Facing inevitable data breaches and new privacy laws, companies shift focus to response

Data is impossible to secure perfectly, making breaches inevitable (Image Courtesy of Blogtrepreneur/FLICKR under CC-BY-2.0).

By Tyler Sonnemaker
Medill Reports

The number of data breaches has skyrocketed in recent years, with high-profile incidents involving major companies such as Facebook and Uber, financial institutions and government agencies. According to a report from the Identity Theft Resource Center, 1,579 incidents — involving nearly 179 million records — occurred in 2017 alone.

That amounts to more than four incidents per day, and there are likely many more that go undetected. As a result, hundreds of millions of people have had their personal information stolen.

For everyday internet users, it’s easy to become numb to news about data breaches. And with the sheer volume of records leaked, it’s hard to determine whether to be concerned about a particular incident or whether to stop using products and services from a company that has exposed your data.

At the same time, it’s impossible for businesses, government agencies and other organizations that collect and store your data to completely guarantee safety.

“Cybersecurity is an oxymoron and a data breach is inevitable,” said John Reed Stark, an independent cybersecurity consultant and former chief of the SEC’s Office of Internet Enforcement.

But that inevitability doesn’t mean giving up entirely. Instead, it just changes how companies must approach cybersecurity, requiring them to go beyond preventative measures.

“It’s important to have the latest tools and technology because the threat is evolving,” Stark said, but added that “it’s even more important to have the proper governance and proper response framework in place.”

Stark recommended companies hire an independent cybersecurity firm immediately after learning of a breach. He compared it to going to the doctor — the doctor gets paid whether the results are good or bad, so there’s no incentive to skew the findings.

Companies, cybersecurity professionals, and policymakers alike have started paying more attention to how breach victims respond to an incident.

“Companies are recognizing that they need to be prompt in disclosing the breaches,” said Michelle Cohen, a partner at Ifrah Law and chair of its privacy and data security practice. They must be “transparent with consumers and regulators regarding what happened, what may have been compromised and what the company is offering to do to remedy the situation,” Cohen added.

Each incident is unique, from the laws governing the organization involved to the type of information compromised. But this shift in thinking means consumers and regulators must look to new metrics — such as how long it takes a company to both discover and disclose a breach.

There are legitimate reasons why breach victims may not want to immediately alert the public. They might still be fixing the vulnerability and don’t want to draw more attention to it.

Companies may also be reluctant to alert authorities, who could ask for access to customer information to assist with an investigation. “That’s information about customers that they haven’t agreed for the company to give to the FBI,” Stark said.

But sometimes the motives are more selfish. Executives, whose compensation is often directly tied to their company’s stock performance, may fear that disclosure could negatively impact stock price or cause a PR headache.

“Two weeks [is] probably fine because you need to investigate, but four months could easily be viewed as too long, especially if there is a likely harm to consumers,” Cohen said.

In recent years, several high-profile companies, including Facebook, Equifax, Yahoo, and Uber, have responded to breaches by choosing not to alert the public or trying to cover up the incident entirely.

Regardless of executives’ motivations, public backlash has spurred new legislation around online privacy, cybersecurity standards and disclosure requirements. Most notable are Europe’s General Data Protection Regulation (GDPR), which became effective May 2018, and California’s Consumer Privacy Act (CCPA), set to go into effect January 2020.

Many customers of U.S. companies are covered by GDPR’s extensive protections, and as more states pass their own laws, the legal landscape is becoming fragmented and complicated, making compliance a moving target.

This has helped lead to a growing, diverse chorus in favor of a national digital privacy law.

“Many parties (myself included) think that a national standard around data notifications would make things clearer,” said Cohen, noting that “companies would not have to engage in a 50 state analysis of the different state standards.”

The devil is, of course, in the details, from both a political and technical standpoint. Politically, some fear that a weak national standard could undermine stronger state protections.

Technically, Congress has so far demonstrated a severe lack of understanding about how the internet and modern digital economy operate. This was especially apparent during hearings with Facebook CEO Mark Zuckerberg, where members seemed confused about basic aspects of the social media giant’s business model and the services it provides.

“Most sitting members of Congress don’t personally have that expertise,” said Lisa Hayes, vice president of strategy and general counsel for the Center for Democracy and Technology, a Washington, D.C., nonprofit that focuses on internet and privacy issues.

Hayes, noting that she herself relies on CDT’s technologists, hopes that legislators will “go get experts who can advise [them] on technologically feasible solutions.”

Whether or not effective national legislation is likely to pass in the immediate future, it’s clear that companies are facing increasing legal, political, and financial pressure to respond transparently when data breaches inevitably do occur.

Understanding the visualizations:

  1. Breach dates and discovery dates are approximate based on the best publicly available information.
  2. Friend Finder Network’s breach was first publicized on Twitter by a security researcher who goes by the handle @1x0123. It appears this is also when FFN discovered the breach, preventing it from withholding information from the public.
  3. Equifax was notified of its vulnerability in December 2016 by a security researcher but did not act to fix it until after it was hacked in June 2017.