In the aftermath of the recent Capital One data breach, which comes only a year after a massive compromise of the personal information of Marriott guests and two years after Equifax’s servers were hacked, the question we should ask is, What do we do now?
It seems there is no slowing the rapid pace at which hackers are infiltrating the security systems of companies that hold our Social Security numbers, bank information, birth dates and addresses. Companies to which we’ve entrusted our information get off with slaps on the wrist and stern finger wags from lawmakers and government bodies and then return to business as usual. The big fines they pay are but thin slices of their gigantic annual revenue pies. In 2017, Target paid an $18.5 million settlement for a 2013 data breach that compromised the payment card information of 41 million customers. The retailer’s annual revenue exceeded $70 billion in 2017.
In the past decade, big companies — such as Adobe, Yahoo, Target and Uber — have had data breaches. As such incidents become the new normal, these cases fall into the background. That is, until the next one occurs.
The Federal Trade Commission said last week that it would require Equifax to, on top of paying a fine of $575 million, take concrete measures to improve its security program, which will be assessed every two years by a third party. Its 2017 breach exposed the personal information of 147 million people.
But that’s not enough. We should not have to ask for competent data security only after our information has been compromised.
After so many incidents, it’s inexcusable for lawmakers and regulators at the Federal Trade Commission, among other federal agencies, to throw up their hands and claim that they can’t reshape our laws quickly enough to deal with the complexities that come with living in an increasingly online world. Federal rules should replace a mishmash of state standards, legislation should enshrine consumer privacy guarantees, and deeply consequential fines should be levied if guarantees and standards aren’t met.
This is especially urgent because of consolidation among the firms that warehouse data for consumer-facing companies like banks, hotel chains and retailers. More vital identity information is being stored in fewer places, making the breaches ever more consequential.
— The editorial board