Should the U.S. Require Companies to Report Breaches?

By Christopher Mims Features Dow Jones Newswires

There are two things we can count on in the wake of the Equifax breach, already credited with exposing a majority of American adults to the possibility of identity theft. The first is that more and potentially worse breaches are in our future. The second is that companies will need to be prodded toward smarter cybersecurity practices and faster reporting of breaches.

Continue Reading Below

Details of the breach -- which Equifax said it discovered in late July -- have only recently been revealed by the credit-reporting company and by Mandiant, the cyber forensics firm it hired. However, the enormous loss of data appears to have been the result of an unpatched vulnerability, which allowed hackers to roam freely inside Equifax's computer network for more than four months. (In a report, Equifax said it "took efforts" to fix the compromised system.)

The Federal Trade Commission and the Federal Bureau of Investigation are investigating, and the first of what's expected to be a wave of lawsuits by state attorneys general has already been filed. But punishing Equifax isn't the same as minimizing the impact of similar disasters. For that, we're going to need something anathema to the tech industry and especially companies that have been hacked: transparency.

It isn't coming voluntarily. There's already a patchwork of data-breach disclosure laws passed by 48 different states, yet none have been strong enough to get companies -- wary of increased costs and hits to their reputations -- in line. Newly proposed federal regulations could be, if they can get bipartisan support.

"Equifax has had a very poor response and I'm disappointed in them," says Rep. Jim Langevin (D-R.I.), one of the members of Congress behind the new regulatory push. "As good corporate citizens I believe Equifax owes much more transparency to consumers."

Equifax didn't respond to requests for comment.

Continue Reading Below

Many firms share information with each other through cybersecurity back-channels, but participation is entirely voluntary. That's one reason the European Union passed the General Data Protection Regulation, going into effect May 2018, which will force companies that do business in the EU and the United Kingdom to promptly disclose when personal data is breached.

Lawmakers in the U.S. are urging Congress to follow suit. Rep. Langevin reintroduced the Personal Data Notification and Protection Act, first proposed by President Obama in 2015. Co-sponsors include Rep. Ted Lieu (D., Calif.) and Rep. Carol Shea-Porter (D., N.H.). All three are members of the bipartisan Congressional Cybersecurity Caucus.

Meanwhile, Republican lawmakers are gearing up for hearings that will surely include grilling Equifax executives, but have yet to call for regulations. House Energy and Commerce Committee Chairman Greg Walden (R., Ore.) has said that until those fact-finding hearings are complete, he doesn't want to pre-emptively put forward legislation.

Many companies and analysts object to proposed legislation, in part because they believe that should it come to pass, companies would prioritize compliance -- following the letter of the law and appearing to do the right thing -- rather than actually dealing with the fast-moving problem of cybersecurity, says Andrea O'Sullivan, program manager of the technology policy program for the pro-market Mercatus Center at George Mason University.

Companies don't want to be embarrassed or face the increased costs of having to disclose when people's data is leaked, and there is also a concern that should companies be forced to report every breach, it could lead to "data breach fatigue," where regulators are overwhelmed and the public throws up its hands at a problem that feels too pervasive to fix. (One could argue we're already past that point.)

Transparency could actually give companies herd immunity. Existing voluntary breach reporting systems allow companies to share data on the nature of cyberattacks as soon as they occur. If reporting were mandatory, more companies could be quicker to defend against new attack vectors and new bad actors.

And, needless to say, strong cybersecurity is quickly becoming a selling point for savvy financial businesses.

Even regulation-averse politicians have cause to support a data-breach disclosure law at the federal level, says Rep. Langevin. It would simplify the issue for businesses by pre-empting the patchwork of 48 state laws, dating back to 2003, that currently govern what companies have to do in the event of a breach of personal data.

Rep. Langevin argues that, had it been in place already, the Personal Data Notification and Protection Act would have had a direct impact in the case of the Equifax hack, and in previous hacks that inspired the bill.

Under this proposed legislation, Equifax would have had to disclose its breach within 30 days -- not the six weeks it took -- to the FTC and the Department of Homeland Security, which would become central clearinghouses for breach information.

Companies that fail to meet the requirements would face a raft of penalties, including fines of up to $1 million per violation. They'd be liable for civil penalties in lawsuits from states attorneys general, with no limit on the damages that could be recovered if the company is found to have acted willfully or intentionally.

Even absent such efforts at the federal level, the coming EU regulations will force many large U.S. companies to get better at cybersecurity and, more important, improve their data collection and storage policies, says Charlie Wedin, a partner at international law firm Osborne Clarke. His firm is helping companies prepare for the EU rules. "What compulsory breach notification is doing is putting this on the board agenda, and they're focusing on this like never before," he says.

What we really need to do is start treating data safety with the same seriousness we apply to airplane and automobile safety.

This could happen with a one-two punch of regulatory and market-based solutions. Forced to buy car insurance, we make certain economic decisions about how, what and when we drive. Meanwhile, seatbelt laws have saved millions of lives. Along these same lines, mandatory disclosure would force companies to think more about their security in the first place -- and even consider buying cyber insurance. And damage done by irresponsible companies could be minimized.

When Equifax was breached, hackers got birthdates, Social Security numbers and other hard facts about most of us. This data has the power to ruin our financial lives, so it's time we all took interest in its protection.

Write to Christopher Mims at christopher.mims@wsj.com

(END) Dow Jones Newswires

September 24, 2017 08:14 ET (12:14 GMT)