Yet another notice arrived today from a retailer about my personal information being compromised. Same for you? Interested in joining a support group? As someone who has worked in security and resilience for the past couple of decades, receiving notice after notice, I know that personal information is not secure. Protecting it is something to be taken seriously and getting it right will reduce the onslaught of incidents—and all those notifications. What should be done when personal data is compromised?
Notifying the authorities is but one approach
In the past two weeks, there were a couple of interesting forays by policymakers on incident reporting. The first was the Securities and Exchange Commission (SEC) guidance (see my colleague’s blog). It pushes public companies to report various types of incidents in their regulatory filings and send notifications to shareholders. The SEC is also instructing firms to guard against senior management teams and directors trading their company’s stock before such incidents are reported to the public.
There was also a hearing by the House Financial Services Committee, which is contemplating two bills. One proposal would establish a national standard for data protection and notifying consumers (with oversight by existing functional regulators and the Federal Trade Commission, as well as enforcement by state attorneys general). The other bill would establish oversight for credit bureaus and standards for credit freezes. It is a bit strange that, under the draft legislation, credit bureaus would get to charge individuals up to $5 for each request to put in place, or remove, a credit freeze if they are the cause of the breach. Perhaps this language will get worked out in committee markup so that we don’t further penalize the victimized consumers.
Relying on states’ breach notification requirements has created a fractured approach to alerting stakeholders (especially consumers) when personal data is compromised. In the wake of the 2017 Equifax breach, perhaps the time has come for national standards across all industries in a way that holds organizations with vast amounts of personally identifiable information accountable.
Much more to be addressed
Individuals also need easy and transparent ways to manage their identities through enhanced technologies and security processes. Privacy and security disciplines must collaborate to innovate advanced technologies that will radically improve digital identity management. We already live in a world where data about our online searches, purchases, exercise habits, social media profiles and physical locations are constantly being tracked—I can only imagine how much more data will be available about us as we implement more “smart” devices in our homes, businesses, hospitals and beyond.
Companies and governments need to work together to implement standards that change the way we do business. These standards should encourage organizations to adopt biometrics, encryption and blockchain—tools that will help organizations implement stronger, more rigorous authentication processes. Let’s face it, the bad guys are already onto our passwords, social security numbers and even our pets’ names. And if they are not using that information now, they will soon. Bottom line: We need to move away from compliance for compliance’s sake.
Important note: The content in this blog is general in nature. It is not, and is not intended to be relied on as, advice. It should not replace the expertise of qualified professionals and you should seek advice specific to your organization’s needs, which may vary and require unique action.