In 2013, Delaware-based credit agency Experian discovered that a hacker posing as a private investigation company had used one of its subsidiaries to gain access to Social Security numbers, birth dates and financial account information for more than 200 million Americans.
This year, the U.S. Office of Personnel Management discovered that a breach initially believed to have exposed Social Security numbers and other personal data for 4.2 million government employees had in fact exposed background check details for 21.5 million people, including employees' spouses and friends. An additional 1.1 million could have had their fingerprint data compromised.
As the nature of data breaches swiftly evolves from stolen PINs to stolen identities, befuddled consumers and appalled industry insiders alike are raising questions about how institutions are protecting the data entrusted to them.
“If Target gets breached again, a credit card can be reissued and you can pick up a credit monitoring service. If you have your home address, billing records, birth date, Social Security numbers stolen, that kind of stuff can’t be easily replaced,” said Eric Wan, CEO of Arizona-based cybersecurity firm Simple Wan.
Between Experian, the Office of Personnel Management and a February breach of health care company Anthem Inc. that affected 80 million people, the idea that companies collecting personal information should be held to a higher standard of data security is gaining steam.
The question is, will it take a federally mandated cybersecurity policy to force change or can court-ordered financial penalties result in stronger self-policing among corporations?
In American courtrooms seeing the first wave of lawsuits related to cybersecurity breaches, injured consumers have received awards, but it's not clear the damages imposed on companies have been enough to encourage change.
A class-action lawsuit filed against the Office of Personnel Management in July alleges that the agency ignored warnings of deficiencies in its network security system and failed to adequately secure its servers and databases. The plaintiffs in the suit are asking for lifetime credit monitoring, upgrades to the agency’s IT security and an exemption from having personal information collected digitally until security upgrades are complete.
Also in July, Experian was hit with a $5 million class-action lawsuit claiming the company failed to thoroughly investigate subsidiary Court Ventures Inc. before acquiring its assets and accepted payments from the hacker with "no questions asked."
According to court documents, the Experian suit was filed in large part “to hold the defendant accountable” and “to ensure Experian never engages in this type of conduct again.”
But with the company bringing in $1.05 billion in profits before taxes last year, some doubt a $5 million payout will be a catalyst for systemic change.
"That's chump change to them. That's 'we'll give you $5 million to go away,'" said Ed Mierzwinski, consumer program director of Washington, D.C.-based U.S. Public Interest Research Group. Mr. Mierzwinski, who has coauthored numerous reports on privacy and identity theft, noted that larger awards have been granted in settlements from Target and other companies involved in breaches but said none were large enough to put a dent in a company's operations.
He said part of the reason for the small awards is the difficulty of proving to the court exactly how much damage has been done, when a breach affecting millions could result in only a few thousand identity thefts initially. If a consumer experiences another breach and is hit with identity crime years down the road, he or she may have no idea which breach led to the intrusion.
“Three years from now I wouldn’t know if I was an OPM victim, a Target victim, an Anthem victim or a Neiman Marcus victim,” Mr. Mierzwinski said.
Beyond the 47 states, including Pennsylvania, that have enacted laws requiring swift notification of consumers affected by data breaches, the Health Insurance Portability and Accountability Act, state attorneys general, the Federal Trade Commission and other federal statutes provide some degree of oversight of data breaches, said David Thaw, assistant professor of law and information sciences at the University of Pittsburgh School of Law.