In the past three months alone, tens of millions of people have been victims of data breaches. From the recent Target breach, which affected 70 million names, home addresses, email addresses, and phone numbers along with 40 million debit and credit accounts, to the Neiman Marcus breach which affected 1.1 million credit cards from customers who made in-store purchases, universities are equally as vulnerable. On February 19, 2014, the University of Maryland announced that 300,000 records of students, staff, and faculty were stolen in a cyber-attack. These all came on the heels of security breaches at other retailers in the last six months of 2013 including those at Walgreens, Adobe, Walmart, Michaels, and Nordstrom. Data vulnerability is an alarming, daily reality.
Though the investigation continues to determine how these data breaches happened, they generally stem from attackers who insert malicious software into the weak systems of retailers, corporations, and universities.
On February 4, 2014, the Senate Judiciary Committee held a hearing to discuss several policy changes to better protect consumers. One such change is pushing for more secure credit and debit cards. Visa and Mastercard are in the process of transitioning to the more secure credit and debit system, which Europe and parts of Asia have been using for nearly twenty years. Instead of payment data being stored on the magnetic strip, it is stored in a chip. The chip is encrypted, requires a pin to verify the customer’s identity, and is difficult to counterfeit.
Visa and Mastercard have long been advocating for the chip-and-pin cards. The two corporations have set an October 2015 deadline for banks and retailers to transition to the new system and to issue credit card holders the new cards. If banks and retailers do not comply by October 2015, Visa and Mastercard have asserted that they will no longer accept liability for the costs of fraud if a breach occurs. Nonetheless, critics acknowledge that this one change will not suffice. At a minimum, the chip-and-pin cards do not protect consumers from fraud in online purchases.
Additionally, the Obama administration recommended a federal standard to require businesses to promptly report thefts of electronic personal information. Simultaneously, the Federal Trade Commission has been advocating for a federal data security and breach notification law.
Senators Al Franken of Minnesota and Patrick Leahy of Vermont are co-sponsoring the Personal Data Privacy and Security Act, which includes stricter disclosure and security standards. Opponents argue, though, that the swiftly changing technology field would not benefit: a federal regulation would potentially become ineffective within a short time period.
Verizon recently released a report, concluding that many businesses fail to comply 100% of the time with the standards set by the Payment Card Industry Security Standards Council (an organization founded by the major credit card companies). The report states, “Criminals only need one chink in your company’s armor to get in . . . Some companies still treat compliance as a one-off annual scramble . . . But if you don’t work at compliance, just one new uncontrolled Wi-Fi access point, unprotected admin account or unencrypted drive could take you out of compliance.”
Nevertheless, underlying these potential changes is the reality that data hacking has turned into a sophisticated business and will not be defeated with one or two changes. One immediate step that many companies, universities, and banks can take is to make sure any sensitive data is immediately encrypted. A process known as point-to-point encryption encrypts credit card data as soon as it is swiped at a retailer. Currently, encryption is not immediate and typically leaves an open window for attackers to steal information.
The grim reality is that nearly one-third of the United States population has been victim to data breaches. It is no denying that cyber-security poses a real and imminent threat and requires long-term, comprehensive solutions.