Image: With a few lines of code, cyber criminals and governments have been able to infiltrate the security of banks and retailers and steal hundreds of millions in customer records. (Shutterstock)

JPMorgan Chase early last month disclosed that cyber thieves pilfered account data on 76 million households and seven million small businesses over the summer, one of the biggest breaches ever and only the latest of the many that have made headlines in recent years. Such thefts are beginning to seem as inevitable as death and taxes.

Even worse, while some breaches are widely reported in newspapers, many more occur at small firms and receive hardly any attention at all. Since 2005, there have been more than 4,400 data breaches that have exposed close to a billion records in all, according to Privacy Rights Clearinghouse, a California non-profit that advocates for consumer privacy.

The repeated breaches lead us to ask the obvious questions: why are we seeing so many? Why are firms not protecting our data more aggressively? And what can we do about it?

As more and more data migrates into the digital realm and firms increasingly link with one another and with their consumers on faster and ubiquitous broadband networks, it is inevitable that at least some of this information will leak, whether through carelessness or malintent. But we should be able to expect that firms are investing sufficiently in their network security to keep our data as safe as possible.

Some of this is definitely happening, and firms are increasingly paying more attention. A week after JPMorgan’s disclosure, for example, the bank said it would likely double its US$250 million cybersecurity budget.

It’s important to note that data breaches do not directly hurt the firm; they most directly harm the consumer, whose personal information could then be used for fraud and identity theft. This is what economists call an “externality,” making it less likely that the company will voluntarily fix the problem since it doesn’t bear the cost. Another example of an externality is pollution, which affects not the owner of the facility but citizens living downstream from the carbon-spewing plant.

Image: JPMorgan’s Jamie Dimon vowed to double his bank’s cybersecurity budget following the disclosure that 76 million household records were stolen. (Steve Jurvetson/Flickr, CC BY)

Shining light on lapses

To deal with externalities, governments generally impose taxes and fines to recoup the resulting costs to society or penalize the behavior. In the case of data breaches, policymakers have generally used transparency as a way to ensure companies suffer some of the costs of information theft.

Among the most popular tools are data breach notification laws, fashioned after one California passed in 2003. Currently 47 states have passed similar laws that require firms to send notices of any breaches to consumers, alerting them to take certain preventive steps. The notifications are also intended to put the firm in an embarrassing position by forcing it to disclose its poor security practices, thereby creating incentives to invest in better protecting its data.

The Securities and Exchange Commission is considering a similar effort to provide guidelines on how and when companies should disclose these risks and actual cyber attacks in their regulatory filings. These types of rules, coupled with the intense media attention following a data breach or security lapse at a firm, are meant to shine light on poor practices in hopes that the market and competition goad companies into taking adequate security precautions.

Holding companies liable

But, looking at the frequency of data breaches, these efforts do not seem to be adequate in stopping or even slowing them down. So what else can we do? One possibility would be to amend tort laws so that firms that suffer a breach are held directly liable for any harm to consumers and forced to compensate them for any losses. California recently proposed an amendment to its data breach notification law that would also make retailers liable for customer financial losses. It is not clear whether the bill will pass, though.

A more far-reaching approach would be to pass a uniform, national notification law, an idea that is being widely discussed. Currently we have a hodgepodge collection of regulations from one state to the next that seem to be satisfying no one. A federal law focused on strong transparency and penalties for negligence might provide the right kind of incentives for firms to protect customer data without the government dictating the terms.

The weakest links

But even if security at the large banks and retailers became impenetrable, thieves could still find a way to steal data via third-party vendors, which do not face the same level of public scrutiny and do not have budgets to hire cyber security people of their own. Thus they are not as secure as the banks and major retailers.

The data breach that hit Target, for example, happened because of a third-party vendor. It is likely that many of these companies will have to get some sort of certification or provide contractual warranties to prove their systems cannot be easily exploited.

Criminals looking to make a quick buck from our data, of course, are not the only ones behind all the breaches. Many fingers have pointed to nation states, and it is not clear whether private firms could ever invest enough in cybersecurity to thwart such attacks. It would be prohibitively costly to do so.

Companies likely need the help of their own governments, but private firms naturally find it difficult to share sensitive information, whether with an agency or in an SEC filing. They have more incentives to cover up data breaches.

There have been attempts to establish public policy that encourages companies to share information on intrusions and data thefts. Some of the newer proposals in the Senate and House outline ways to make it attractive for private firms to share sensitive security breach data with government agencies, even providing liability protection. The question is whether such a bill can pass or how effective it would be in spurring useful data sharing.

It will be costly if we hope to reduce the frequency of cyber attacks and prevent the loss of our names, addresses, telephone numbers, credit card details and other private data. And those costs will likely be passed on to consumers through higher prices. At the end of the day, if we want more security (just like a safer car), then consumers have to demand it and be willing to pay for it. The hope is that in the long run, security becomes a default rather than an option.

This article is part of a series on cybersecurity. More articles will be published in the coming weeks.


Rahul Telang does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.
