The Massachusetts Office of Consumer Affairs and Business Regulation rang in the New Year with some welcome news about information security, introducing a consumer-facing tool to help in the fight against identity theft.
In making public an online archive of data breach notifications affecting Massachusetts residents from 2007 to 2016, that state may have taken the first step to make America more cybersecure. We need a national database, and other consumer-first approaches to the identity theft pandemic.
Currently, there is no uniform national approach. Instead, consumers concerned about their exposure to identity theft must traverse a labyrinth of state and federal laws and programs related to data security and breach notification. They range from the newly announced public database in Massachusetts, a promising development, to a host of weaker or nonexistent consumer programs coast to coast. There continues to be no consumer-centric cybersecurity czar in Washington, D.C. making sure that best practices and breach information are generally available, and that the different state approaches are vetted and compiled into a living document of best practices.
Given the seriousness of our nation’s cyber-insecurity, this should be a matter for grave concern. Right now, it’s impossible to know how safe our personally identifiable information is, or whether, when and where it has been compromised in the past. Given the vast number of companies, agencies and individuals our information has passed through on the way to this or that convenience or requirement, a general state of alarm is appropriate.
While I think a national data breach database would be useful, it’s a passive tool. Consumers need to go to it and perform a search. Making that information available at consumer contact points, such as sign up or transaction pages, is a better idea.
It’s crucial we develop multiple systems that talk to each other, facilitated by a consumer cybersecurity czar, that provide consumers with the particulars of any reportable breach that has exposed their information. Any such system would have to start with the premise that not all breaches are alike. A breach that exposed credit card information, which can be cancelled and reissued, is nowhere near as dangerous as one involving Social Security numbers, banking details or personal health information, which cannot. So any system would have to have levels of concern, a classification of reportable breaches by the kind of data exposed.
As I’ve discussed in previous columns (and will continue to do until a strong national strategy is in place), the creation of a mandated Breach Disclosure Box would be a big step in the right direction away from our nation’s coast-to-coast swamp of identity theft.
As I detail in my book Swiped, it comes down to the consumer. You are your best protection against identity theft. The 3 M’s need to be a part of daily life: Minimizing your exposure, monitoring your public records and financial accounts, and managing any damage that occurs from data compromises. Knowing if a company has a record of shoddy data security can help consumers make smart choices. To practice good information hygiene, you need good tools.
The Breach Disclosure Box would also force companies to improve their data security programs and put in place a breach preparedness plan that promotes an urgent, transparent and empathetic response to any compromise of consumer and employee data.
Here is some of the information such a box might include:
- Has this company been breached within the past five years, and if so, how many times?
- If so, what kind(s) of information was exposed?
- Does this company encrypt all consumer and employee data?
- Does this company have a breach notification policy?
- What did the company offer affected consumers?
- What type(s) of information are customers obligated to provide, and which are optional?
- Best practices for avoiding victimization (The 3 M’s)
As President Trump enters the White House, here is a bipartisan issue that goes way beyond blue state-red state politics. When it comes to data-related crime, the sad truth is that we occupy a state of confusion.
About the Author
Adam K. Levin is a consumer advocate with more than 30 years of experience and is a nationally recognized expert on cybersecurity, privacy, identity theft, fraud, and personal finance. A former director of the New Jersey Division of Consumer Affairs, Mr. Levin is chairman and founder of CyberScout (formerly IDT911) and co-founder of Credit.com. Adam Levin is the author of Amazon best-selling book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.