4 Points About the Target Breach and Data Security
There seems to be a surge in data security attacks lately. First came news of the Target attack. Then Neiman Marcus. Then the U.S Courts. Then Michael’s. Here are four points to consider about data security:
1. Beware of fraudsters engaging in post-breach fraud.
After the Target breach, fraudsters sent out fake emails purporting to be from Target about the breach and trying to trick people into providing personal data. It can be hard to distinguish the real email from an organization having a data breach from a fake one by fraudsters. People are more likely to fall prey to a phishing scheme because they are anxious and want to take steps to protect themselves. Post-breach trickery is now a growing technique of fraudsters, and people must be educated about it and be on guard.
2. Credit card fraud and identity theft are not the same.
The news media often conflates credit card fraud with identity theft. Although there is one point of overlap, for the most part they are very different. Credit card fraud involving the improper use of credit card data can be stopped when the card is cancelled and replaced. An identity theft differs because it involves the use of personal information such as Social Security number, birth date, and other data that cannot readily be changed. It is thus much harder to stop identity theft. The point of overlap is when an identity thief uses a person’s data to obtain a credit card. But when a credit card is lost or stolen, or when credit card data is leaked or improperly accessed, this is credit card fraud, and not identity theft.
3. Data breaches cause harm.
What’s the harm when data is leaked? This question has confounded courts, which often don’t recognize a harm. If your credit card is just cancelled and replaced, and you don’t pay anything, are you harmed? If your data is leaked, but you don’t suffer from identity theft, are you harmed? I believe that there is a harm. The harm of credit card fraud is that it can take a long time to replace all the credit card information in various accounts. People have card data on file with countless businesses and organizations for automatic charges and other transactions. Replacing all this data can be a major chore. People’s time has a price. That price will vary, but it rarely is zero.
A data breach also causes a harm because people are at greater risk for fraud and will feel anxiety and concern. People might reasonably spend money and time to protect themselves. One problem is that recognizing harm can be a Hobson’s choice for courts. Recognize harm, even a tiny one, and there’s a floodgate of class action suits and damage awards that could total billions because of the enormous numbers of people whose data is affected in a breach. A small harm multiplied by tens of millions of people can really add up to catastrophic damages for a company. Failing to recognize harm is bad, too, because there really is harm, and it needs to be appropriately deterred and redressed. I’ve been thinking a lot about privacy and security harm and I’ll discuss the issue later on in another post.
4. Data security is hard.
In the past, when I heard of breaches, I used to want to scream: “Come on! How can this still keep happening?” But now that I have a business providing data security awareness training, I have realized just how challenging maintaining data security can be. Data security requires an odd combination of controlling technology as well as controlling people. On the technology side, it is expensive to do things right. And even if everything is done right, a breach can still happen. On the people side, humans are one of the biggest sources of vulnerability. People are too quick to click, too eager to grab data and take it places, and often lack sufficient awareness to be careful and vigilant. And people are hard to control. Tell a computer what to do, and it’s done. Tell a human what to do, and who knows what will happen?
Of course, the fact that data security is hard should not absolve organizations that fail to follow best practices. But we must respect the fact that data security is hard. It is hard to follow best practices, and a breach can still happen even if best practices are followed. There is something missing with the discussion about the NSA gathering zillions of pieces of data and with President Obama’s rather anemic solution of just having the data stored somewhere other than the NSA. What is missing is the recognition that this huge repository of data must be kept secure – no matter where it is kept!
Far too often, the fact that data security is hard is ignored by government and companies when deciding to collect and use personal data. And this fact is ignored by the government when requiring businesses to keep and store data. For example, in recent years, the IRS began requiring businesses to file 1099 forms for a wide array of services provided by others. Now, all businesses (many of which are small businesses) must collect and store many more people’s Social Security numbers. That’s a huge security risk. I point this out not to suggest that this measure is wrongheaded, but that data security is implicated in so many measures like this one, and thus deserves more consideration and attention.
As government and industry rush into using biometric identifiers, such as fingerprints and iris scans, as they collect and store sensitive data in larger data repositories, they are doing so in a world where data security is hard. At the very least, the fact that data security is hard should lead to greater pause and caution.
Cross-posted at LinkedIn