Fiddling While Rome Burns
Have you seen that recent television commercial that compares the outcomes of insurance claims for automobile damage between a well-known, “government”-associated insurance company and a lesser-known newcomer to the industry? A white-coated lab technician smashes the windows of two cars parked side by side and then suggests that although the “government”-associated company will put things right for you, so will the newcomer, presumably at significantly less cost.
OK, if you’re wondering where this is going, let’s line up, side by side, recent data breaches here in the States against those encountered by our cousins across the pond (in the UK, that is).
First up, data breaches in the U.S.:
March 18, 2011: RSA Security: information tied to more than 40 million SecurID tokens, and the employees who use them, is put at risk by the compromise of its SecurID product.
March 30, 2011: Epsilon, one of the world’s largest providers of email marketing services, which handles more than 40 billion emails annually, announces that “a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.” Reuters calls the breach potentially “one of the biggest such breaches in U.S. history.” Among Epsilon’s clients are three of the top ten U.S. banks (JP Morgan Chase, Citibank and U.S. Bank) as well as Barclays Bank and Capital One.
April 26, 2011: Sony reports a hack into the company’s PlayStation Network, putting at risk sensitive data for 78 million users and PII (personally identifiable information) for 102.6 million user accounts.
May 26, 2011: Bank of America announces that a BofA “insider” has cost the organization at least $10 million, stolen from the accounts of more than 300 of its customers.
June 10, 2011: Citigroup admits that an attack on its website allowed hackers to view customers’ names, account numbers and contact information such as e-mail addresses for about 210,000 of its cardholders.
You get the point. Let’s see how our UK counterparts are handling data breaches that occur on their watch:
February 8, 2011: The ICO, the Information Commissioner’s Office (the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals), fines two local councils £80,000 ($130,000 US) and £70,000 ($115,000 US) for serious breaches of the UK’s Data Protection Act. These follow the ICO’s first monetary penalties, imposed in November 2010 and covered in an earlier Venyu blog post, which ran to thousands of pounds for a pair of data breaches: Hertfordshire County Council paid £100,000 for faxing sensitive information to the wrong recipients, and employment agency A4e paid £60,000 for losing an unencrypted laptop.
March 21, 2011: The Financial Services Authority (FSA), the regulator of financial services in the UK (closer to the SEC and the federal banking regulators than to the Federal Reserve), fines the UK division of Zurich Insurance more than £2m (nearly $3.2M) for failing to prevent the loss of customers’ confidential information. The fine, which followed the loss of 46,000 customers’ personal information, was the highest the FSA had ever levied on an individual firm for a data-security failing.
June 9, 2011: The ICO, which enforces the Data Protection Act against both private-sector and public-sector organizations throughout the UK, fines Surrey County Council £120,000 (about $195,000 US) for a “serious breach” of the Act after sensitive personal information was emailed to the wrong recipients on three occasions, including to ‘taxi firms, coach and mini bus hire services’.
You get the picture: when it comes to data breaches, here in the States we publicize. In the UK they prosecute.
Of course, a US equivalent of the UK’s Data Protection Act is now in the works. Under the Personal Data Privacy and Security Act of 2011, sponsored by Senator Patrick Leahy, a Vermont Democrat, companies would be required to disclose cyber attacks that jeopardize consumers’ personal information, and concealing a data breach would be a crime: anyone who “intentionally or willfully” conceals a breach would be subject to criminal penalties, including a fine or up to five years in prison. The bill would also set a national standard for notifying consumers, effectively replacing the data-breach notification laws now on the books in 47 states.
“The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country,” Leahy said in a statement.
Interestingly, the Leahy measure gives no specific timeframe for making such reports, saying only that companies should disclose data breaches “without unreasonable delay.” Businesses would be exempt from public disclosure if they determine that no consumer data were compromised and share that determination with the U.S. Secret Service. (I presume on a need-to-know basis, he says, sarcasm dripping from all pores and every keystroke.)
While representatives of both Sony and Epsilon appeared before Congress on June 2 to discuss their respective breaches, and members of Congress continue to debate what they should do, and when, the ICO just this week (June 13) secured fines against two former employees of UK mobile operator T-Mobile who stole and sold customer data. The two were fined a total of £73,700 ($120,000 US) and face up to 18 months in prison each if they fail to pay within the prescribed period (in this case six months).
Talk about Nero fiddling while Rome burns.