The Irony of Government Solutions to Data Breaches

The U.S. Attorney General, Eric Holder, urged Congress to pass Federal laws to regulate how retail outlets handled data breaches. This was in response to the breach at Target where hackers stole credit card information from customers in December of 2013.

Holder stated that retailers who fail to protect data should be held liable. He also stated that a Federal law would assist law enforcement with prosecution.

At first glance, it may seem like a good idea. After all, we all deserve to have our identities protected when shopping. However, several questions come to mind. As is so often the case with good intentions, the results may not be everything hoped for.

First, there is a problem with where the blame is focused. Too often, we see cases where the victims are held liable for the actions of crooks. By holding the retailer accountable, the focus shifts to punishing the victim organization rather than focusing on the criminals behind a breach. This same mentality is used at local levels, such as when police will patrol neighborhoods on cold mornings looking for “puffers.” These are cars that someone starts to warm up while waiting inside. True, there are suspects who will steal the warming cars. If the police can take the time to stop and write parking tickets to the would-be victims, then wouldn’t that time be better spent looking for suspicious people hanging out in the areas where the cars are being stolen? Education about the risks and ways to protect yourself, rather than blaming victims, is a much better approach. Of course, as with any harmful event, there is the risk of a company being held liable, especially if the data protection measures were negligent or lacking. Assuming appropriate measures were in place, blaming the organization is counter-productive.

From WikiCommons
Second, it is ironic that the government would be in a position to dictate what standards other industries should follow. After all, one of the most famous cases of a data breach is the government’s loss of hundreds of thousands of confidential documents to a contractor in the case of the National Security Agency and Edward Snowden. It hardly instills confidence in a government solution.

Third, I am doubtful that establishing Federal standards would provide any real assistance to local police. Local jurisdictions do not have the legal ability to enforce Federal laws and Federal prosecutors are often swamped and, in my experience, will not even touch smaller cases. There would be benefit with information sharing between local law enforcement to facilitate investigations, but in many computer crimes, the suspects are out of the country and there is no way local police can ever prosecute. I would like to see more of the details about how these cases could be investigated with a successful prosecution before just accepting that another political solution would actually achieve any benefit.

Last, most states already have laws related to how companies need to respond to and address data breaches. A new Federal mandate could override state laws and might not be as effective as the current law. Plus, any time there are legal changes, there will be additional costs and those will ultimately be passed onto the consumer. There are already limits on how much consumers can be liable for in regards to identity theft. New laws or changes could potentially be more costly to the consumer, the very group these laws are designed to protect.

Too often, when there is a real problem to address, the knee-jerk reaction, especially of politicians, is to announce solutions that may or may not work. As always, look at the goals and the consequences of new measures. These decisions should be carefully vetted and reviewed and the best course of action taken for the good of all, not just as a ‘feel good’ idea. Keep the focus on stopping criminals, not finding someone else to blame.

Eric Smith, CPP is the leading authority on organizational self-defense. He has extensive experience in law enforcement as well as security management. Eric is available for staff education and security awareness training as well as business coaching to help organizations provide safe workplaces. To learn more email Eric at businesskarate dot com.


If you would like to reprint this post, please contact Eric at Eric at businesskarate dot com.

No comments:

Post a Comment