The U.S. Attorney General, Eric Holder, urged Congress to pass Federal laws regulating how retailers handle data breaches. This was in response to the breach at Target, in which attackers stole customers' credit card information in December 2013. Holder stated that retailers who fail to protect data should be held liable, and that a Federal law would assist law enforcement with prosecution.
At first glance, it may seem like a good idea; after all, we all deserve to have our identities protected when shopping. However, several questions come to mind, and, as is so often the case with good intentions, the results may not be everything that was hoped for.
First, there is a problem with where the blame is focused. Too often, we see cases where the victims are held liable for the actions of crooks. By holding the retailer accountable, the focus shifts to punishing the victim organization rather than going after the criminals behind the breach. The same mentality shows up at the local level, such as when police patrol neighborhoods on cold mornings looking for "puffers," cars that someone has started to warm up while waiting inside. True, there are suspects who will steal the warming cars. But if the police can take the time to stop and write parking tickets to the would-be victims, wouldn't that time be better spent looking for suspicious people hanging around the areas where the cars are being stolen? Education about the risks and about ways to protect yourself, rather than blaming victims, is a much better approach. Of course, as with any harmful event, there is a place for holding a company liable, especially if its data protection measures were negligent or lacking. But assuming appropriate measures were in place, blaming the organization is counter-productive.
Second, it is ironic that the government would be in a position to dictate what standards other industries should follow. After all, one of the most famous data breaches is the government's own: the National Security Agency's loss of hundreds of thousands of confidential documents to a contractor, Edward Snowden. That hardly instills confidence in a government solution.
Third, I am doubtful that establishing Federal standards would provide any real assistance to local police. Local jurisdictions do not have the legal ability to enforce Federal laws, and Federal prosecutors are often swamped and, in my experience, will not even touch smaller cases. There would be some benefit in information sharing among local law enforcement agencies to facilitate investigations, but in many computer crimes the suspects are out of the country and there is no way local police can ever prosecute. I would like to see more details about how these cases could be investigated and successfully prosecuted before accepting that another political solution would actually achieve any benefit.
Last, most states already have laws governing how companies must respond to and address data breaches. A new Federal mandate could override those state laws and might not be as effective as the current ones. Plus, any time there are legal changes there will be additional costs, and those will ultimately be passed on to the consumer. There are already limits on how much consumers can be held liable for in cases of identity theft. New laws or changes could potentially be more costly to consumers, the very group these laws are designed to protect.
Too often, when there is a real problem to address, the knee-jerk reaction, especially among politicians, is to announce solutions that may or may not work. As always, look at the goals and the consequences of new measures. These decisions should be carefully vetted and reviewed, and the best course of action taken for the good of all, not just as a 'feel good' idea. Keep the focus on stopping criminals, not on finding someone else to blame.
If you would like to reprint this post, please contact Eric at Eric at businesskarate dot com.