Announcing the #DataInsecurity Project

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Last December, millions of consumers busily rang up more than $600 billion in holiday purchases. Unfortunately, hackers were also having a field day — at consumers’ expense. We learned that lax security procedures combined with an insecure payment mechanism resulted in as many as 110 million shoppers at retail giant Target having their personal information compromised.

Security journalist Brian Krebs, who first broke the story of the Target breach, recently published a startling set of numbers that demonstrate the impact of this one incident. They include:

  • $200 million – The cost to credit unions and community banks for reissuing 21.8 million credit and debit cards;
  • $18-35.70 – The median price range per card stolen from Target and resold on the black market in the months after the breach;
  • 1-3 million – The estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud;
  • $53.7 million – The estimated income that hackers generated from the sale of 2 million cards stolen from Target (at a median price of $18-35.70); and
  • $55 million – The size of outgoing Target CEO Gregg Steinhafel’s golden parachute.

Sobering as these numbers are, they represent the fallout from a single data breach, albeit a massive one. In 2013, the Verizon RISK team reported more than 1,300 data breaches. The non-profit Privacy Rights Clearinghouse, which tracks data breaches, reported that more than 257 million records were compromised last year as well. A recent study by the Ponemon Institute found that the average total cost of a data breach in the U.S. is $5.85 million per incident. The probability that a U.S.-based organization will experience a breach of at least 10,000 records in the next 2 years is 18.7 percent, according to the Ponemon study.

By 2020, annual global data production is expected to hit 35 zettabytes (or 35 trillion gigabytes). This data explosion will power unfathomable changes to consumers’ daily lives. However, the existence of that much data – much of it personal and very valuable to malicious actors – demands stronger security practices. Federal agencies like the FTC are doing yeoman’s work to hold companies to account for lax data security. But the FTC’s authority in this area is being challenged in the courts, and case-by-case adjudication is unlikely to sufficiently address the larger problem. The National Institute of Standards and Technology has developed a voluntary Cybersecurity Framework, but companies and other entities are not compelled by law to adopt it. Standards bodies like the PCI Security Standards Council have industry backing, but their standards are sector-specific.

While no one can wave a magic wand and solve the problem of data security, more can and should be done in Congress to give enforcement agencies the tools they need to protect consumer data and prod industry to make data security a top priority.

That is why we are announcing today the launch of the NCL #DataInsecurity Project. We are calling on policymakers in Congress, federal agencies and the states to be champions for data security. For too long, policy inertia has prevented meaningful reform on Capitol Hill and elsewhere that would better protect consumers’ data. There are a number of promising bills currently pending in Congress, but more can and must be done. Pro-consumer steps to enhance data security include:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice;
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data.

In an era when vast amounts of data are being collected about them, consumers must have confidence that their information is safe. The Target breach was a wake-up call. We can no longer sit idly by while sophisticated hackers steal with impunity and businesses accept the status quo as just another cost of doing business. The time for reform is now.


Target CEO is out

By Sally Greenberg, NCL Executive Director

This week the CEO of Target, Gregg Steinhafel, resigned. He was unable to recover from the damage caused by a massive data breach at the company – which happened right in the middle of the holiday shopping season last year. Last December, Target announced that 40 million customers’ credit and debit cards and personal information had been compromised. Steinhafel was with the company for 35 years.

Target’s experience is a cautionary tale for corporate leadership. The company was slow to respond to the panic that set in when consumers learned their card information had been compromised. I remember reading the advisory the company posted in December telling consumers all the things they had to do to protect themselves. There was precious little the company shared with its valued customer base – many of whom were Target credit card holders – about what it intended to do to protect customers after the breach and into the future.

