Taking responsibility for data breaches
The New Jersey state legislature has a group of bills circulating, intended to increase company accountability in the event of a breach. One would require breached companies to pay for customer credit reports for six months, as well as allowing a parent or guardian to freeze their child’s credit report. Another would require the encryption of all outgoing data involved in consumer credit requests.
This is the latest instance of a state taking the initiative, to make up for the lack of national breach guidelines. “Twenty-nine 29 other states do this. We need to do it here. We need to protect our minors,” says Paul Moriarty, chair of the Assembly Consumer Affairs Committee.
Attempts like this come at a time when the repercussions of the Equifax breach are still being felt by numerous entities. Equifax continues to provide Congress with details of the breach. The growing tally of affected customers steadily approaches 150 million. And yet, there are companies out there still using the vulnerable software that made the hack possible. Over 10,000 such businesses, in fact. The software in question is an old version of Apache Struts, and though Apache has since released several patched versions, these companies are still riding with the old one. Among this number, reports ZDNet, are over half of the Fortune Global 100 firms.
People are clearly still not taking proper precautions with their customers’ data. The ethical issues surrounding privacy and security have never been laid bare more than at this time, especially in the wake of the Cambridge Analytica/Facebook scandal. Over at Entrepreneur, Prof. DK Batra adds his voice to the growing chorus calling for government to get tougher on regulation and penalty enforcement. His ideas specifically include amending the laws to consider data obtained through social engineering as a breach (as you may recall, there was a debate whether this story constituted one).
Parallels continue to be drawn to GDPR. Once the new European policy takes effect, all businesses that handle the data of EU citizens will be subject to its strict guidelines. As it stands now, however, it remains for the states to struggle to enact their own local laws, adding to the confusing regulatory patchwork across the US.