Are Consumers in the Dark When It Comes to Stolen Personal Information?

Data theft reporting requirements are abysmal.

It often takes months to inform victims of online data theft that their personal information has been stolen. (David Muir/Getty)
Matt Fleischer was awarded a Fund for Investigative Journalism grant for his series “Dangerous Jails.”

On September 14, 2012, the national bookstore chain Barnes & Noble discovered that computer hackers had breached the company’s online security network, and stolen the credit card information and PIN numbers of customers in 63 different stores nationwide. One would think such a bold cyber-heist would invite immediate disclosure from Barnes & Noble, to tell customers their bank accounts may be in danger of hacking.

That, however, did not happen.

Instead, Barnes & Noble never contacted individual customers who may have been impacted by the hack—and took six weeks before making a broad announcement about the PIN thefts in the press. Officials in New York, one of the states where the hacks took place, told Barnes & Noble they could wait until Dec. 24 to tell the customers.

So, basically: Merry Christmas, you need to run your credit report because of a breach we sat on for months.

The delay was well within the law. Ironically, though 46 states have reporting requirements when it comes to stores informing customers if they have been hacked, those mandates are often at odds with one another, and nearly all somehow become inapplicable when the stolen information is encrypted.

“If you had a breach that included name plus credit card information, but the credit card information was encrypted, you would not have to provide notice,” Miriam H. Wugmeister, a lawyer with Morrison & Foerster, explained to The New York Times back when the hacks were revealed.

Nearly a year later, Congress is weighing whether to remedy that situation, and whether to impose strict federal reporting requirements on how companies should inform customers if their personal information has been stolen online.

On July 18, the U.S. House of Representatives Subcommittee on Commerce, Manufacturing, and Trade held a hearing on the matter, noting that, since 2005, over 608 million consumer personal information records have been compromised, stemming from 3,800 attacks. Those attacks appear to be escalating, as there were 680 data breaches, affecting 27.7 million data files in 2012 alone.

A speedier, streamlined, federal reporting law could empower consumers to take action immediately to protect their financial interests from theft—rather than waiting blindly for months, hoping theirs isn’t the bank account or credit card hackers decide to target.

But some experts say that simply notifying victims of data breaches that their personal information has been compromised isn’t enough. David Thaw, an Information Society Project fellow at the Yale School of Law, who testified at the July hearing, tells TakePart that enhanced reporting requirements are fine, but functionally toothless in protecting consumers without a mandate for increased preemptive security.

“We need a single federal uniform standard,” he tells TakePart. “What Congress is considering, however, in terms of notification only, underestimates the amount of risk out there right now. Not to be a doomsayer, but it’s important that we address not just the breaches that are happening now, but the breaches that could be happening very soon.

“There is a tremendous amount of data that is moved online and it has to be exchanged in a manner that is conducive to cybersecurity.”

Currently only the healthcare and financial industries are subject to strict regulations about how to manage online data security. That isn’t good enough, says Thaw.

“Just because you only sell widgets and don’t deal with healthcare, financial or military data, doesn’t mean you can’t be the weak link in the chain that attackers use to go after other areas.”

Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, agrees that preemptive data security laws are absolutely essential to protecting consumers.

“The solution is obviously two-fold,” he tells TakePart. “We need proactive and reactive laws as well. However, the harsh reality is that I don’t envision a scenario where you don’t have widespread data breaches. So strong reporting requirements are absolutely essential to protecting consumers.”

Stephens says that while he supports robust data protection legislation, his organization is skeptical when it comes to federal oversight on the matter.

“Our main position with respect to federal legislation is that it not preempt state laws. Often, federal legislation may not be as strict as certain state laws, and we would be unlikely to support any bill that preempts more robust state reporting laws.”

Thaw says the congressional committee overseeing proposed regulations has not put out draft language yet, so just how robust the reporting requirements under consideration will be remains unclear. What is clear is that online personal data is currently not secure. While advocates may argue about the benefits of federal reporting legislation, all seem to be in agreement that not enough is being done to prevent data theft.

Thaw says research he’s conducted shows that comprehensive preemptive cyber security in conjunction with speedy reporting is four times more effective than simply robust reporting on its own.

“It’s much better to put the whole regime into place at once,” says Thaw. “The key message that I’m trying to send to members of the committee, the research I’ve been doing for five years now, has shown very, very clearly that the combination of the two is much more effective than informing consumers alone.”
