America needs a legal firewall to protect data

A view of a Capital One Bank in New York on July 30. Photo Credit: EPA-EFE/Shutterstock/Justin Lane

We should not have to ask for competent data security only after our information has been compromised.

A view of a Capital One Bank in New York on July 30. Photo Credit: Richard Hubert Smith

In the aftermath of the recent Capital One data breach, which came only a year after a massive compromise of the personal information of Marriott guests and two years after Equifax’s servers were compromised, the question we should ask is, What do we do now?

It seems there is no slowing the rapid pace at which hackers are infiltrating the security systems of companies that hold our Social Security numbers, our bank information and our addresses. It seems that companies to which we’ve entrusted our information get off with slaps on the wrist and stern finger wags from lawmakers and then return to business as usual. The monumental fines they are charged are but a thin slice of the gigantic revenue pie they each earn every year.

In the past decade, big companies — such as Adobe, Yahoo, Target and Uber — have had data breaches. As such incidents become the new normal, these cases fall into the background. That is, until the next one occurs.

The Federal Trade Commission said that, on top of paying a $575 million fine, Equifax would be required to take concrete measures to improve its security program, which will be assessed every two years by a third party.

But that’s not enough. We should not have to ask for competent data security only after our information has been compromised.

After so many incidents, it’s inexcusable for lawmakers and regulators at the Federal Trade Commission, among other federal agencies, to throw up their hands and claim that they can’t reshape our laws quickly enough to deal with the complexities that come with living in an increasingly online world. Federal rules should replace a mishmash of state standards, legislation should enshrine consumer privacy guarantees, and deeply consequential fines should be levied if guarantees and standards aren’t met.

This is especially urgent due to the consolidation among the firms that warehouse data for retail companies like banks, hotel chains and retailers. More vital identity data is being stored in fewer places, making the breaches ever more consequential.

The Editorial Board