Skip to main content

Companies are sorry about security flaws. Just not sorry enough to change

insecure security breach cfpb
Ted Eytan/Flickr
(in)Secure is a weekly column that dives into the rapidly escalating topic of cyber security.

Reuters reported on February 6 that the Consumer Financial Protection Bureau, a key agency responsible for overseeing financial companies, is neglecting its investigation into the Equifax hack that compromised the personal information of millions. The CFPB allegedly has failed to issue any subpoenas or request any testimony — and has backed off cooperation with other agencies like the Federal Reserve.

Sadly, this isn’t a shocking turn of events.

Sadly, this isn’t a shocking turn of events. Various government regulators have levied fines against companies that suffer security breaches in the past, and a handful of past security failures have indeed cost companies dearly. Most, however, survive unscathed.

Two independent studies have confirmed this. One, conducted by the RAND Corporation, found that most computer breaches cost a company around $200,000. That’s a small figure, even for a small business with a few dozen employees. Another study from Columbia University found that the financial cost of a cyber security breach is, on average, less than 0.1 percent of a Fortune 500 company’s annual revenue.

Where’s the stick?

The moral of this is simple – the consequence of a data breach often isn’t high enough to make companies worry about security.

That’s where government agencies like the CFPB need to step in. They can put their fingers on the scales, using fines to make sure companies see real consequences from their failure to protect consumers. In the past, the CFPB has stepped into that role, though it usually hasn’t been a part of enforcement actions that stem from security breaches. The Federal Trade Commission is also involved in many cases but it, too, rarely levies a fine large enough to pose any real consequence for the companies in question.

Giving Equifax a pass? The Administration should get on the side of consumers and focus on making sure hacks like the #EquifaxBreach don't happen again. My bill with @SenWarren would be a good place to start. https://t.co/iJ4neRvjut

— Mark Warner (@MarkWarner) February 5, 2018

Government oversight tends to be lax in the United States, no matter the issue, but cyber security has regulators particularly vexed. It’s usually unclear who is best equipped to handle an investigation, and the damage caused by compromised data isn’t easy to quantify.

In 2013, Yahoo suffered the largest data breach yet recorded, exposing data on all three billion users. What punishment is fair for each exposure? Does the severity of the data loss matter? How can the losses suffered by the victims even be quantified? No one seems to agree and, more importantly, the law doesn’t agree, either. It doesn’t help that the fallout for victims also varies. While some might have their credit ruined or their taxes defrauded, others won’t be harmed at all, and there’s usually no way to link specific breaches with the problems suffered by specific victims.

These complexities allow companies, and other organizations, a chance to dodge responsibility with a meager apology. That’s exactly what Equifax did in the wake of its hack by offering victims free identity theft monitoring. It’s a reasonable and appreciated gesture, but it doesn’t go far enough to protect the victims. Monitoring doesn’t stop identity theft for you and doesn’t reimburse what you’ve lost. It merely helps you pick up the pieces of a bit more quickly than you otherwise might.

Daily data breaches don’t have to be inevitable

There’s only one solution to the problem. We need new, comprehensive laws that hold companies accountable for security breaches.

The Data Breach Protection and Compensation Act of 2018 could be that law. Introduced to congress in January by Senator Elizabeth Warren of Massachusetts and Senator Mark Warner of Virginia, the bill establishes an Office of Cybersecurity, as part of the FTC, which would supervise the data security of large consumer reporting agencies. This new office would have to be notified of any breach within 10 days; currently, companies wait months or even years before disclosing a problem.

Currently, companies wait months or even years before disclosing a problem.

Specific penalties are also noted, starting at $100 if a consumer’s first and last name are compromised, along with at least one item of personally identifying information. An additional $50 is tacked on for each additional bit of info leaked. Although we don’t know exactly what the price of those fines are based on, it’s a penalty scheme that seems to take lessons from mobile data services and ISPs that add steep penalties for data overages. Better yet, half the penalty collected would be given back to the victims.

Those penalties add up. Equifax’s hack would result in a penalty of about $1.5 billion dollars. In fact, the total fine would be higher, but a provision in the bill limits the maximum to a percentage of a company’s revenue. Equifax would no doubt survive such a fine — its annual revenue is $3.1 billion, after all — but it’s steep enough to make any company think twice before slacking on cyber security.

Companies have protested the bill, of course, and it doesn’t seem likely to pass Congress. Yet this is exactly the action that’s needed, and we should all rally behind a push for greater accountability. The near-daily occurrence of major security breaches provides plenty of ammo for this column. But I’d be happy to spend a little more time brainstorming topics if it meant shaking the spectra of imminent identity theft that currently haunts us all, whether we know it or not.

Matthew S. Smith
Matthew S. Smith is the former Lead Editor, Reviews at Digital Trends. He previously guided the Products Team, which dives…
Buy now, fix later — PC hardware feels like it’s in early access
CPU pads on the AMD Ryzen 7 9700X.

PC hardware is feeling increasingly unstable at launch, and that really came into view with AMD's release of Ryzen 9000 CPUs. AMD released several updates for these CPUs in the weeks following their release, boosting performance by significant margins. That performance was absent from these CPUs at launch, as you can read in our Ryzen 9 9950X and Ryzen 9 9900X review, suggesting they weren't quite ready for prime time when they released in August.

AMD isn't alone here. Although Intel's 13th-gen and 14th-gen didn't have big issues at release, they've faced a major instability crisis that forced Intel to replace an untold number of impacted CPUs. Between the latest two generations from AMD and Intel, buying a CPU has meant signing on for problems that are hard to foresee.

Read more
The widest gaming monitor ever is 36% off during Prime Big Deal Days
The Samsung Odyssey Neo G9 57-inch mini-LED gaming monitor placed on a desk.

Samsung’s 57-inch Odyssey Neo G9 curved gaming monitor transports you to the flight deck of the Starship Enterprise (or the cockpit of the Millennium Falcon, if you’re more of a Star Wars person). And for the next couple of days, you can take 36% off during Prime Big Deal Days, which takes place on October 8 and 9. The 7680p x 2160p resolution effectively puts two 4K displays side by side for a 32:9 aspect ratio.

The massive screen immerses you in any game, whether you’re piloting a Formula 1 car around Spa-Francorchamps in Assetto Corsa or getting lost in the dystopian universe of Cyberpunk 2077. It’s also great for multitasking at work, editing photos and videos, streaming or just leaving a chaotic amount of Google Chrome windows open.

Read more
Prime Day is the perfect time to ditch Nvidia for AMD
AMD's RX 7700 XT in a test bench.

There's no doubt that Nvidia makes some of the best graphics cards you can buy, but if you're shopping Prime Day deals, you'll want to take a careful look at Team Red. There's barely an Nvidia GPU in sight that's on sale, and even among those that are discounted, the prices aren't very good. On the other hand, AMD has cards marked down from already reduced prices, making Prime Day the perfect time to score a deal on a GPU.

By far, the best deal I've found is the XFX Speedster QICK319 RX 7800 XT. You can read more about the card in my RX 7800 XT review, but in short, it trades blows and sometimes even beats Nvidia's $600 RTX 4070 Super. The price right now is insane, too. This model normally sells for $520, but it's 18% off for Prime Day, bringing the price down to $427.

Read more