We need strong cybersecurity legislation NOW!

  • This week the IRS revealed that they had been hacked and literally gave away tax records of over 100,000 American citizens.
  • On February 4, 2015, Anthem Medical revealed that its systems had been hacked, exposing the names, personal health information, birthdays, Social Security numbers, income data, employment data, street addresses, email addresses and other personal details of about 80 million current and former customers and employees. 
  • On March 18, 2015 Premera Blue Cross was hacked, with 11 million members giving up Social Security numbers, bank account information and medical records.
  • In September 2014 Home Depot was hacked and gave up 56 million credit card numbers and 53 million email addresses.
  • In August 2014 JPMorgan let slip email and physical addresses of 76 million households and 7 million small businesses.
  • eBay gave up personal information, including login credentials, of 145 million active users back in May 2014.
  • And we all know that Target let slip 110 million credit card numbers back in December 2013.

Since 2005, more than 75 data breaches have been publicly disclosed in which 1,000,000 or more records were compromised.

Now I’m not usually a big fan of legislation, but it is becoming more and more obvious that corporations aren’t doing enough to protect our critical information, and the only way to get them to spend the money to adequately secure their own systems is to force them to do it. And that means passing strong laws with real teeth.

First (and most obviously), companies that process, transmit or store any personal information should be required to implement cybersecurity measures and, like other industries whose products may have an impact on public safety, they should be subject to regular government inspections and audits.

Next, companies should report data breaches as soon as they are detected – to the government, to the public and specifically to anyone who might have had their data stolen. And that doesn’t mean three or four months after it happened.

Next, companies should be forced to make quick and meaningful restitution to all people impacted by the breach. And I don’t mean sending out a check for a few dollars to each person after forcing them to submit a request and then take six to eight months to send it. And it doesn’t mean simply signing them up for a year’s worth of a credit monitoring service. If you give up enough data to ruin a person’s credit for years you should pay them thousands of dollars, it should be paid within a few weeks and you should pay for credit monitoring and identity theft services for five years or more.

Fines should be automatically levied based on the sensitivity of the data and the potential damage the breach might cause individuals. The amounts should be fixed and non-negotiable. For example – leaking someone’s emails might cost a minimum of $500 per customer compromised, email or physical addresses $700 each, account passwords $1,000 each, credit card numbers $5,000 each, bank account information $10,000, Social Security numbers $10,000 each, medical records $20,000 each, any data involving children $30,000 each, etc. Individuals who lost more than those amounts would be entitled to full reimbursement of any monies lost. And 95% of those monies would be paid directly to the customers, with the other 5% going to fund the government agency that investigates these things.

So, in the case of the Premera Blue Cross hack mentioned above, the company would have been required to pay $40,000 per record compromised, or $440,000,000! This would ensure that if a company handles people’s credit card numbers, medical records or Social Security numbers they would make DAMNED sure to protect that data.

Finally, failure to adhere to any of these items would mean that the CEO, CFO and CIO would automatically face criminal charges with the real possibility of jail time (not just some poor patsy in the IT department) and also risk the potential shutting down of the business.

This last point is the most important, because the main reason companies don’t have better cybersecurity is that the people at the top don’t want to spend the money. If the people at the top knew they would personally face massive fines or even jail time if their company’s systems were hacked, then they might be willing to shift some resources into preventing it from ever happening.

Obviously there are a lot of companies out there who still haven’t got the message yet. Cybersecurity is critical in this day and age, and unless we do something about it things are just going to get worse. But since companies refuse to address this issue, perhaps we should force them to do the right thing.

Of course legislation like this could never happen in the U.S. since virtually every single political lobby and every major corporation would fight against it tooth and nail.