Data breach is one of those all-of-a-sudden new terms most of us did not know we needed. But it represents a huge and growing problem that should be addressed.
One of the most important steps is to ensure that people know if and when their data have been compromised. And the sooner that can be done, the better.
In a data breach, a person’s private information – credit card numbers, Social Security numbers or other personally identifying information – is stolen, typically from merchants and presumably used fraudulently for profit. In the old days, thieves rummaged through trash cans for receipts or credit card slips. Because this is now an electronic issue, the number of customers affected can be huge. In the case of Target, as many as 40 million credit and debit card numbers were exposed between Nov. 27 and Dec. 15.
There are a lot of facets to the problem. One, of course, is for merchants to better guard any such data they have collected. But the bad guys are smart, too, and as security improves, so do the efforts of thieves.
With that, there will almost always be some risk. And that is where notification looms large. If there is a data breach, those whose personal information has been compromised – or even potentially exposed – need to be told, so they can take steps to protect themselves.
Passwords can be changed, credit card accounts can be canceled, creditors called and so forth. An inconvenience, to be sure, but better to go through all that than to wake up one day to find you have just bought a car halfway around the world.
There is, however, no national standard for customer notification in the event of a data breach. And, although U.S. Attorney General Eric Holder has joined in advocating one, there seems to be little movement toward that end.
That needs to change, and Congress needs to act. Data security is a true 21st-century concern, one that threatens the way Americans do business.
In any case, objections to a national standard are thin. Consumer groups are said to worry about weakening laws in states with strong rules. But the answer to that is to make the federal law at least as good.
And if merchants fear that a federal standard might be burdensome, they should ask themselves how they would like to be in Target’s situation. That company has seen its stock, sales and profits suffer since its data breach.
There are proposals in Congress for a national standard on data-breach notification, although efforts to enact one have so far failed. But 46 states and the District of Columbia have such laws, which vary significantly. With that, the outlines of what a national standard might look like cannot be that foreign. What is left is for Congress to come together and act.
This is not the stuff of political controversy. Working to reduce the risk to customers from data breaches is good for consumers, good for businesses and good for the country. It should be an occasion for bipartisan cooperation. Congress must merely choose to do so.