In the flurry of Congressional hearings on data breaches staged over the past few months, all have cast pretty much the same set of villains: Target, data brokers, and marketers who wrangle and manipulate personally identifiable information (PII) in an effort to poke into Americans’ lives and pry open their wallets. Today, another PII perpetrator was ushered onstage: the U.S. Government.
“We’ve heard lots of testimony [on data breaches], but we’re going in the wrong direction,” said Sen. Tom Coburn (R-OK) at the opening of the hearing of the Senate’s Homeland Security and Governmental Affairs Committee. “There’s no question that we need some type of uniform standards and I’m not opposed to that…. What we’re not talking about is the data breaches in the federal government, and to me it’s ironic that we can as a Congress sit and tell people, ‘Here are the rules,’ when we can’t even manage our own backyard on data breaches.”
Coburn was setting the stage for Gregory Wilshusen, director of information security issues for the Government Accountability Office (GAO), who testified to a litany of data breach transgressions within the halls of the federal government itself. Wilshusen detailed the high—or low—points of a GAO study showing that PII breach incidents at government agencies numbered 25,566 in 2013, nearly double the amount reported only three years earlier. Last July, Wilshusen said, hackers breached a Department of Energy computer system and stole the personal data of 104,000 people, including locations, Social Security numbers, and bank account numbers.
“Even when agencies have implemented security programs, breaches can still occur,” Wilshusen said. “Implementation of key operational practices is inconsistent.”
In a close examination of seven agencies’ security programs, the GAO found that only one had defined risk levels for PII data breaches and how those levels were to be assigned. And while, in a hearing last week, Sen. Ed Markey (D-MA) castigated Target’s CFO for offering customers just one year’s free credit reporting after its breach, GAO found that none of the seven agencies studied consistently offered credit monitoring to affected individuals.
Tiffany O. Jones, SVP of client solutions and chief revenue officer of iSIGHT Partners, a cyber-intelligence firm, painted a picture of a problem that ranges far beyond brick-and-mortar retailers and registered corporations that sell anonymous data. “We need to understand that cyber crime is like the movie Goodfellas, an organized community of bad people, intent on crime, economically motivated, increasingly sophisticated, and operating without much fear of law enforcement,” Jones said.
Jones then broke down a complex business plan and network of players consisting of malware developers who sell subscriptions to their wares for up to $15,000 a month, criminal cloud computing services, cyber-crime start-ups that exploit market needs quickly before moving to the next opportunity, and brokers who monetize stolen assets.
“You will see attacks like the 2013 retailer breaches again, and with greater frequency,” Jones warned. “Business and government have started to understand the scope of this problem and are increasingly shifting to intelligence-led cyber security to improve prevention, speed response, and solve the cyber security risk equation. There is progress. There needs to be more of it.”
One thing all panelists and Senators present seemed to agree on was that Congress needs to quickly enact a data breach bill that will create national notification standards that take into account the sensitive issues involved with informing customers of a breach.
Former Minnesota Governor Tim Pawlenty, now CEO of the Financial Services Roundtable, stressed to the Senators that any data breach bill they passed should ensure that the affected institutions have the freedom to share information with each other without fear of proprietary knowledge being breached as a result.
“More important than breach notification requirements are the efforts to prevent data breaches in the first place,” Pawlenty said. “Institutions must have the necessary liability protections to share threat information with private partners and the government. Having the freedom to share information will give us an improved ability to stop attacks in real time and prevent attacks from occurring in the first place.”
Private companies fear that being required to share company information with government agencies will expose proprietary business information to public dissemination via Freedom of Information Act suits and requests, Pawlenty said.
The Direct Marketing Association today sent a letter to all members of Congress urging the passage of data breach legislation, while keeping mindful of private companies’ proprietary issues. “While DMA is supportive of a federal breach notification law,” the letter read, “we urge Congress to not pass other types of prescriptive legislation that would stifle innovation.”