Time for Standardized Data Breach Law
I love the ironic quote “Data is the new oil” by Clive Humby of dunnhumby, a British company known for analyzing data to improve customer experiences and brand loyalty.
If anything, data may be the “new spoil” instead. And the past week has been much about data, a modern obsession not necessarily for the best reasons.
Bitcoin exchange Mt. Gox acknowledged last Friday that it had been hacked and is now bankrupt after more than 850,000 bitcoins worth over US$450 million disappeared from its computer systems – in theory not possible for a virtual currency trading platform. It now appears the Tokyo-based Mt. Gox tried to conceal that it had been hacked, as it sought to buy time to find out what had actually happened. It declined to honor withdrawal requests from its depositors until mounting demands eventually led to the late disclosure.
This incident underscores once again that there is no such thing as a hack-proof computer system and anyone who still believes in that notion – unfortunately I came across some bankers who do – should join the Flat Earth Society.
This brings me to the news early last week that a push for a standardized nationwide data breach law was gaining traction in the US. Such a law would force companies to become more accountable and proactive in notifying consumers and law enforcement agencies promptly when their databases and websites are compromised.
Stock exchange regulators like the American SEC have rules for such disclosures, but the general public is often at the mercy of private companies less inclined or compelled to raise red flags. Take for example the huge data breach late last year at US retailer Target Corporation, a public company and the second largest American discount retailer behind Walmart. Target took four days to disclose a major data breach involving personal information of more than 110 million customers.
If four days is fast, consider the NYSE-listed Las Vegas Sands Corp., which announced only last Friday that some of its customers’ Social Security and driver license numbers had been compromised following a cyber-attack almost three weeks ago on February 10.
Meanwhile, reports also surfaced over the weekend that the US Secret Service is investigating another possible data breach at US retailer Sears Holdings Corp., following reports that credit card data of millions of US consumers had been stolen, something the company has so far said it was not aware of.
The spate of recent cyber-attacks has prompted warnings of a wave of serious cybercrimes ahead as hackers continue to breach the antiquated payment systems of companies such as Target and other top retailers.
It takes two to tango, so while hackers are quick to seize the advantage, fingers can also be pointed at the private sector, policymakers and regulators for their slow response to address the increasing threats and sophistication of cybercriminals. According to a recent report by Verizon Enterprise Solutions, a disturbing 69 percent of data breaches were actually identified by external parties, of which 9 percent were by customers. And “over half of the breaches identified internally were spotted by end users — not the IT team as you might have expected.”
That should not be a surprise given that just 11 percent of companies adopt industry-standard security measures. Even the best practices these days still fall short of the arsenal at the disposal of opportunistic and aggressive hackers.
Furthermore, while the majority of data breaches are deliberate attempts, many involve “unintentional elements”. The Verizon report said these include “taking information home, copying data onto a USB drive, attaching the wrong file to an email or sending it to the wrong person, or leaving a laptop in a taxi, all of which can lead to a data breach.”
The report added that 66 percent of all data breaches took months or even years to be discovered.
According to another report by the Ponemon Institute, the cost of cybercrime for US companies averaged US$11.5 million in 2012, 26 percent higher than the previous year. And there were 122 successful cyber-attacks per week on the 234 companies studied, compared to 102 successful attacks per week the previous year.
Unfortunately, there is little the public can do, as traditional defenses like antivirus programs offer literally no support against the malicious code written by cybercriminals.
Taking into account the Snowden revelations to date, including the latest last week on how British spy agency GCHQ has been collecting millions of Yahoo webcam images from around the world, those who have deliberately or naively ignored cyber security warnings should get some serious reality checks.
(Vanson Soo runs an independent business intelligence and commercial investigations practice specialized in the Greater China region. Blog: http://vansonsoo.com)