Well it appears the US government has been asking the same questions we have “Who’s responsible for these data breaches and who should be held accountable when things go wrong?” And it appears there might be a bill on the way to answer that question.
Do you believe you might be the victim of data or identity theft? Take a look at our data theft check list.
Before the major breach of Minnesota-based retailer Target, banks held the onus of repaying customers in the event of a fraud–and indeed, they were the ones who repaid Target’s victims, all 110 million of them. But it appears that might be changing in the near future if this bill gets passed.
And perhaps some of the reason for this shift of responsibility lies in the lack of responsibility we’ve unearthed in light of the attacks (including Neiman Marcus and Michaels). In a recent report posted by the New York Times, it appears Target’s cyber security team had actually picked up evidence of the threat back when it was being uploaded by Eastern European hackers. The security team did a threat analysis and determined the threats didn’t warrant further activity.
Target’s execs were also informed by the government earlier that year to be on the lookout for just the kind of malware that did Target in, and an outside security analyst had even recommended installing new sale terminals but the company didn’t want to take the time and money to upgrade their systems as they headed into the Christmas shopping season.
This new bill, if passed, would make Target and other companies responsible for failed threat attention. Essentially, the bill would force these companies who had neglected sound advice and ample warnings–like twenty-two-year old kids who think themselves invincible–to take responsibility, no longer able to run back to mom (the banks) to solve their problems.
The bill would force the companies to initiate stronger security systems and to reimburse their customers in light of subsequent attacks. Specifically, the bill would give companies a window of 15 days after a suspected data attack in which they would be required to inform their customers. The bill would also take steps to limit the amount of sensitive information that businesses store–such as PINs or social security numbers–in order to make them less of a treasure trove for hackers and give customers some added security.