Target’s recent series of data breaches inflicted a nasty bruise on its brand reputation, but the retailer’s pain would have been even worse had it been subject to civil penalties over the fiasco.
And that’s just what the Federal Trade Commission would have preferred. FTC deputy director Daniel Kaufman said at a conference today that the commission is hoping Congress will see fit to legislate monetary consequences for breached companies, according to a VentureBeat article.
The idea has strong bipartisan support among the FTC’s five commissioners, and the same would likely prove true in Congress, Kaufman suggested.
It’s debatable whether a such a measure would have prevented the Target breaches, or if enacted will prevent future ones at other very large companies. The non-legislated but very real reputational penalties that accompany breaches at high-profile enterprises are enough that few take data security lightly anymore. Civil penalties might, though, sway smaller, less-well-known businesses toward greater vigilance.
The specter of breaches is arguably the hottest worry-inducing potentiality across the corporate world. Security must constantly be improved as hackers eventually find a way around virtually every barrier to entry. There’s nothing to suggest a change in that reality will transpire in the foreseeable future, so companies must embrace the notion that establishing protections for sensitive data is not a project but rather a permanent journey.
So if I understand this correctly..the FTC wants a Company to not only incur the financial loss for a data breach but further penalize them with penalties…? IDIOTS
There are subtle points here that are typically missed:
– Was the breach a result of [willful] negligence? <– this is all that really matters
– Was the organization breached able to detect & respond appropriately? In a 'meaningful' amount of time?
– How does the punishment *not* hurt the victim (again)?
These are not easy questions and there are no cookie-cuter answers that can be legislated here, to the best of my mental abilities.
Aside from judging EVERY breach individually, on its own merits and by facts alone – there is no other. Period.
More of the “prevention” mentality. The idea that one can be punished for something infers that they could have prevented it in the first place. The issue with security in its current state is that a breach often cannot be prevented because security itself is fundamentally flawed within the technology.
It would be like fining a bus driver (on behalf of the bereaved passengers) for being on the side of the road because of a flat. Obviously, organizations should be held accountable if there is negligence that can be proven, but there are already many suggested (or required) standards for organizations to adhere to or face fines. This further illustrates for me the complete failure in understanding the challenges faced by the security industry.
Last thought: There is much we don’t know about attacks because of several reasons. One is that organizations who are breached often do not report it because of the negative impact it might have. The second is that many organizations are breached and never even know it. So exactly how is this supposed to be enforced fairly across the boards? It can’t be, which undermines the entire idea fundamentally.