, and businesses care about both. If every business had a comparable affirmative obligation to publicly report data breaches, then each would have a powerful incentive to voluntarily adopt strategies to minimize the threat of being hacked. Placing that principle near the top of Washington’s cybersecurity agenda would earn the support of a wide array of American businesses, encourage competition on a level playing field and help protect consumer data from unnecessary loss. We don’t think that’s too much to ask.

Mallory Duncan is general counsel of the National Retail Federation.

The views expressed by authors are their own and not the views of The Hill.