I didn’t share a Friday photo last week because I’ve been working on this post in response to a question a friend asked: “Are we losing the cybercrime war?”
It sure feels that way. In the past couple of years, we’ve had three major data disclosures – Aetna, Equifax and Yahoo, not to mention the myriad of lower-level incidents. While the data lost in each is different, all three have major implications for security and privacy. I’ve written before that we should all assume that our data’s been stolen and take precautions, and that’s absolutely the case. All the big breaches are failures of prevention (data retention, patching, privileged credential protection), detection (instrumentation, analytics), and response (both technical and public relations). That sounds like a systemic failure to me.
I’m a fan of The Fifth Discipline by Peter Senge, and tend to look for system causes rather than blame people, but in each of the large breaches, people’s decisions played a major role – from failure to invest in prevention, to failure to operationalize detection, to tone-deaf responses to incidents. But let’s take a step back and look at the larger system in which those people operate – not just within their companies, but the entire economic and legal environment, for that’s where the real systemic problems lie.
As Jerry Pournelle, one of my favorite authors and bloggers (he recently passed away), was fond of saying, unrestricted capitalism will result in human meat being sold in street stalls. Don’t get me wrong – I’m a hard-core capitalist, and believe in the power of the free market, but in this particular case we don’t have one. Crony capitalism has tilted the regulatory and legal environment in favor of a handful of large corporate entities (concentrated interest) and away from citizens and consumers (diffuse interest). Companies that make their living exploiting consumer information are among the worst offenders, but all of them, to some degree, use their size and scale to manipulate laws and regulations in their favor to the exclusion of new entrants.
In an environment where ‘two years of credit monitoring and an apology’ is the worst expense a company will endure, we’re going to continue to get more breaches. That’s because the bean counters will calculate the security budget based on (probability of a breach) × (scope of the breach) × (cost of a breach), on an annual basis. That results in underinvestment in cybersecurity because the cost factor is artificially low. What we need to do is change the cost and responsibility piece of the equation – once we do that, we’ll see companies change their behavior. This is exactly what happened with the Ford Pinto back in the ’70s. In that case, the damage to the Ford brand overall was significant, and their competitors immediately changed practices to avoid a similar situation. None of the three I mentioned above are in any danger of dying, because the people impacted weren’t their paying customers – Equifax sells reports to creditors, Anthem sells insurance to businesses, and Yahoo sells information about consumer activity. Consumers can’t really choose to keep their data out of those companies’ hands, so we’re stuck. And that’s the first thing we need to fix.
First, data about a consumer needs to belong to the consumer. Companies then become data custodians instead of data owners, cannot share data with a third party unless there is opt-in consent, and are monetarily responsible for disclosure as the asset itself has been lost (rather than damages incurred). That’s the lynchpin. Note that this would break Google and Facebook’s business model.
Next, full disclosure within 14 days of discovering a data disclosure (with no threshold on the number of records) should be mandatory. An exception where there is an ongoing law enforcement investigation and no evidence of exploitation of the data would make sense. But once there’s evidence of exploitation (even in less than 14 days), individual notification must follow immediately: by US Mail if possible (e.g. if they have your physical address), and by email at least. Social media, websites, and news reports are not sufficient.
Last, and most important, the cost borne by the company should reflect the risk to the consumer. That means a statutory floor for damages – payable in cash directly to the consumers impacted. Note that this would break the class-action attorney’s business model. This should be tiered based on the data lost. For example, compromised credit card numbers have a minimal impact on consumers, so set a low bar of $25 to $50 per consumer for the inconvenience of having to get new cards and change all their monthly payments. The issuers should be compensated both for the cost of fraud on those accounts and for the cost of issuing new cards. Medical and credit records are much higher value, so perhaps $100-200 plus the cost of a lifetime security freeze and credit monitoring services (at retail rates, by a company of the consumer’s choosing if they want it) would be the right benchmark.
You can be sure that would get companies to take notice (they will fight the last one tooth and nail – as will the plaintiff’s bar). It would change the calculation on what information to retain (getting rid of risky data becomes the cost-effective option, rather than retaining it to exploit it), and how to protect it. The credit agencies are the prototypical example here – they hold massive amounts of information on consumers (who are the product) and have an economic incentive to release it to any and all comers, as that’s how they get paid. GDPR in Europe has penalties attached to it, but mostly for non-compliance rather than for disclosure costs, and they’re paid to the EU itself rather than to consumers.
So unfortunately my three points above might as well be “I wish I was younger, taller and thinner”. We might be able to make some changes around the margins (the thinner), but the concentrated interests will likely prevent any real reform from happening (taller and younger).
Because it’s all about the money. Cybercriminals attack where it’s stored, companies invest based on the cost of loss, and consumers wonder where it went. Put another way: right now, the criminals are winning, the companies are wondering, and the consumers are spending.