Stopping the Data Breach Epidemic
We don't have to live with near-constant data breaches. Experts say companies can do more to fix the problem.
Another day, another data breach. It's easy for consumers to feel battered by what feels like an endless string of cyberattacks in which hackers steal very personal data.
In 2018 alone, data breaches at Facebook, Google, and Marriott affected hundreds of millions of consumer accounts, and in recent years data from hundreds of millions more were exposed to criminals in incidents involving the credit reporting company Equifax, retailers Target and Home Depot, and other large corporations.
It's inevitable that some consumer data will be stolen through cyberattacks or exposed through errors that accidentally leave information unsecured. But, security and privacy experts say, private companies can do much more to safeguard sensitive information.
1. Limit Data Collection
Data isn’t like the other assets that companies hold. It’s cheap to collect and virtually free to store, says Sarah Zatko, chief scientist at the data security firm CITL.
“The default is to keep everything forever,” she says.
But that can lead to trouble. The simplest way to make the next big data breach much smaller and less harmful? Collect less data, and don't keep it around as long.
This could help consumers without even harming profits, according to some analysts. Companies acquire and retain data in the hope that they can eventually monetize it, but that isn't always how it turns out, says Gartner technology analyst and research VP Alan Dayley. More than 70 percent of data remains “dark” or unused, he says. Much of it is in the form of redundant backups that companies ignore but that hackers can target.
“Companies should treat data as a liability, rather than an asset,” says Eason Goodale, co-founder of the digital security firm Disconnect. If they do that, there will simply be less data for cybercrooks to steal.
2. Institute Well-Known Security Practices
What about the data that is collected? It needs to be protected better, according to information security professionals. To start, companies should follow security practices that experts agree on.
For example, security experts say different kinds of data should be segregated into separate computer systems.
Consumer data and employee records, for instance, should be kept on different servers—no business process, such as billing or handling payroll, needs to use both kinds of data. But too many companies are storing all their data together, increasing the risk of a more devastating breach for consumers.
"They're not compartmentalizing things, so a breach means that a hacker gets everything," Zatko says.
Additionally, experts say, fewer employees should have the ability to log into sensitive systems. Steve Stasiukonis, managing partner of the security firm Secure Network, based in Syracuse, says that many companies give executives broader computer system permissions than they really need. "They give administrator access away like Pez candy," he says.
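The "administrator access given away like Pez candy" problem is usually caught by a periodic entitlement review: compare what each account has been granted against what its job function actually needs, and flag the difference. The script below is an added example, not part of the article or any product it mentions; the role baselines, privilege names and account records are constructed for illustration.

```python
"""Least-privilege entitlement review (added example, constructed data).

Compares each account's granted privileges against a per-role baseline and
reports excess grants, stale accounts, and accounts with no recognised role.
"""

from dataclasses import dataclass

# Hypothetical role baselines: the privileges each job function actually needs.
# In practice these come from the organisation's own access-control policy.
ROLE_BASELINE = {
    "executive": {"read_reports"},
    "billing_clerk": {"read_customers", "write_invoices"},
    "payroll_clerk": {"read_employees", "write_payroll"},
    "dba": {"read_customers", "read_employees", "admin_db"},
}


@dataclass
class Account:
    user: str
    role: str
    granted: set          # privileges currently held
    days_since_login: int  # used to spot dormant accounts that still hold access


def excess_privileges(account):
    """Privileges granted beyond the role baseline, i.e. the least-privilege gap."""
    baseline = ROLE_BASELINE.get(account.role, set())
    return sorted(account.granted - baseline)


def review(accounts, stale_after_days=90):
    """Return findings as (user, issue, detail) tuples.

    An account with an unknown role is reported and skipped: without a
    baseline there is nothing to compare its grants against.
    """
    findings = []
    for a in accounts:
        if a.role not in ROLE_BASELINE:
            findings.append((a.user, "unknown_role", a.role))
            continue
        extra = excess_privileges(a)
        if extra:
            findings.append((a.user, "excess_privileges", ",".join(extra)))
        if a.days_since_login > stale_after_days:
            findings.append((a.user, "stale_account", f"{a.days_since_login}d"))
    return findings


# Constructed sample accounts: an over-privileged executive, a clean clerk,
# a dormant DBA, and a contractor whose role has no baseline at all.
SAMPLE_ACCOUNTS = [
    Account("cfo", "executive", {"read_reports", "admin_db", "read_customers"}, 3),
    Account("bclerk", "billing_clerk", {"read_customers", "write_invoices"}, 12),
    Account("oldadmin", "dba", {"read_customers", "read_employees", "admin_db"}, 200),
    Account("contractor", "vendor", {"admin_db"}, 5),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_ACCOUNTS):
        print(*finding)
```

Each finding maps to a concrete remediation: revoke the excess grants, disable or re-certify the dormant account, and assign the contractor a role with a defined baseline before it keeps any access at all.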
That means that hackers have more potential targets for attacks such as spear-phishing, which attempts to trick employees into providing log-in credentials or downloading malware by posing as fellow employees, contractors, or important clients.
When it comes to data security, consumers are gaining a powerful ally among insurance companies that provide cyberattack policies. And pressure from those insurers may make a big difference in the future, according to Prashant Pai, vice president of cyberstrategy for Verisk Analytics, a risk and data analysis firm based in New Jersey.
“As insurers are slowly working to offer higher and higher limits on coverage, they’re trying to understand what they should and shouldn’t underwrite,” Pai says. “As the limits start to increase, the insurance companies will be more invasive in their risk assessments.”
3. Take Personal Data More Seriously
Companies that handle credit card data protect it carefully for a very good reason: Violating the Payment Card Industry Data Security Standard carries with it serious financial penalties. A company could even lose the right to take credit card payments—and that could be devastating.
Of course, companies do sometimes get sloppy with financial data. But problems are more likely to arise with other kinds of personal information.
For instance, it was revealed in June 2018 that a data broker called Exactis had accidentally left information on about 340 million consumers unprotected on the internet, without even the kind of password protection you'd put on a Netflix account.
A security researcher named Vinny Troia discovered the problem and alerted the company, apparently before the information was acquired by cybercriminals. The data included more than 400 individual details on consumers, including information such as religious and political affiliations, smoking habits, and even whether individuals owned a dog or a cat.
"I was surprised to find that much information in one place," says Troia, the CEO of Night Line Security in St. Louis. "They even had my mortgage information, and it was spot on."
Much of that information isn't covered under laws that require companies to safeguard personally identifiable information (PII), such as Social Security numbers and birthdates. Yet it could be used for identity theft or to trick consumers into revealing log-in credentials through a spear-phishing attack.
California's 2018 Consumer Privacy Act expands the definition of PII to include usernames and passwords, biometric data, geolocation data, browsing history, photos, and videos.
A number of federal data privacy proposals, including bills sponsored by Sens. Ron Wyden, D-Ore., and Patrick Leahy, D-Vt., would similarly broaden the definition of PII.
4. Require Faster Breach Notification
The public often learns about a data breach months or even years after it happens, meaning a long delay before consumers can react by changing passwords or reviewing their account history.
Sometimes, the delay comes about because the company involved hasn't been monitoring its systems carefully.
"You're not going to find a breach unless you're actively looking for it," says Zatko. Not that it's difficult, she says: "Your employees going over their normal operations using a database look entirely different from somebody who's trying to steal all your credit card data."
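Zatko's point, that normal business use of a database looks nothing like an attempt to pull every card record out of it, is what a simple access-pattern monitor relies on. The script below is an added example, not from the article or any company it names; the audit-log format and the log lines are constructed. It learns each user's typical rows-per-query and the tables they touch from a baseline period, then flags queries in a later period that return far more rows than usual, touch a table the user never used, or come from an account it has never seen.

```python
"""Detect bulk data access in a database audit log (added example, constructed data)."""

import re
from collections import defaultdict
from statistics import median

# Constructed audit-log line format: timestamp, user, table, rows returned.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse(lines):
    """Parse audit lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rows"] = int(d["rows"])
            events.append(d)
    return events


def build_baseline(events):
    """Per-user typical rows per query (median) and the set of tables each user touched."""
    rows = defaultdict(list)
    tables = defaultdict(set)
    for e in events:
        rows[e["user"]].append(e["rows"])
        tables[e["user"]].add(e["table"])
    return {u: median(r) for u, r in rows.items()}, dict(tables)


def detect(baseline_events, new_events, factor=50, min_rows=1000):
    """Return (timestamp, user, reason) alerts for queries that break the baseline.

    A query is a bulk read when it returns at least `factor` times the user's
    median and at least `min_rows` rows, so a user whose median is 1 row is not
    flagged for a 50-row lookup.
    """
    typical, tables = build_baseline(baseline_events)
    alerts = []
    for e in new_events:
        u = e["user"]
        if u not in typical:
            alerts.append((e["ts"], u, "unknown_user"))
            continue
        if e["table"] not in tables[u]:
            alerts.append((e["ts"], u, f"new_table:{e['table']}"))
        if e["rows"] >= max(min_rows, factor * typical[u]):
            alerts.append((e["ts"], u, f"bulk_read:{e['rows']}"))
    return alerts


# Constructed baseline: a billing service and a support agent doing single-record work.
BASELINE_LOG = [
    "2018-06-01T09:00:01Z user=billing_app table=invoices rows=1",
    "2018-06-01T09:00:05Z user=billing_app table=customers rows=1",
    "2018-06-01T09:00:09Z user=billing_app table=invoices rows=3",
    "2018-06-01T09:01:00Z user=support_agent table=customers rows=1",
    "2018-06-01T09:01:30Z user=support_agent table=customers rows=2",
]

# Constructed later log: the support account dumps a table it never touched,
# and an account absent from the baseline appears. One line is deliberately malformed.
NEW_LOG = [
    "2018-06-02T02:14:00Z user=support_agent table=customers rows=1",
    "2018-06-02T02:15:10Z user=support_agent table=cards rows=2500000",
    "2018-06-02T02:16:00Z user=billing_app table=invoices rows=2",
    "malformed line",
    "2018-06-02T02:17:00Z user=unknown_svc table=customers rows=5",
]

if __name__ == "__main__":
    for alert in detect(parse(BASELINE_LOG), parse(NEW_LOG)):
        print(*alert)
```

The baseline here is deliberately crude (a median per user); in production it would be per user and table, refreshed on a schedule, and fed from the database's own audit facility rather than hand-built log lines. The shape of the check is what matters: the legitimate traffic stays well under the threshold while a table dump stands out by orders of magnitude.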
But there are many times when a company knows about a data breach and still doesn't reveal it. Equifax took more than a month to inform consumers after it discovered a data breach. Serious delays were a factor in many incidents, including those at Yahoo. Uber—the ride-sharing company—even tried to cover up a breach by paying off hackers.
Federal law does not currently require companies to report data breaches within a certain time frame. Every state has some sort of data breach reporting requirement, but the rules and the penalties vary widely by jurisdiction.
Consumer Reports has called for a national data-breach notification law.
"Consumers deserve to know as soon as possible that their sensitive data has been breached," says CR's Mahoney. "The sooner they know, the more quickly people can lock down accounts and change passwords to help keep cybercriminals at bay."
Data breach reporting is another requirement of Europe’s new General Data Protection Regulation, a comprehensive consumer privacy law passed in the European Union in 2018. It requires companies to disclose a data breach within 72 hours of discovering it.
5. Impose Stricter Penalties for Missteps
"Equifax affected the lives of millions of people," says Stasiukonis. "But nobody holds the company accountable."
Despite the massive scope of the breach and the number of consumers affected, the company hasn't faced any significant penalties in more than a year since the breach was revealed. That's also been the case for many other companies that suffered data breaches.
But companies may face new penalties, due in part to the example of the new GDPR law in Europe. Under the law, companies are subject to penalties of up to 4 percent of their total annual revenues for the worst privacy and security violations. For a company the size of Equifax, for example, the toughest penalties could amount to as much as $125 million. The rules apply to U.S. companies that do business in Europe.
Health providers in the U.S. already face significant penalties for the mishandling of medical data, under the Health Insurance Portability and Accountability Act, or HIPAA. Penalties range from escalating fines to jail time for the most serious violations. There's also strong evidence that healthcare practitioners report data breaches, both large and small, more consistently than companies in other sectors.
"If the proper incentives were put into place, you'd see better behavior," says Goodale of Disconnect. "I would like for executives to be up at 4 a.m. thinking about data security the way that GM thinks about car safety."