U.S. needs a comprehensive data-protection plan for the nation
Last week, I discussed the massive Marriott International, Inc. data breach of its Starwood reservation system, which might affect as many as 500 million Marriott guests. In the article I discussed what Marriott customers affected by the breach can do for themselves to protect their identity and finances.
Data breaches of various sizes seem to be happening everywhere, in all types of businesses, organizations and government. Consider four of the most massive U.S. data breaches since 2013. Yahoo, a division of Verizon Communications, had 3 billion accounts breached. Equifax, one of the nation’s major consumer credit reporting companies, had 147 million consumer accounts compromised. The breach of Target, one of the U.S.’ largest retail companies, affected 40 million customers.
The financial sector has had data breaches, too. Hackers compromised 76 million clients of J.P. Morgan Chase in 2014. In 2005, CardSystems Solutions suffered what was then the largest data breach in history, hitting 40 million credit cards. The breach was a major reason for the company’s sale by the end of that year.
Data breaches like Marriott’s, Starwood’s before its merger (500K guests), Hyatt’s (250 hotels), Mandarin Oriental Hotel’s (10 hotels), InterContinental Hotels Group’s (1,200 hotels), Trump Hotel’s (8 hotels) and Hilton’s (2015 scope unreported) specifically affect travelers. Other hacker break-ins affect everyone, including travelers.
There are continuing signs that the hotel industry is not implementing essential security protection. Brian Krebs, an investigative reporter on cybercrime, points out, for example, that the hotel industry in the U.S., with some exceptions, continues to swipe chip-enabled cards through magnetic-stripe readers instead of using chip readers. I note that many hotels and hotel chains still do not accept mobile payment systems, which eliminate the hotels’ need to store credit and debit card information. It’s also important to realize that some hotels, like Marriott/Starwood, have had more than one data breach.
Shelly Palmer, a well known technology consultant, has said of the hospitality industry’s security, “Like many industries that are venerable and mature, hotels have legacy systems that were not designed for the world we live in today.”
For all consumers, including travelers, if a data breach occurs, the public needs to know about it sooner rather than later, because in the end, consumers are their own first line of defense against hackers. No one will act on or monitor the personal identity and financial situation of each consumer like they will for themselves. If companies, including travel companies, retailers and financial institutions, delay informing the public about hackers breaching their data, or keep it secret, consumers aren’t able to activate their defensive measures with essential timeliness, if at all.
“This year we saw, yet again, that cybercriminals are still finding success with the same tried and tested techniques, and their victims are still making the same mistakes.”
That statement, coupled with the report’s detailing of 2,216 confirmed data breaches in the last year, should give consumers and government officials great pause. It makes me ask the question, “Are businesses taking their customers’ privacy and security seriously enough?” I don’t think they are.
Companies have shown they need clear rules about essential data security, what they must do to detect breaches to minimize their effect, and if a breach occurs, what reporting and other measures will be necessary. Companies apparently need an incentive to secure their data, as it doesn’t appear that the harm to their bottom line or their reputation from a breach is incentive enough.
I call upon the Trump Administration and the U.S. Congress to join other advanced economies in the world by establishing meaningful, comprehensive data-protection laws for the nation to guard the nation’s data, including the personal data of every American. The law must create a dynamic framework for regulation that can evolve as data collection, data use and technology change.
A comprehensive data-protection law:
• Should cover all industries, organizations and government. No business, organizational or governmental sector of the nation should be exempt in the legislation, as some proposals, such as the Data Acquisition and Technology Accountability and Security Act, would do.
• Should attempt to reconcile the differences among the existing federal and state laws, rights and responsibilities, not diminish or stifle them with weaker laws and regulations that cannot accomplish the task at hand.
• Should encourage businesses, organizations and government to adopt security best practices that keep private information private from the design stage of their systems, products and services.
• Should require consumer notification for every breach occurrence, to each person whose information was stolen or possibly stolen. No business, organization or government should be able to keep breaches secret. Notification should begin within a few days of detection with the information available and expand as more, and more precise, information is determined.
• Should fully recognize the harms that result from privacy violations and provide a reasonable methodology to address them.
Whether or not businesses, organizations and government recognize it, data collection is an inherent institutional risk and data protection a requisite responsibility for any business, organization or government that collects, uses, or shares personal information or other sensitive data.
(Image: Marriott – Berlin 2018 by Pascal Volk)