
Net Loss: Big Companies Neglect Cybersecurity at Our Peril

Alex Ellefson Dec 16

Season’s greetings! It’s time to open up those wallets and hand over your credit cards to the hackers who have been raiding some of America’s largest banks and retailers. 

You may remember that around this time last year, when Americans were out doing their holiday shopping, Target, one of the country’s biggest retailers, was the victim of the then-largest retail data heist in history. Hackers broke into the company’s servers and siphoned off 40 million credit card numbers.

Since then, reports of massive data breaches have piled up like presents under a Christmas tree. Neiman Marcus, Kmart, Dairy Queen, SuperValu and UPS experienced hacks this year. In September, it was revealed that 56 million credit card numbers were stolen from Home Depot’s servers, an operation that was even larger than the one that occurred at Target. 

Part of the reason these hacks keep happening is that retailers just don’t seem to take cybersecurity seriously. An investigation of the Home Depot and Target breaches found the companies missed several red flags that provided opportunities to prevent or reduce the damage.

Craig Spiezle, executive director of the Online Trust Alliance, told The Indypendent that many companies do not have the proper alarms and response plans in place to catch the hackers and then react quickly to halt the attack.

“From a security perspective, you recognize that you need to take steps to prevent a breach from happening. But you also have to have steps in place to catch when it happens and then [know] what to do about it,” he said. “In the case of Target, it became like the Titanic. They could go from one data hole to another and then ultimately bring the company down.” 

In an analysis published in January of 500 data breaches, the Online Trust Alliance found that 89 percent of them could have been prevented. 

According to a recent Ponemon Institute report, which was sponsored by the information service company Experian, 27 percent of companies don’t have a data breach response plan in place, even though cyberattacks increased by more than 10 percent from 2013 to 2014. 

But even if you do everything right, breaches can and will happen. Despite having one of the most sophisticated and expensive security systems on Wall Street, banking goliath JPMorgan Chase announced in September that hackers had penetrated its defenses and extracted the emails, phone numbers and addresses of more than 76 million households and 8 million businesses. However, more recent reports suggest that the hack may have affected other banks and that the full scale of the heist is still unknown. 

The incident highlighted the inadequacy of U.S. cybercrime regulations. Currently, there are no federal laws that define what type of information needs to be stolen in order for a company to report a breach. Banks are only required to notify customers if the incident caused them a financial loss. Hence the confusion and difficulty in determining the scale of the JPMorgan hack. 

Several bills have been introduced in Congress that would establish data breach notification requirements to protect consumer data, but none of them have garnered much support. 

Instead, companies must comply with cybercrime-related laws in 47 different states that set different definitions of what constitutes a data breach and how a company is supposed to respond. Because the Internet has no borders, Spiezle said that it is time-consuming and enormously expensive for companies to hire law firms to navigate the different regulations.

However, in what appears to be a sign that private industry is starting to take cybercrime more seriously, more than 40 trade associations representing retailers and merchants sent a letter to Congress in November demanding federal legislation that would address data breaches. 

The letter urged lawmakers to “act to standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur.”

While Spiezle said he agrees that federal data breach legislation should be a priority and that it would make sense for a federal law to preempt state laws, he worried that the trade associations behind the letter would try to set the bar so high that a company would not have to report a data breach unless it affected 100,000 customers or more. In contrast, a bill co-authored by Democratic Senator Edward J. Markey would require companies to report a breach that affected more than 5,000 customers. California law, meanwhile, requires companies to notify the state attorney general if a breach compromised the personal information of more than 500 Californians. 

“The devil’s in the details,” said Spiezle. “The trade groups want to minimize the ability of anyone coming after them so they don’t want to have state rights enforced. So this is where the rub comes in.”

“We need to look at what’s the right thing and get it done and get past this gridlock and the special interest groups that really want to have it so watered down that it becomes ineffective,” he added.

According to another Ponemon Institute study, which was sponsored by IBM, the cost of data breaches in the United States was $201 per person in 2014. While banks protect customers against fraudulent credit card charges, that doesn’t mean the public won’t eventually pick up the tab. 

“If there is more fraud, costs go up,” Jeffrey MacKie-Mason, dean of the School of Information at the University of Michigan, said via email. “Some of that price increase will likely be in annual customer fees or interest rates affecting cardholders; some of it will likely be in higher merchant fees, affecting retailers. Everyone is affected by the higher cost of doing business, regardless of where the law assigns liability.”

But the cost of cyberfraud is insignificant compared to what could be on the horizon. The JPMorgan attack demonstrated that hackers could be capable of infiltrating the United States’ largest financial institutions, with potentially serious consequences.

“We could see a financial collapse and resulting great depression — or worse — from a sufficiently serious cybercrime. Such crimes might, for example, be perpetrated not just by profit-seeking criminals, but by nation states who want to bring down the economy of other countries,” said MacKie-Mason.

And it’s not just the financial system that’s at risk. The Government Accountability Office (GAO) has issued several reports indicating that hackers could cause enormous harm to all aspects of the country’s critical infrastructure. The GAO has repeatedly recommended that the federal government make cybersecurity a national priority. 

Despite these warnings, in 2012 John McCain led a group of Senate Republicans in defeating a bill that would have created new standards to oversee cyberthreats to America’s infrastructure. They argued that the law imposed too much of a financial burden for companies to follow.

“In general, if we look at just our Congress we seem to have the inability to do anything,” Spiezle said. “It’s incredible that we can’t get together on this issue.”