In brief: The scourge of data breaches and identity theft is more than a decade old. But our tools for dealing with these common incidents are outdated and ineffective. Why? (Editor’s note: this blog post has been cross-posted from Digital Guardian’s blog, where you can read it in its entirety.)
Another week, another breach (or two). In just the last few days, handbag maker Vera Bradley was the latest retailer to reveal that its systems were compromised by hackers, resulting in the theft of customer credit card information from compromised Point of Sale (or PoS) systems. According to a report by Reuters, the company will postpone an upgrade of its website to focus on improving security, potentially affecting holiday sales.
The Vera Bradley story follows news that information on some 58 million people was lifted from Modern Business Systems (MBS), a company that offers online data storage. Among the information stolen: subscribers’ emails, dates of birth, names and addresses, phone numbers and other information, Tripwire reported.
Disconcerting as they are, these incidents are hardly unusual. Indeed, over the last decade they have become a regular feature of modern business, arriving at a steady cadence. According to a survey by the firm Risk Based Security, there were 3,930 data breach incidents in 2015 involving some 736 million records. That’s more than 10 breaches a day, on average.
So why, despite their regularity, is society’s response to data breaches so underdeveloped? Consider: victims who have had their personal information stolen by criminals in a data breach have little recourse to protect themselves from being re-victimized at some point in the future. Companies that are breached may be compelled to inform customers that their data was stolen and to pay for some form of credit monitoring service for a period of time. But – note – such protections vary from state to state. So the type of notification consumers get and how they are protected will vary depending on where they live and, to an extent, on where the breached company is headquartered.
With no federal data breach law to ensure uniform recourse no matter their location, consumers are at the whim of circumstance in how they fare following a data breach. Further, even when credit or identity theft monitoring is offered, it falls to the breached firm to decide which company offers the service and for how long. Consumers have no choice in what service to sign up for to protect them following the company’s mishandling of their data. Indeed, data breach response has become almost reflexive, a kind of “round up the usual suspects” approach that makes a show of “doing something” while in fact doing little.
That’s the argument made by Adam Shostack in a recent letter to the Federal Trade Commission (FTC). Shostack, a co-author of The New School of Information Security, notes that our current, anemic approach to the aftermath of a breach fails on a number of counts.
Read more about Adam’s recommendations and his analysis of the current breach response system over at Digital Guardian’s blog: Sign Up with the Usual Suspects: Consumer Breach Response is Broken and How to Fix It | Digital Guardian