On January 20, as most of the nation focused on an historic inauguration, Heartland Payment Systems, a credit card payment processing company, acknowledged that data thieves had installed spyware on its network to steal credit card details throughout 2008. The company says it handles about 100 million payments a month, and doesn’t yet know how much information was stolen; the theft might be the biggest data breach ever.
But does anyone really care? Or rather, should anyone care?
Data breach laws in 44 states require companies to report the loss or theft of personal data, and such laws no doubt prompted Heartland’s revelation at 2008breach.com. But hundreds of other breaches pass unnoticed by most consumers. Though intended to spur companies to follow strong security practices to safeguard sensitive data, the laws don’t seem to be achieving their purpose.
Case in point: The Identity Theft Resource Center, a San Diego-based organization that provides free assistance to identity theft victims, found that the number of reported data breaches jumped from 446 in 2007 to 656 in 2008–an increase of 47 percent.
The ITRC’s Jay Foley believes that most of the increase reflects not an actual increase in breaches, but rather an increase in the reporting of them. While that can be seen as a success for the data breach laws, it can also be seen as a failure: It’s good if the laws are getting companies to be more on the ball about letting us know when a breach has occurred, but their underlying goal should be to put pressure on companies to prevent losses in the first place.
Existing laws assume that the public and the media will decry each breach and cause the affected company to take a hit to its reputation. But with 656 breaches occurring in a single year, it’s a safe bet that most of them won’t get much notice.
Foley believes that with the addition of some necessary updates, such as requiring that all breaches are reported to state attorneys general and that notifications to affected consumers contain all the pertinent theft and remediation details, the existing data breach laws will work.
I’m not so sure. I recognize that companies are extremely anxious to avoid the public relations hit they are likely to suffer following a reported breach–a point that Chris Hoofnagle, director of the Berkeley Center for Law & Technology’s information privacy programs, emphasizes.
But Hoofnagle also points out that if we are truly deadened to hearing about more and more incidents, the fallout won’t affect companies nearly as much. If that’s the case, we likely need regulatory teeth to push companies to handle our data properly.
No matter how careful we are in protecting our identities, the vast majority of our sensitive data is held by companies over which we have no control. Those companies need the right incentive–or threat–to care about our data as much as we do.