The high price of data breaches

November 26, 2011 By James Cole

As consumers, we transmit valuable personal information to the companies with which we do business. In doing so, we trust that information will remain secure. Over the past year, however, we have learned of a number of instances in which vast quantities of personal data have been compromised. Last spring, for instance, breaches at Sony Corp. affected more than 100 million customers, putting their credit card numbers, email addresses and passwords at risk. Another recent breach exposed email addresses of customers of companies such as Best Buy, Citibank, Disney, JPMorgan Chase, the Home Shopping Network, Hilton, Marriott and the College Board.

Although we often think of credit card numbers as being among the most sensitive , disclosure of email addresses and passwords can in some cases allow identity thieves to do us more harm. Because many people use the same passwords for different accounts - an inadvisable but common practice - knowledge of an email address and password for one account may give an identity thief access to other accounts, to social network profiles, or even to the contents of . With one breach, identity thieves may gain access to nearly all sensitive information that a person stores electronically.

When companies disclose breaches of , as Sony did, consumers can take steps to reduce the damage caused by the breach. They can strengthen passwords, change , put fraud alerts on their credit reports, and keep a close watch on their bank accounts. A 2006 study commissioned by the Federal Trade Commission found that the earlier consumers discovered the identity theft, the less time it took to resolve the crime, and the less money thieves were able to steal. Early notification can mean the difference between a few hours of effort and months of stress and worry for identity theft victims.

Prompt notification also enables law enforcement to more swiftly and effectively investigate and prosecute the perpetrators of the identity theft. Last year, law enforcement officials successfully prosecuted an individual who stole more than 90 million credit and debit card numbers by hacking the payment systems of several U.S. retailers. He was sentenced to 20 years in prison - the lengthiest sentence imposed in the United States for identity theft. Such successful prosecutions not only provide justice to victims, but also may deter would-be identity thieves from stealing personal data in the future.

Forty-seven states have laws that require companies to notify consumers in the event of a breach of their personal information. These laws have helped consumers mitigate the risks of and have created incentives for companies to improve their cybersecurity. But this patchwork of state laws is not enough. Not all states require data breach notification, and the existence of multiple standards makes compliance unnecessarily difficult and more costly for companies.

In May, the administration proposed a broad-ranging cybersecurity bill that would address this problem by imposing a single notification standard for companies nationwide. The bill would require companies to provide timely notice to their customers when their personal information is compromised. The bill also would require companies to report data breaches to the federal government to help law enforcement go after identity thieves before the digital evidence disappears. And the bill would authorize enforcement by the and state attorneys general, giving companies real incentive to comply.

There is strong bipartisan consensus in Congress for cybersecurity reform. A Republican task force in the House published a report last month on the pressing need to improve cybersecurity. The Senate also has been working hard to move forward with cybersecurity reform. During a mid-October meeting with leaders from the administration, a bipartisan group of senators agreed to work together to pass a cybersecurity bill as quickly as possible.

We need Congress to act promptly. The Privacy Rights Clearinghouse has been tracking data breaches since 2005 and now lists more than 540 million records of personal information breached. Congress should require companies to comply with a national data breach notification requirement and hold them accountable to consumers and the marketplace. When breaches occur that put personal information at risk, notification helps protect consumers and punish identity thieves who undermine society's trust in cyberspace and put our economic prosperity at risk.

More information: James Cole is U.S. deputy attorney general. Readers may write to him at: U.S. Department of Justice, 950 Pennsylvania Avenue NW, Washington, D.C. 20530.
