Businesses have the tools and know-how to keep our personal information safe.
They just don’t do it.
“It’s expensive,” said Nick Mancini, a partner at Tech Consultants, a Woodland Hills information technology firm.
And that, in a nutshell, is why big companies that should know better routinely issue red-faced notices that they’ve been hacked and that customers’ confidential info is on the loose.
Target took it on the chin again Friday when it revealed that up to 110 million customers — not just the 40 million it originally reported — may have had their names, addresses, credit and debit card numbers and other information stolen.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target’s chief executive. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Well, that’s heartening, even though the company seems to be having a difficult time with both the understanding and the sharing parts of that.
The Target hack underlines the vulnerability of consumer data at a time when businesses large and small are doing their darnedest to amass as much of our info as possible.
Knowing a lot about customers enables companies to tailor their marketing pitches to people’s specific tastes. It also provides a treasure trove of digital goodies that can be sold to other businesses and marketing firms.
So it’s no wonder that almost all transactions these days include not just your name and credit or debit card number, but also requests for your email address or other contact info.
That information is subsequently triangulated with other info available from so-called data brokers. The upshot is that highly revealing dossiers on your life and personal habits can be compiled by corporate interests — and, in turn, made available to hackers.
Think the National Security Agency is nosy for peeking at your email or eavesdropping on phone calls? The World Privacy Forum, an advocacy group, testified in Congress last month that data brokers are providing marketers with lists of people with chronic diseases such as AIDS and of women who have been raped.
Other lists include people with known addictions to drugs or alcohol, the locations of domestic violence shelters and the home addresses of police officers.
“Highly sensitive data are the frayed and ugly ends of the bell curve of lists, far from the center,” said Pam Dixon, executive director of the World Privacy Forum. “This is where lawmakers can work to remove unsafe, unfair and overall just deplorable lists from circulation.”
I have some other advice for lawmakers. I’ll get to that in a moment.
First, let’s dispense with the notion — promulgated by many in the business world — that customer data is basically safe, so you shouldn’t worry. It’s not. And you should worry.
More than 662 million consumer records have been exposed to theft in more than 4,150 known security breaches since 2005, according to the Privacy Rights Clearinghouse in San Diego.
Businesses also would have people think that they’re bending over backward to keep a lid on customers’ personal information. Nearly all corporate privacy policies include some variation on the phrase “we take privacy seriously.”
If that were true, though, they’d actually take privacy seriously, which would mean using all resources at their disposal to make good on their pledge.
The tools are there. Technology is available to encrypt data, making it unintelligible to anyone lacking an encryption key.
Powerful firewalls can be erected around corporate databases, and so-called virtual private networks can be built that allow a company to move data from one location to another without being exposed to digital predators lurking on the Internet.
There are reasons that such remedies aren’t employed, or are used haphazardly, by many large companies such as Target. One is the cost. All this cybersecurity typically comes with a price tag in the millions of dollars.
Another reason is convenience. The more information security that a business deploys, the harder it is for employees and partners to access the data needed to do their jobs.
It’s not that workers would be locked out of their companies’ computer systems. They’d just have to use more keystrokes and enter more passwords to get what they want.
But such steps can slow things down, and efficiency experts say delays of this sort can be deadly in today’s gotta-have-it-now economy.
“Companies try to find a balance between security and convenience,” said Mancini at Tech Consultants. “You can lock down a network, but that can make it less usable to the people who need it.”
To which most consumers would probably say: Tough patooties.
Lawmakers have focused primarily on regulations addressing how companies should notify customers of data breaches. That’s not good enough.
What’s needed are strong nationwide policies that clearly define what information can be collected and stored by businesses and the steps that must be followed to secure such info.
Does a company really need to know your birth date? Does it really need your phone number?
And the more information a business collects, the more it should be required to have state-of-the-art security systems in place, just as companies are required to ensure workplace safety for customers and employees.
To encourage compliance with such rules, lawmakers should enact financial penalties for security breaches. Such penalties could vary from $25 for each customer for small businesses to $500 a customer for large firms.
In Target’s case, that would mean a fine of as much as $55 billion.
Maybe the company would be able to negotiate that down. But it almost certainly wouldn’t allow itself to get into such a situation again.
And that’s the whole point. Companies act only when it’s in their financial interest to act. Harsh penalties have proved successful at prodding corporate interests to change their ways.
Case in point: Air travelers and federal authorities were fed up with long delays on runways. So in 2010, the U.S. Department of Transportation imposed fines on airlines of up to $27,500 a passenger for delays lasting more than three hours.
What happened? The number of delays dropped precipitously.
There were 66 flights with at least three-hour delays in August 2009. A year later, after the new fines were imposed, only one such flight was reported. And the number of delays has remained low ever since.
When it comes to information security, that’s all lawmakers need to know.
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to firstname.lastname@example.org.