As the steady tide of data thefts, security breaches and associated mental lapses continues to wash over corporate America, it is becoming ever clearer that the safeguards, policies and regulations we have in place are not working.
This epidemic—and that's exactly what it is at this point—is getting worse by the day. The Gap announces that one of its vendors reported a stolen laptop containing the personal data of 800,000 luckless folks who had applied for jobs at the clothing retailer. Accenture reveals that a backup tape loaded with the confidential data of an unknown number of Connecticut residents was stolen from a car belonging to—wait for it—an intern working for the State of Ohio. And the Commonwealth of Massachusetts announces that one of its agencies accidentally included the Social Security numbers of 450,000 state residents on computer disks it mailed to people who had requested data on professional licensees in the state.
By now, the story arc of these incidents is as familiar and predictable as that of a John Hughes movie. Company A discovers the breach and subsequently reports some small subset of the details to the public. Company executives say a comprehensive investigation has revealed that it was an isolated incident and that none of the data has been used illegally. The executives also vow to put better procedures and safeguards in place, while reminding customers of how much the company values their business. Two days later, another breach occurs at Company B, and Company A is off the hook and out of the headlines. Maybe—maybe—Company A eventually pays a fine and/or restitution to its customers. End of story, roll credits.
The problem here is that each of these breaches, thefts or acts of negligence is in fact treated as an isolated incident, and that's not at all what they are. Rather, they are indisputable evidence that organizations that collect and store our personal information have absolutely no business doing so. They're clearly not capable of doing it responsibly. At what point did it become acceptable for cell phone carriers to require a Social Security number on a service contract? Or for discount retailers to store credit card data for months after it is no longer needed? Or for companies to trust confidential data to green interns?
The answer is, it happened little by little. These things never happen all at once. And we as consumers are as much to blame for it as the incompetent companies holding the data are. We've let our expectations of privacy erode in so many small ways in the last few years that no one even thinks to object when some teenager at the register asks for your phone number. But the time to fix that has long since passed. None of these companies is about to give up the precious marketing data that it already has. The thing to do now is to focus on what can be done in the future to get things back on track.
If we accept that the root of the problem is that too many companies and government agencies are storing too much allegedly confidential data, then one solution might be to take those organizations out of the equation. TJX-owned retailer Marshall's does not need to be in the data-collection business. So instead of allowing dozens or hundreds of individual companies and agencies to store your SSN, medical history, financial history or other personal information, you could voluntarily store it in one central database and then grant access to it on a need-to-know basis. Mortgage companies, doctors, potential employers and whoever else an individual chooses to authorize would be able to access whatever particular slice of that individual's data they need at the time, but would not be able to store it locally.
Systems like this already exist in some areas, including health care, thanks to Microsoft's new HealthVault site. HealthVault enables consumers to create personal health records, entering whatever data they choose and parceling it out to providers as they see fit. The main obstacle to this personal information store clearly is the establishment of the central data warehouse. Who administers it and who pays for it? The other big drawback is that a central database of this size would be an irresistible target for attackers of all stripes. And as we've seen in the past, determined, professional attackers will almost always find a way to compromise a target given enough time. Also, establishing the central data store would do nothing to remove consumers' personal data from existing commercial databases. And, because private companies have no responsibility to tell you if your information is in their databases, this overarching database would probably just add another level of complexity to the existing problem.
So maybe the answer is mandatory penalties, including stiff fines and restitution, for companies that compromise customer data. Right now there isn't a national law that addresses this, although it's been under discussion in Congress for some time. The events of the last few years have shown us that public embarrassment through breach disclosure does virtually nothing to encourage better security controls. Consumers also have not punished the offending companies by taking their business elsewhere. So it appears that the threat of serious fines may be the only hammer that has any effect on this epidemic. What form any such legislation takes and how it is enforced remain to be seen. Right now the existing identity theft measures only address the effects of the data breach problem, not the cause.
Whether it's a technological solution, a legislative one, or a combination of the two, something must be done, and fast. Consumers quickly are becoming inured to data breaches, seeing them as just another petty annoyance. That's an untenable situation. The alternative, which is leaving things as-is, will only produce a future that looks a whole lot like the present. And that's not much of an alternative at all.