
Category: Data Breaches

Our Economic Security is Threatened By Data Breaches

Image: npr.org

Six months ago the EU General Data Protection Regulation (GDPR) was implemented, setting major fines if user data is not adequately protected. The GDPR requires that users be able to ‘opt in’ to the use of their data, which is why users see cookie permission screens when they access a web site. The regulation gives users primary control over their data and where it is stored. Information on a user must be stored in a non-identified manner. Breaches must be immediately fixed and reported within 72 hours. Companies are required to have a Data Protection Officer who is responsible for GDPR enforcement and for supporting users. Users can require that their data be erased at any time, and individuals can request a portable copy of their data as well. Violators of the GDPR can be fined up to 20 million Euro or 4 % of their annual revenues.

Seer Interactive surveyed both EU and U.S. sites and found that EU sites were much more secure than U.S. sites. Using simple Google search queries, experts were able to glean usernames, addresses, phone numbers, and dollar figures of purchases or donations from the less secure sites.

Source: Statista – 2018

Data breaches reached a peak in 2017 at 1,579 incidents with over 178 million records accessed. An exceptionally large incident occurred at Yahoo, with over 1 billion records accessed, in 2017. In 2015 Experian suffered a data breach exposing 15 million records. About 1 year ago, Equifax was hacked, exposing over 143 million user records including social security numbers, addresses, phone numbers and bank account information. Hearings were held by Congress but nothing happened, except that Equifax tried to fix the problem and eventually gave in to offering a free account freezing service after a major backlash against charging for the service. Identity theft is a huge issue: it is the most common type of data breach, at 59 % of all data incidents. There are reports of a new trend in identity theft in which perpetrators send a ransom email after an account has been hacked, showing the user’s account name and password and then threatening to post private information unless a major sum is transferred to a Bitcoin account immediately.

Next steps:

Senator Mark Warner (D-VA) declared after the Equifax incident, “It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans.” We agree: data breaches of the Equifax and Yahoo magnitude are a real threat to the economic security of all Americans.

So, what has Congress done about making the corporations running the Internet accountable to users for their lack of data protection? Nothing, though two Democratic senators have tried to get legislation passed to protect users.

Senator Elizabeth Warren (D-MA) and Senator Warner introduced legislation in January of this year to hold credit reporting agencies accountable for data breaches and user data protection.

The bill, called “The Data Protection and Compensation Act”, would hold credit reporting agencies (CRAs) accountable for safeguarding all consumer information. The bill establishes FTC oversight of cyber security at CRAs. In addition, when breaches occur, penalties of $100 per consumer plus an additional $50 per consumer for each personal identification record exposed are assessed. In the Equifax case, the penalty would total $1.5 billion. The FTC is instructed to use 50 % of the award to compensate consumers who were victims of the breach. In addition, we believe that provisions should be inserted in every User Agreement requiring that the service provider be accountable to the user, make good any harm done, and report directly to the user within 24 hours that their account has been hacked.

We do have a new House of Representatives being sworn in this January, where Democrats hold a majority, so it is possible that transforming legislation like the Warren–Warner bill could be introduced. Yet the Senate looks to be controlled by the GOP next year, so any likelihood of passage with President Trump in power is nil. Still, we need to keep this issue in front of our political leaders and continue the national discourse, because today Internet corporations are too complacent and will continue to be until penalties have teeth that wake them up to the priority of protecting user data tightly.

Corporations Are Not Protecting Us from Identity Theft

Image: consumer.ftc.gov

There is a contract between users and the online service provider, called a User Agreement, that our privacy and identity will be protected. When Internet platform providers do not protect our privacy and account information they are violating the agreement and should be held legally accountable. These voluminous agreements are written completely from the company’s point of view, forcing the user to turn over content rights to the platform provider. This is just not fair: it is our content and we created it. Like writing with a pen, the pen company does not own the article I just wrote. Neither should Internet platform providers like Google, Facebook and Apple be allowed to do whatever they want with the content I create; they didn’t create it and should not own it.

We bring this starting point up because the latest data breach, belatedly announced by Facebook and affecting 50 million users, is another case in point. Executives casually looked at the problem; their spokesman would not even call it a breach because ‘no passwords were broken into’. Instead, Facebook simply gave access to Cambridge Analytica and then sent a form asking if Cambridge had deleted the data, and the respondent checked a box that said Yes. Facebook never bothered to do due diligence on the firm to see if the 50 million records were actually deleted, records the firm never should have had access to in the first place.

Source: Identity Theft Resource Center – 2017

The majority of the breaches are into businesses, while banking and credit institutions are bringing down their number of incidents. Yet the percentage of incidents that involve social security and credit card numbers is holding steady as hacking into systems increases. Experts at the Identity Theft Resource Center estimate that 171 million records were compromised in 2017, a 44 % increase from 2016. Because it is based only on announced incidents, the 171 million figure is probably on the low side for all the incidents during the year.

Today, Orbitz announced a breach into payment records for 850,000 users. Equifax disclosed last fall that 148 million users had their payment records compromised, though now they say it was ‘only partial driver’s license numbers and names’, not social security numbers or full driver’s licenses or credit card numbers. Yahoo discovered only 2 years later that over 1 billion user accounts had been compromised in 2013. The list goes on and on; what is clear is that the online industry is approaching user privacy and security in too casual a way.

Next Steps:

During the Obama administration a bill was introduced to strengthen privacy protections and make corporations accountable for data breaches. Senator Elizabeth Warren (D-MA) and Senator Mark Warner (D-VA) have introduced a bill to force credit reporting agencies to pay fines when data breaches occur, providing consumers with immediate disclosure and tools for remedying the problem. Senator Warner also introduced a bill to require that credit agencies make credit freezing services available free of charge. Firms like LifeLock actually had a per-user agreement with Equifax to make money from the breach when Equifax users signed up for identity protection.

Plus, we propose a complete review of all online User Agreements to force platform providers to insert clauses that protect user data from hacks with accountability, state that content is user owned, and allow class action lawsuits in the event of a breach to remedy the damage to users who need to repair their credit records and financial information after identity theft.
