A consumer group is pushing business and government to adopt comprehensive reforms to better protect consumer data by, among other things, urging lawmakers to pass a stringent national data breach notification bill and software vendors to not rely on patches to secure their products.
Noting that consumers are being asked to fork over more information, and that data breaches put that information at great risk, the National Consumers League (NCL), a 115-year-old consumer advocacy group, has developed an awareness campaign and a list of reforms as part of a #DataInsecurity Project because “the landscape of protection for consumers is woefully inadequate.” Those concerns are borne out by NCL's "The Consumer Data Insecurity Report: Examining the Data Breach—Identity Fraud Paradigm in Four Major Metropolitan Markets," based on recent research from Javelin Strategy & Research.
“Consumers are being asked to share more information with business, government and non-profits,” John Breyault, NCL's vice president, public policy, telecommunications and fraud, told SCMagazine.com Monday. “And the information is not always as protected as we think it should be.”
Initially convening late last fall at a conference to discuss identity theft, the group, which has been trying to hammer home the importance of online security for 20 years, changed its tactics in the wake of the Target breach.
“We realized we needed to rethink our approach and not just focus on the symptoms and ignore the larger issues,” Breyault said.
The NCL aimed its efforts at “what can be done by government and what incentives business needs” to bolster security.
The Javelin research, which Breyault co-authored and which surveyed fraud victims in four major metropolitan areas (Washington, D.C., Minneapolis, Miami and Los Angeles), found that victims, nearly a third of whom take no action in the aftermath of fraud, blame businesses and banks for breaches. The bulk, 70 percent, “expect the federal government to ensure that businesses adhere to data security standards,” though they also see existing regulations as “generally insufficient.”
The NCL intends to put pressure on lawmakers to come up with a national data breach bill, modeled after the tough, no-nonsense California legislation.
Although there is broad agreement that data is at risk, which should make protecting it a bipartisan effort, Breyault noted that data security legislation has been “held up for years in Congress,” with the exception of the recent progress made regarding information-sharing. And with only about “four weeks left until Congress recesses,” he doesn't expect legislative action any time soon.
“After that, it's hard to see how we're going to get legislators interested in anything but the [upcoming fall] elections,” he said.
But not all the responsibility rests on Congress's shoulders.
“Business has to step up and take greater responsibility,” said Breyault. “Right now, there's not a lot of liability,” he explained, except for companies operating under HIPAA or Gramm-Leach-Bliley (GLB) requirements.
The NCL also finds fault with software vendors, which in the rush “to get products to market quickly, are not worrying about security” and instead issue patches later to fix vulnerabilities, Breyault said, noting that a reliance on patches gives rise to threats such as zero-day vulnerabilities.
“We'd like to see software companies do more upfront,” he said.
In the meantime, consumers, too, can take additional measures to protect themselves, first and foremost by taking action after fraud.
“One of the most interesting data points in the [Javelin] report is that about one in three victims of fraud — that's 32 percent — failed to take any action,” said Breyault.
Although researchers didn't ask victims what motivated their inaction, Breyault believes that some of the tools consumers are given are “too hard to use or they don't understand how to use them or what to do.” He noted that many don't know what a breach notice means or what a breach “means to them.”
The NCL is taking its awareness campaign and call for reform out to the four markets that were surveyed by Javelin by hosting events in each city. The group has already convened in Washington and will next go to L.A., then Chicago, before wrapping up in Minneapolis.