One year ago this month, the massive hacking of Target marked a turning point in the national debate about data breaches. The Target breach numbers are now well known: 40 million credit and debit cards compromised, as many as 110 million consumers put at increased risk of identity theft. Since then, breach news has come in a deluge: 56 million cards at Home Depot; 4.5 million records at Community Health Systems; 76 million accounts at J.P. Morgan Chase, just to name a few. Countless smaller breaches happen on a daily basis and go largely unreported. According to security firm Trend Micro, the average breach lasts for 229 days before it is detected.
The data security threat to our economy is real and demands action. The statistics are staggering: the security firm Norton reckons the total economic cost of cybercrime topped $38 billion last year. The average cost to companies of a single data breach incident is $5.85 million, according to a study by IBM and the Ponemon Institute.
Our answer to this must be an emphatic “no.”
Our awareness of the threat posed by data breach has never been higher, and consumers have never been more unified in their calls for action. Even in Washington, DC, where elected officials can barely agree on naming post offices, Congress has enthusiastically held hearings to investigate high-profile data breaches at Target, Neiman Marcus and elsewhere.
President Obama’s recent executive order on financial data security was a welcome announcement, to be sure, yet it was also a tacit acknowledgement of just how serious our nation’s data security challenges have become. The upcoming White House summit on cyber security in the consumer financial space will provide further momentum to the effort.
Consumers will be safer thanks to these important measures, but this is far too daunting a challenge to be tackled through executive orders alone. Truly stemming the tide of online crime will require a comprehensive approach that brings together consumers, businesses and the government in a common drive for solutions.
On the enforcement side, there is no federal agency better positioned to tackle the data security challenge than the Federal Trade Commission, which is already working hard to protect consumers in this arena. Congress should clarify and strengthen the FTC’s ability to enforce existing data security protections. Civil and criminal penalties against malicious hacking and more cooperation with international partners would also help tighten the noose around cybercriminals.
The FTC should continue to play a leading role in shaping an overarching national strategy for improving data security. Here’s one potential next step: the agency should take advantage of its extensive experience regulating the many industries affected by today’s data security crisis—from financial services firms to Silicon Valley—and convene an annual data security summit. This would be a gathering of experts where representatives from industry, the policy community and consumer advocates can share experiences and develop new ideas for combating data breach and fraud.
Meanwhile, Congress should step up and enact into law some of the many good ideas we already have. National data breach notification legislation, modeled after California’s strong law, would be a good first step. Ten states have adopted data security standards that require companies collecting and storing data to develop policies to protect it. These could serve as models for national data security law. Since “perfect” data security is impossible, cyber insurance requirements should be explored to help make consumers whole when breaches occur.
Today’s data security threat represents one of the great consumer protection challenges of our time. Just as hackers threaten all of us, surmounting this challenge will require contributions from every stakeholder. With clear leadership from Congress and a shared dedication to doing our part, we can regain the upper hand against cyber thieves and deliver the reform the American people expect and deserve.
Breyault is the vice president of Public Policy, Telecommunications and Fraud at the National Consumers League and coordinator of NCL’s #DataInsecurity Project.