Note: This article was submitted by John Kerris.
Recently, Marriott self-reported experiencing one of the largest data breaches in history. The breach, which occurred in the reservation database of its Starwood brand, gave hackers access to the identities, credit card information, passport numbers, and other personally identifiable information of over 500 million guests dating back to 2014. News of a hack of this magnitude just a few short years ago would have led to wall-to-wall coverage, press conferences, and enormous public backlash. However, in today’s world of big data, people have become essentially desensitized to these events, for two major reasons.
The first major cause is rooted in the fact that the modern world views invasions of privacy as minor issues that come in exchange for modern conveniences. According to Forbes, 2.5 quintillion bytes of data is gathered around the globe every day. By dividing that number by the world population of 7.7 billion, we calculate a figure of over 324 million bytes collected per person, per day. For reference, that’s equivalent to about 198 photos or one hour of low-quality video streaming worth of information gathered about each person on the planet in a single day. Therefore, people are no longer surprised when they see their data being collected; it’s become routine.
Another reason that people may have become desensitized to lapses in data security is because they’ve become shockingly common. A catchphrase many analysts echo is, “data is the new oil.” This is not only true, but could possibly be an understatement; nearly every firm across every industry is interested in gaining as much data as possible. These firms are willing to pay for it, and countless companies’ business models revolve around the selling of this data. Where there is such ravenous demand, there will be equally intense supply. By performing a simple Google News search for the terms “data breach”, one generates a plethora of stories. A few are discussing Marriott’s woes, but many have moved on to one of the numerous security lapses that have already occurred in the few days since. These include huge breaches from Quora, AltMed, Ames, San Mateo Medical Center, and more.
Shocking? Maybe to the previously unaware, but anyone who has been paying close attention to events like these knows that attacks on consumer databases occur on a daily basis. At least we know that the firms we patronize do their best to make sure that our personal information is secure, right? In most cases, the answer is a resounding no. Due to the rapid innovations that occur in technological fields, even the newest, most cutting-edge companies have security software that is almost criminally outdated when it comes up against the revolutionary techniques that hackers employ. Therefore, it is often more cost-efficient for a company to incur the costs of dealing with a breach every once in a while (as we’ve already shown, they don’t affect demand that significantly), than to incur the charges associated with hiring security experts and constantly updating technology.
One factor that plays a large part in this culture is the US’s extremely lax data privacy laws. Outside of medical data, which is strictly protected under HIPAA, the American government offers very little in the way of punishments for companies that allow their customers’ data to be vulnerable. The only legal punishments most hacked companies ever face are relatively small civil suits from the victims of their oversight. This gap in legal protection has been made all the more glaring by the EU’s recent adoption of the General Data Protection Regulation, which sets extremely stringent regulations on how businesses can collect, store, and use data, and sets up stiff penalties for violators. Despite America’s current deficiencies in this area, the tide is slowly turning in favor of harsher enforcement. Many legislators have come out in support of passing a bill similar to or even stronger than GDPR. In addition, the Pennsylvania Supreme Court ruled on Monday that firms are responsible for protecting their employees’ personal information. This could be just the beginning of a slew of similar rulings.
Despite the obvious merits of data protection legislation, it may be harder to pass than one might imagine. Lobbyists and businesspeople alike tend to oppose such rules, saying that they would only increase costs and stunt economic growth. These claims would give pause to any administration, especially the anti-regulation Trump regime, and they are not without merit. However, in the long run, laws to protect consumer information are not only ethically mandatory, but they are beneficial to businesses because they do two things: create an incentive for staying technologically up-to-date and provide customers a greater sense of security. Customers deserve to know just how a business will use their data, and to feel comfortable that the data they provide will not fall into the wrong hands.
Congress should outline laws for database management that are simple, clear, and effective, and provide assistance to companies in learning how they need to comply. Rules should be stricter and more detailed for companies that collect more and/or wider ranges of data. These factors eliminate the problem of compliance cost/difficulty that could force smaller businesses out of the market. This new regulatory system should be tightly policed, with fines imposed for all data breaches or other violations and bonus fines (and possible criminal charges) for those executives that try to cover them up. With a system like this in place, buyers can be assured that their personal information is safe, and if it isn’t, that those responsible will be held accountable.