NCL issued a statement after the breach calling on retailers in the US to get with the program and adopt a more secure credit card system, Chip-and-PIN. That protocol is used widely in Europe and is far less vulnerable to the counterfeit-card fraud that follows a point-of-sale breach, because the chip generates a one-time cryptogram for each transaction rather than exposing static magnetic-stripe data that can be copied onto a cloned card. Criminals are busy 24/7 figuring out how to hack into retailer databases. We need to fight fire with fire. American consumers deserve the best protection for our financial transactions that the industry has to offer. Companies that don’t adopt these protections will find themselves much like Target – losing customers’ trust and their business along with it.

Mega-breaches and the importance of the Wyndham decision

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Consumers can be excused for not following the minutiae of U.S. district court decisions, but developments this week in New Jersey marked an important victory for data security. On Monday, Judge Esther Salas allowed a lawsuit brought by the Federal Trade Commission against Wyndham Worldwide Corp. (the parent entity of Days Inn, Howard Johnson’s and Ramada, among other hotel chains) to move forward. From 2008 to early 2010, hackers breached Wyndham’s computer network, stealing credit and debit card information of approximately 500,000 customers. In 2012, the FTC sued Wyndham for the company’s alleged failure to adequately protect its customers’ information from theft.

To date, the FTC has settled more than fifty similar cases resulting from businesses’ failure to put in place reasonable data security measures.  However, in the Wyndham case, the company is challenging the FTC’s authority to regulate corporate data security practices. This is important because the FTC is the only federal regulator charged with holding companies accountable for failure to protect their customers’ data. Had Judge Salas agreed with Wyndham, it would have threatened to eliminate the FTC’s authority to hold companies to account.

The importance of Judge Salas’ decision was put in stark relief yesterday when security firm Symantec published its latest Internet Security Threat Report. The report, one of the most comprehensive security assessments in the industry, didn’t mince words, calling 2013 the “Year of the Mega Breach,” when “cybercriminals unleashed the most damaging series of cyberattacks in history.”

Headlines from the report include:

  • 91% increase in targeted attack campaigns in 2013
  • 62% increase in the number of breaches in 2013
  • Over 552 million identities were exposed via breaches in 2013
  • Spear-phishing campaigns saw a 91% rise in 2013
  • 38% of mobile users have experienced mobile cybercrime in past 12 months
  • 8 of the breaches in 2013 exposed more than 10 million identities each
  • 1 in 8 legitimate websites have a critical vulnerability
  • 500% increase in ransomware scams in 2013

The Symantec numbers are just the latest in a string of warnings coming out of the cybersecurity community about the growing threat from hackers. For example, Tuesday also marked the end of Microsoft’s support for the Windows XP operating system, which may still be installed on nearly 28 percent of desktop computers, as well as ATMs and government computer systems. Reports indicate that this could result in a field day for hackers, because vulnerabilities discovered in the operating system from now on will never be patched. News about a major vulnerability in the widely used OpenSSL cryptographic library (the bug now known as Heartbleed) could expose the two-thirds of websites that run it to hackers. And those are just the warnings coming out this week!

While Monday’s decision in the Wyndham case was encouraging, the issue is far from resolved. Wyndham has stated that it will continue to challenge the FTC’s authority to regulate companies’ data security practices. This means consumers are still in danger of losing the most important data security cop on the beat. Given the constant stream of data security warnings, it’s imperative that uncertainty about the FTC’s ability to regulate data security be addressed. A number of bills currently pending in Congress would do just that. The FTC should also convene a workshop to examine the issue in depth, as NCL and others suggested last month.

To be clear, there isn’t just a cybercrime wave going on right now. What consumers and businesses across the country are experiencing is more like a cybercrime tsunami. Policymakers in Washington need to make sure the FTC can continue to respond to this threat before we’re all washed away.

The time for credit card security reform is now

(Photo: Steven Senne, AP)


During the busiest shopping time of the year – the period between Thanksgiving and Christmas – Target, one of America’s largest retailers, suffered the second biggest data breach in US history as 40 million credit and debit cards were compromised. Americans assume that when they shop their personal financial information will be kept private and away from identity thieves. Unfortunately, that is not always the case, as evidenced by the more than 4,000 data breaches that have been reported since 2005, an average of more than one a day over the last nine years.

