As I write this, two very large and very significant breaches have recently either taken place or been revealed: Yahoo's breach, now known to have affected all 3 billion of its user accounts, and Equifax's breach, affecting at least 145 million people.
But there are countless other breaches every day, so many that most never make the news, even when they are disclosed.
And there are many more that are never disclosed because the owner of the system isn't aware of them.
Both Deloitte and Accenture left data exposed, and the only reason those exposures were closed was that someone outside the organization told them about it.
So how do we fix this problem? Unfortunately, there is no easy answer, but here are some thoughts to mull over.
- Consumers don't really care about credit card and bank account breaches because they have limited to no liability, and doing something about it requires work. When there is no real upside for the consumer, they are not motivated to expend effort. If consumers were liable (which is not likely to happen), they would be much more motivated to improve their security, for example by not setting their account password to "password" or "123456", the two most popular passwords year after year. So how do we get consumers more motivated? I don't know, but it is a great question.
- Two-factor authentication (2FA). 2FA is a way to log in that requires you to provide something you know (like a password) and something you have (like a one-time PIN generated on your phone). But this makes the site harder to use, which is the last thing a business wants, and no law requires it, so, in the interest of not driving away customers, businesses don't require it, not even most banks. In fact, the numbers I have heard say that only 1 to 2 percent of users have turned on two-factor authentication. Possibility: make two-factor authentication mandatory.
- Cyber insurance. Even in the face of all these breaches, many businesses, maybe over half, do not have cyber insurance. Information from the insurance carriers says that about 12 percent of drivers involved in accidents don't have insurance, even though auto insurance is mandatory. Should cyber insurance be mandatory? Currently, carriers do ask businesses to fill out a questionnaire in order to get cyber insurance, but I have never heard of anyone being turned down. Maybe it happens, but not very often.
- CEO personal liability. In rare cases the CEO gets fired after a breach. The CEO of Equifax "retired" after the breach, but the company will pay him about $90 million over the next couple of years to go away. That doesn't seem like much of a punishment. Should CEOs be personally liable? Sarbanes-Oxley has such a personal liability clause, and it isn't very popular. I also cannot remember any CEO being fined or jailed under that liability, so it doesn't seem to either work or get used much.
- Lawsuits. After every breach there are lawsuits, against everyone: executives, boards, companies, you name it. Most of these lawsuits are dismissed for "lack of standing". Even in the rare cases where they are settled, the amounts are small: $25 million in the case of one of the Target lawsuits. For a multi-billion-dollar company like Target, that is less expensive than fixing the problem.
- Europe. Now this one is dicey. Starting next May, for companies that do business in the European Union, regulators can fine a company that has a PRIVACY breach up to 20 million euros or 4 percent of its GLOBAL REVENUE, whichever is higher. For a company like Yahoo, with revenue of a little more than a billion dollars, a 4 percent fine could amount to as much as $50 million. While that won't make Yahoo go broke, it will hurt. A 20 million euro fine will definitely make smaller companies wince. Should the U.S. do something like this?
I don’t have the answers, but I am interested in what you think. Let me know and I will publish your comments in a future post.