Personal data is too vulnerable

Sony executives bow in apology on Sunday at a news conference in Tokyo to explain how customer data had been obtained by hackers. Credit: Bloomberg News
In the latest jaw-dropping corporate data breach, hackers have managed to access more than 100 million user accounts at Sony's PlayStation Network and Sony Online Entertainment service. One expert called it potentially the mother of all such data scams.
Unfortunately, gigantic corporate data breaches of this kind are all too common, which is why it's time at last for tough federal legislation to protect consumers from such carelessness. Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.) have proposed a bill covering both data security and privacy, and it's a start. But it doesn't go far enough to address a big problem that consumers can't address by themselves.
In March, for example, someone stole a portable storage device containing identity data on 3.3 million people from Educational Credit Management Corp., a nonprofit student loan guarantor. Authorities said it appeared to be the largest theft of such information to date.
Around the same time, an email marketing firm called Epsilon Data Management discovered a security leak that exposed the names and email addresses of untold numbers of consumers. This too was branded as potentially the largest breach of its kind -- Epsilon's marketing customers include giant banks, retailers and hotel chains -- and one that could open the door to massive "spear-phishing" attacks, which differ from normal phishing because the email used as a lure contains the recipient's name and appears to come from a company with whom the target already does business.
Companies sometimes fail to take even the most basic precautions. A few years ago, hackers in the parking lot of a Marshalls store exploited an unsecured wireless network, which in turn helped them steal more than 45 million credit- and debit-card numbers from parent TJX Cos., which also owns T.J. Maxx.
The list of such episodes goes on and on. What's needed is legislation that establishes high standards for data protection, stiff penalties for lax companies, and prompt consumer notification once a breach has occurred (Sony took about a week). Consumers also need the right to sue when they're harmed by a data theft.
These issues are governed by a hodgepodge of state laws, which the Kerry-McCain legislation would pre-empt on most points. But in some areas, their bill would weaken protections rather than strengthen them. For instance, consumers everywhere would lose the right to sue. The Federal Trade Commission would be empowered to make rules for data security, but couldn't require any specific technological means. And consumers would be left to "opt out" on a site-by-site basis to prevent various commercial uses of their data. A better system would bar such use unless a person specifically approves.
Security and privacy are two sides of the same coin, which is why the Kerry-McCain bill addresses both. But it needs bolstering on privacy as well. Most glaring is the absence of a "do not track" mechanism so that, with a single click, consumers can prevent their Internet activities from being tracked by firms that then use or sell the data. The FTC has proposed such a plan, and it's crucial.