The high price of data breaches

Nov 26, 2011 By James Cole

As consumers, we transmit valuable personal information to the companies with which we do business. In doing so, we trust that information will remain secure. Over the past year, however, we have learned of a number of instances in which vast quantities of personal data have been compromised. Last spring, for instance, breaches at Sony Corp. affected more than 100 million customers, putting their credit card numbers, email addresses and passwords at risk. Another recent breach exposed email addresses of customers of companies such as Best Buy, Citibank, Disney, JPMorgan Chase, the Home Shopping Network, Hilton, Marriott and the College Board.

Although we often think of credit card numbers as being among the most sensitive , disclosure of email addresses and passwords can in some cases allow identity thieves to do us more harm. Because many people use the same passwords for different accounts - an inadvisable but common practice - knowledge of an email address and password for one account may give an identity thief access to other accounts, to social network profiles, or even to the contents of . With one breach, identity thieves may gain access to nearly all sensitive information that a person stores electronically.

When companies disclose breaches of , as Sony did, consumers can take steps to reduce the damage caused by the breach. They can strengthen passwords, change , put fraud alerts on their credit reports, and keep a close watch on their bank accounts. A 2006 study commissioned by the Federal Trade Commission found that the earlier consumers discovered the identity theft, the less time it took to resolve the crime, and the less money thieves were able to steal. Early notification can mean the difference between a few hours of effort or months of stress and worry for identity theft victims.

Prompt notification also enables to more swiftly and effectively investigate and prosecute the perpetrators of the identity theft. Last year, law enforcement officials successfully prosecuted an individual who stole more than 90 million credit and debit card numbers by hacking the payment systems of several U.S. retailers. He was sentenced to 20 years in prison - the lengthiest sentence imposed in the United States for identity theft. Such successful prosecutions not only provide justice to victims, but also may deter would-be identity thieves from stealing personal data in the future.

Forty-seven states have laws that require companies to notify consumers in the event of a breach of their personal information. These laws have helped consumers mitigate the risks of and have created incentives for companies to improve their cybersecurity. But this patchwork of state laws is not enough. Not all states require data breach notification, and the existence of multiple standards makes compliance unnecessarily difficult and more costly for companies.

In May, the administration proposed a broad-ranging cybersecurity bill that would address this problem by imposing a single notification standard for companies nationwide. The bill would require companies to provide timely notice to their customers when their personal information is compromised. The bill also would require companies to report data breaches to the federal government to help law enforcement go after identity thieves before the digital evidence disappears. And the bill would authorize enforcement by the and state attorneys general, giving companies real incentive to comply.

There is strong bipartisan consensus in Congress for cybersecurity reform. A Republican task force in the House published a report last month on the pressing need to improve cybersecurity. The Senate also has been working hard to move forward with cybersecurity reform. During a mid-October meeting with leaders from the administration, a bipartisan group of senators agreed to work together to pass a cybersecurity bill as quickly as possible.

We need Congress to act promptly. The Privacy Rights Clearinghouse has been tracking data breaches since 2005 and now lists more than 540 million records of personal information breached. Congress should require companies to comply with a national data breach notification requirement and hold them accountable to consumers and the marketplace. When breaches occur that put personal information at risk, notification helps protect consumers and punish identity who undermine society's trust in cyberspace and put our economic prosperity at risk.

Explore further: Twitter rules out Turkey office amid tax row

More information: James Cole is U.S. deputy attorney general. Readers may write to him at: U.S. Department of Justice, 950 Pennsylvania Avenue NW, Washington, D.C. 20530.

5 /5 (1 vote)
add to favorites email to friend print save as pdf

Related Stories

Sony, Epsilon execs to testify

Jun 02, 2011

(AP) -- Executives from Sony and online marketing firm Epsilon will go before lawmakers on Thursday to try to explain recent data breaches at their companies that have exposed email addresses, credit card numbers and other ...

Sony, Epsilon execs support data breach bill

Jun 02, 2011

(AP) -- Top executives from Sony and online marketing firm Epsilon told lawmakers Thursday that they support federal legislation that would require companies to promptly notify consumers if their personal information is ...

Sony backs US cybersecurity legislation

Jun 29, 2011

Japan's Sony Corp., victim of one of the largest data breaches in history, voiced support on Wednesday for cybersecurity legislation being considered by the US Congress.

Is danger of identity theft overblown?

May 23, 2006

The announcement yesterday about the loss of personal electronic data on up to 26.5 million veterans is the latest in a string of similar reports about information security breaches at major institutions in the last two year ...

Recommended for you

Twitter rules out Turkey office amid tax row

20 hours ago

Social networking company Twitter on Wednesday rejected demands from the Turkish government to open an office there, following accusations of tax evasion and a two-week ban on the service.

How does false information spread online?

23 hours ago

Last summer the World Economic Forum (WEF) invited its 1,500 council members to identify top trends facing the world, including what should be done about them. The WEF consists of 80 councils covering a wide range of issues including social media. Members come ...

User comments : 0

More news stories

Sony's PlayStation 4 sales top seven million

Sony says it has sold seven million PlayStation 4 worldwide since its launch last year and admitted it can't make them fast enough, in a welcome change of fortune for the Japanese consumer electronics giant.

Robotics goes micro-scale

(Phys.org) —The development of light-driven 'micro-robots' that can autonomously investigate and manipulate the nano-scale environment in a microscope comes a step closer, thanks to new research from the ...

Biologists help solve fungi mysteries

(Phys.org) —A new genetic analysis revealing the previously unknown biodiversity and distribution of thousands of fungi in North America might also reveal a previously underappreciated contributor to climate ...