Data Breach Transparency and the Plague of Passing the Impact-Buck to Victims

Incidents of identity theft are no longer isolated personal attacks. While it is still very possible to be an identity theft victim at the hands of someone you know or through scam tactics, it is arguably more likely to occur from the newest cybercriminal trend: a data breach.
Since October is National Cybersecurity Awareness Month, it is a great time to evaluate how the industry is protecting consumer data in the wake of this daily threat.
Data breach, the act of exposing confidential information to an unintended environment, has risen dramatically with the rise of files stored digitally. Many companies opt to store consumers’ personal identifying information (PII) in a cloud-based environment. In some instances, these servers are left on their default settings, which can leave such data open to the public for anyone to find. Even in the best-case scenario, where servers are secured to the highest level, that does not prevent criminals from exploiting a weakness in the database. This exposure, known as a data breach, is prevalent because it allows criminals to get their hands on large quantities – in some cases millions – of people’s PII.
When consumers hand over their personal data, it is expected that companies will treat it with the utmost security standards. While many companies do in fact take great precautions, the Identity Theft Resource Center (ITRC) has still recorded over 10,000 public breaches since 2005. Those 10,000 represent only United States based companies that have reported a data breach; the actual number is likely much higher. The potential for more, unreported breaches stems from the fact that there is no single breach notification standard that must be complied with universally – each company is bound by reporting requirements based on the jurisdiction in which it operates or in which its customers live.
The time period required to report a data breach is different in each state, but it can be months. On top of the period between a company becoming aware of a breach and reporting it to its consumers, a bigger challenge is that in some cases companies do not even detect a data breach in their own systems for weeks, months or even years after the breach occurred. Additionally, in an effort to understand the set of circumstances around the breach, an organization may conduct an extensive investigation that delays timely reporting. Given that exposing consumer information reflects poorly on a company’s public image, many wait to report the incident until legally required to do so, with a public relations plan in place. The longer companies wait to inform victims of a data breach that their information was compromised, the longer criminals have to abuse the information. While identity theft is not 100 percent preventable, there are several precautionary steps victims should take as soon as they learn their data was exposed. These steps can greatly minimize the possibility of identity theft and fraud, as each breach brings with it a unique set of inherent risks. By waiting to inform consumers of a data breach, companies are putting consumers’ identities at even greater risk of theft.
In ITRC’s tracking of data breaches, a trend has been noticed not only in the increase in incidents, but also in how businesses reveal the information. In place of informing victims and the public exactly what information was exposed and when, a generic overview and timeline is provided. For example, instead of telling a victim that their Social Security number and birthday were exposed between January 1-31, 2019 because of a data breach caused by an unsecured server, a company will say “Some employee data (or account information) was exposed during the first quarter of this year because of unauthorized access that has now been resolved.” Vague references about the type of records exposed and how they were accessed leave victims in the dark as to where they should look for signs of identity theft and what steps to take to minimize the risk of harm.
Instead of trying to save face with generic language and public relations campaigns, businesses should be as forthcoming as possible without compromising additional data or security measures. Doing so gives consumers the best possible chance of preventing identity theft. In addition to increasing security measures and protecting data at the highest level, companies should also offer restitution to victims in the event of a data breach.
Much like other crimes, identity theft can have repercussions in all facets of life. When a company is responsible for putting consumers in danger of identity theft, it should pay the price for the repercussions victims deal with. Recently, we have seen a wave of data breach settlements trickle in from large companies like Equifax and Yahoo! Inc. Unfortunately, even though the settlements look beneficial to victims on the surface, they do not begin to cover the true consequences of the crime.
While both settlements mentioned above offer victim reimbursement and restoration services, they put the burden of proof on the individual. Not only are victims burdened with being their own advocates and vehicles of remediation, now they are being forced to prove they have been harmed in order to receive a portion of a settlement that will in no way come close to the true harm identity theft causes. While some costs are easily documented, like receipts or bills for credit monitoring services or fraudulent charges, how are victims supposed to document lost time and emotional distress? Of identity theft victims surveyed in 2018, 77.3 percent reported increased stress and 32 percent had problems with employment. Plus, what about the victims of a data breach who have not yet become victims of identity theft? There is no expiration on this type of crime, and cybercriminals are willing to wait for limited credit monitoring benefits to expire. No matter when PII was exposed, it is as dangerous to your identity on day one as on day one thousand and one.
Consumers, victims and industry leaders must call on businesses and lawmakers to implement more data breach transparency and stop victim blaming. Victims trusted a company and are now paying the price for that trust. Not only are some breached companies painting over the real issues, they are refusing to take reasonable responsibility for their actions. So yes, while consumers must own, secure and protect their own PII, companies have that responsibility as well. This National Cybersecurity Awareness Month should be a call not only for consumers to improve their practices, but for the companies and services that are in charge of protecting our data every day.