From: USA Today
Deals website LivingSocial’s disclosure last week that hackers cracked its network to steal sensitive personal information for more than 50 million accounts was the latest in a continuing series of such mea culpas.
Last summer the social networking site Formspring admitted that it lost 30 million registered users' passwords to data thieves, just a few weeks after LinkedIn reported losing hashed passwords for nearly 6.5 million of its users. Around the same time, Yahoo confirmed the theft of 450,000 Yahoo users' e-mail addresses and passwords.
Those headline-grabbing disclosures followed a rash of similar incidents over the previous several months at e-mail marketer Epsilon, online publication Stratfor, shoe retailer Zappos, and Microsoft's online India store.
Stolen e-mail usernames and passwords have become like gold in the cyberunderground. That's because access to online financial accounts, social networks and business networks often revolves around e-mail logins, which typically double as the password-reset channel for those other accounts. What's more, many people tend to use weak passwords, or the same password for multiple accounts, so one stolen credential can unlock several services, security experts say.
A couple of things are driving disclosures of personal information theft. Companies have become more methodical about publicly admitting that they've been hacked, largely because most states have adopted data loss disclosure laws that require notification of victims.
And the Obama Administration has championed the importance of disclosing breaches and sharing forensic information for the greater good. USA TODAY asked attorney Tim Blank, head of the Dechert law firm's Privacy and Data Protection practice, to connect a few more dots.
Q: What impact do states’ data loss disclosure laws have in building awareness of data thefts?
Blank: Many of the data loss disclosure laws have been in place for over a decade, and those breach statutes have matured. People have come to better understand what is required under those statutes, and state attorneys general have begun enforcing those statutes.
Q: There’s been a lot of political wrangling over federal cybersecurity legislation. How much has that played in?
Blank: The Obama administration has placed a great deal of emphasis on cybersecurity issues, and we think that this emphasis, along with increased media coverage about breaches and intrusions, has helped to change corporate groupthink on privacy disclosures. The SEC adopted explicit guidance in October 2011 that advised public companies that current disclosure laws require disclosure of cybersecurity risks.
Moreover, it’s clear that corporations themselves have come to better understand the commercial and reputational risks associated with not disclosing and the potential backlash from consumers. Companies have long feared that consumers would lose trust in their brand if they disclosed a privacy incident. That fear has subsided to some degree as companies have seen that consumers are more forgiving of a breach than they are of lack of candor on privacy.
Q: What do companies risk by failing to report data theft to the proper authorities?
Blank: The risks of failing to disclose a privacy breach are broad and real. Failing to report a breach or a cybersecurity risk can result in regulatory investigations and actions for violation of state breach notification laws. It can result in FTC investigation into your privacy practices. It can result in private consumer class action litigation, including fraud claims under the federal securities laws for failing to disclose the risk beforehand. Failure to report can also, as made clear recently by the SEC, result in an SEC investigation and action for failure to comply with disclosure obligations.
Q: Anything else?
Blank: Congress can make the environment safer by passing legislation that creates more incentives for sharing information about breaches. It will be hard to convince companies to go much further on sharing information about cyber attacks without protection from frivolous lawsuits, and it will be difficult to get privacy advocates to support any additional legislation without adequate privacy protections for personal information. As is the case with many things stalled in Congress lately, the building blocks for an adequate cybersecurity bill are probably there. What seems to be lacking is the political will to engage constructively on these issues.