Target Corp. is learning the hard way: The price is steep for retailers who don’t protect customers’ sensitive financial information.
Target’s profits fell a whopping 50 percent during its fourth quarter of 2013 as the result of a massive security breach involving as many as 110 million of its customers’ credit- and debit-card accounts, which began the day before Thanksgiving and extended throughout much of the holiday shopping season.
In fact, the Nightmare before Christmas continues to play as Target provides customers with free credit-monitoring and theft-protection services and pays legal fees incurred by investigations and litigation.
Profit provides an all-powerful incentive for private-sector businesses to beef up their cyber security and respond immediately when computer systems get hacked.
But what is an effective inducement for public agencies to shield sensitive information like Social Security and drivers’-license numbers or delicate health data?
Political consequences certainly can provide significant incentives.
South Carolina Gov. Nikki Haley was forced to accept responsibility after digital thieves hacked into her state’s Department of Revenue computer servers and swiped tax returns containing Social Security numbers and bank-account information involving 5 million individuals and businesses.
States “hold loads and loads of sensitive information - more than any other entity, except - possibly - for a company like Google,” said Nathan Cryder, chief policy advisor for state Auditor Adam Edelen.
Edelen is pushing legislation to prevent a South Carolina-like cyber disaster here by requiring state and local government agencies to notify victims of stolen data within 35 days of a security breach. It also requires the Commonwealth Office of Technology to develop a crisis plan and provide cyber-security training for agencies.
Cryder calls the proposal “a no-brainer.”
What’s disconcerting is that most Kentuckians probably assumed that such a plan and notification requirements already were in place.
But keep in mind what “assumptions” can make out of us.
Based on her post-hacking comments, it’s possible that South Carolina Gov. Haley didn’t know about the cyber-security lapses in her own state, either.
A penitent Haley now is performing what may be considered the gubernatorial version of “community service” by making it her mission to warn other states and federal agencies like the IRS to encrypt the taxpayer data they have been entrusted with.
Encrypting occurs by adding layers of protection so that thieves, even if they successfully hack a computer server, cannot decipher sensitive information without the cryptographic key. These bandits may break into the bank but, without the combination, the money in the vault remains inaccessible to them.
House Bill 5 does not require government agencies to encrypt data. However, isn’t it just common sense to do so?
Investigations following the attack in South Carolina revealed the state could have prevented $12 million worth of damage - plus great loss of public confidence in the government - for a $12,000 password-encryption system.
An ounce of prevention really is worth a pound of cure.
The cyber-security bill arrived at the Senate’s State and Local Government Committee after sailing through the House on a 99-1 vote. Sen. Joe Bowen, R-Owensboro, who chairs that committee, indicated he supports improving cyber-security but rightly wants to ensure that state government doesn’t force unfunded mandates on local governments.
Bowen should use the committee process to protect local governments, but then also protect taxpayers by doing what 46 other states already have done: pass a breach-notification bill and avoid what at least one state, its political leaders and - most importantly - its citizens endured.
If government-spending decisions should be transparent to taxpayers, so too should breaches involving personal data they hand over to that government.
It really is a no-brainer.