Consumer advocates hope that the scale of the Target data breach will serve as the impetus for much needed credit card security reform. The time for change is now. Although consumers’ financial information will never be 100% secure, there are things that can be done. Retailers can encrypt card data from the moment it is captured and harden the networks that carry it. Credit card companies can encourage the use of “Chip and PIN” technology in their credit cards. Our politicians can pass legislation establishing a national data breach notification standard and urge the Obama Administration to explore incentives and penalties to encourage private sector businesses to better protect consumer data. These changes will not happen without pressure from consumers.

This week, a group of Democratic Senators requested that the Senate Banking Committee hold hearings to examine cybersecurity practices. The letter, written by Senators Robert Menendez (D-NJ), Mark Warner (D-VA), and Charles Schumer (D-NY), stated, “We believe it would be valuable for the Committee to examine whether market participants are taking all appropriate actions to safeguard consumer data and protect against fraud, identity theft, and other harmful consequences, and whether we need stronger industry-wide cybersecurity standards.”

Changing and improving security standards will inevitably cost time and money. No one wants to foot the bill for needed innovations. Our lawmakers must capitalize on the current consumer awareness of the need for better cybersecurity and hold a congressional hearing to determine how businesses can better protect consumer data.

Shoppers deserve trust and security from our biggest retailers

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud

Imagine that you’re the CEO of Target today. As one of the 25 most admired companies in the world, consumers’ trust in your brand is paramount to your success. Over the past week you’ve learned that your company is the victim of one of the largest retail data breaches in U.S. history. Cyber thieves compromised 40 million consumers’ credit and debit cards. To add insult to injury, the breach happened during the height of the holiday shopping season – the most important month in your company’s calendar. With every media story about the incident, each outraged consumer Facebook comment and critical tweet, that trust is eroded. It’s clear that Target is facing a public relations nightmare. How they react to this will determine how much faith consumers will continue to place in the brand.

Unfortunately, the advice consumers are getting from the company so far is depressingly familiar: monitor your credit and debit card statements, keep an eye on your credit report and report irregularities promptly.

This is the advice consumers hear after virtually every data breach. Are the increasing number of data breaches just something that consumers need to get used to? In a recent article about the Target breach, Mark Rasch, a former U.S. prosecutor of cybercrime, said, “Most of these attacks are just a cost of doing business.”

As advocates for consumers, we categorically reject the notion that the status quo is an acceptable outcome.

We must not accept a marketplace where consumers are asked to make ever more data available to more entities but are stuck with the consequences when those entities fail to protect our data. We think that the government and private sector can and should do more to protect the vast amounts of sensitive data that they are collecting from consumers.

This is not a new issue. For decades, data security experts have discussed ideas about how to improve the situation. At its core, consumer and business data is the focus of a never-ending arms race between those that want to protect consumer data and those that want to steal it for fraudulent uses. Just as no bank can ever be 100% secure from a robbery, no data can ever be 100% secure from a breach. However, consumers should be able to rely on a certain basic level of data security.

Unfortunately, that is exactly what we lack today. Shockingly, there is no single law in the U.S. that mandates the steps businesses must take to protect their customers’ data. Instead, consumers are reliant on precedents set by Federal Trade Commission enforcement actions. Since 2000, the FTC – under its “unfair and deceptive acts or practices” authority – has brought nearly fifty data security cases against companies whose data security practices (or lack thereof) have put consumers at risk. However, that authority could be taken away if the FTC loses in two closely watched court cases. Should the FTC lose, consumers will be left without one of the most important watchdogs in this fight.

Consumers should not be left to fend for themselves against the legions of sophisticated and organized data thieves. The Target breach, and the daily smaller breaches that go unreported should serve as a wake-up call for legislators and regulators that data security reform is urgently needed.