[BreachExchange] To Prevent Another Equifax Breach, Treat Data Leaks Like Oil Spills

Fri Sep 8 19:56:01 EDT 2017

https://www.cfr.org/blog/prevent-another-equifax-
breach-treat-data-leaks-oil-spills

Another day, another data breach. At this point, we all know how this will
unfold. The markets have taken their five percent chunk out of Equifax.
Everyone will get another year of credit monitoring. People will be fired.
New people will be hired. Equifax's security budget will double. Lawsuits
will be settled. Equifax isn’t going out of business, though maybe it
should.

The decades-long belief that disclosure alone will get the markets to fix
the problem clearly hasn’t worked. A stronger, tougher, national breach
notification requirement like the one in Europe won’t make the market value
security. Significant and certain financial costs could get the markets to
take data breaches seriously. Raising the financial costs of losing
personal records from the current average of $158 per year to a fixed fine
(paid to the individual victim) of say $1,000 would be a good start.

Let’s dispense with the class action lawsuits (anyone who has checked with
Equifax to see if there data was lost may have already waived their right
to sue). Setting a high dollar figure per record and making that payment a
certainty will make companies think twice before asking for this data (do
you really need my Social Security Number to provide me with cable
service?) and twice more before storing it.

If Equifax knew with certainty that the consequences of a data loss were
going to cost them $1000 per compromised record, this incident might never
have happened. While regulators can’t show up with clip boards and make
companies more secure, significant financial penalties would start to get
market forces working in favor of security.

But the real goal of public policy should not be to punish companies by
forcing them out of business after a breach; it should be to create the
proper incentives to prevent the data loss in the first place.

Even with high fines, many companies might choose to roll the dice and
simply accept the risk that in the event of a data breach, they will go out
of business. Legal shenanigans would inevitably ensue to create holding
companies so that no assets are put at risk.

To avoid that outcome, U.S. policymakers should steal a play from
environmental policy and require companies to carry insurance to cover the
full societal costs of the loss.

If oil tankers want to operate in U.S. waters, they are required to have a
“certificate of financial responsibility” issued by the U.S. Coast Guard
National Pollution Funds Center. The certificate shows that the vessel
carries the necessary insurance to cover the full loss of cleanup should
the oil be lost.

These are massive and mandatory multi-billion dollar policies. And because
insurers don’t want to pay them out, the maritime industry has developed
rules and requirements for transporting oil like double-hulled ships that
have made spills like the Exxon Valdez a thing of the past.

Applying this concept to cybersecurity, Congress should establish by law a
process to set the societal cost for the loss of personal records by a
company as well as a requirement that companies prove they have the
insurance to pay out that cost in the event of a total loss. By doing so,
Congress would give industry the necessary incentive to invest in security
and for insurance companies to be able to measure the risk reduction.

If such a regime were in place, many companies might conclude that the
business of buying and selling personal data is not such a great way to
make money. That would be a good thing.

The services that Equifax provides are valuable. If it can’t figure out how
to provide those services securely and prove it to an insurance company,
another company would. Preventing a data breach like this is not
impossible. There are companies that have been actively and successfully
managing far more sophisticated threats for years. But it’s not cheap, and
it’s not easy. It requires embedding security into the core of the
business, what Equifax should have been doing from the start. A regime that
increases the costs of a data loss and requires companies to prove they can
pay it out would do what no amount of bad press has ever been able to do:
make the boardroom value security.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170908/bc887490/attachment.html>