
My Two Cents: There Oughta Be A Law!

Updated on February 9, 2015

For What It's Worth

Published July 7, 2014

by Rachael O'Halloran

The views in this copyrighted article are solely those of Rachael O'Halloran.

If you choose to share this article, please use the share buttons on the right or the following link:

http://rachaelohalloran.hubpages.com/hub/My-Two-Cents-There-Oughta-Be-A-Law

Thank you.


Security Breaches

With the rash of security breaches we have heard about on the news where companies have not notified the public until weeks, sometimes months after they've been hacked, you would think there oughta be a law "requiring" them to do so ... or else!

It is bad enough that we hear about it after the fact. What really stings is that they didn't think we, their loyal customers, mattered enough to be told about the intrusions in a "timely fashion" so we could get on the ball and start being more vigilant.

Many people just pay their credit card bill each month and don't even look at the charges on their billing statements. While that's not so smart, these are also the very same people who will cry out the loudest: "Why didn't someone tell me that my credit card data was stolen?"

Believe it or not, the laws that do exist all draw a line at 500 people. The HIPAA Breach Notification Rule requires health-care providers and their business associates to report any breach affecting 500 or more individuals to the Secretary of Health and Human Services (and to the local media) without unreasonable delay; smaller breaches go into a log that is reported once a year. Some states, California among them, require a copy of the breach notice to be sent to the state Attorney General when more than 500 of their residents are affected. There is no general federal breach-notification law at all.

So if a breach affects fewer than 500 (unlucky) people, no regulator hears about it promptly, no newspaper is told, and, outside the health-care rule, whether the affected individuals are told at all depends on which state law, if any, covers the company. We certainly can't all count on a personal notification.

You might ask, "Well, Rachael, what can we do, even if they did tell us about the hacking incident?"

There are measures that consumers can take as I outlined in my article "How to Protect Yourself After A Security Breach or a Hack."

We may never win the war, but at least we can win a couple of the battles.

Chinese Hackers Indicted

In May 2014, the Justice Department announced that a grand jury had indicted five officers of the Chinese military for "economic espionage" - for hacking into American companies and stealing their trade secrets. Indicted, not arrested: none of the five is in U.S. custody.

According to the FBI, they are only the tip of the iceberg. There are home-grown American hackers, Russian hackers, Syrian hackers, Italian hackers, and Nigerian hackers, with more being trained and polishing their cyber-skills every single day.

Introducing: The EINSTEINS

The original Privacy Impact Assessment (PIA) for EINSTEIN 1, dated September 2004, explained that EINSTEIN 1 analyzes network flow information from participating federal executive government agencies and provides a high-level perspective from which to observe potential malicious activity in computer network traffic of participating agencies' computer networks.

EINSTEIN 2 incorporates network intrusion detection technology to alert the United States Computer Emergency Readiness Team (US-CERT) of the presence of malicious or potentially harmful computer network activity but only in federal executive agencies' network traffic.

Similar to EINSTEIN 1 and EINSTEIN 2, EINSTEIN 3 enhances cybersecurity analysis, situational awareness, and security response and is not only able to detect malicious traffic targeting Federal Government networks, but also prevents malicious traffic from harming those networks.

- quote from The Department of Homeland Security website

Department of Homeland Security To The Rescue?

The National Protection and Programs Directorate is part of the Department of Homeland Security (DHS) and they are offering the use of two of their three "EINSTEINS."

Up until now, this agency only worked with other federal agencies in providing a "situational awareness snapshot of the health of the federal government's cyber space." I'll attempt to explain some of that doublespeak in a minute.

Now they want to get involved in helping protect private businesses against breaches, especially medical facilities and health-care providers - because they have done such a bang-up job in requiring all of them to go "electronic" with patient records.

Einstein 1 and Einstein 2

The official website language is quoted above, but here's the plain-language version.

EINSTEIN 1 collects network flow records from participating federal agencies: who talked to whom, on which ports, when and how much, but not what was said. Analysts use those records to spot odd patterns and work with the affected agency to address (not fix) the entry point the threat used and the vulnerability behind it.

But this is only done with federal agencies who voluntarily participate in their program.

After the breach, it is up to that federal agency to share findings with the public. (Federal agencies are not subject to the state breach-notification laws that bind the private sector; they report incidents to US-CERT under OMB guidance instead, and that guidance sets no deadline for telling the affected public.)

EINSTEIN 2 adds signature-based intrusion detection to the same traffic: it watches for known-bad patterns, alerts US-CERT when it sees one, and the resulting "situational awareness" is shared with the participating agencies so the same hole is not hit twice.

EINSTEIN 2 detects; it does not block.

Its job is to flag that a known threat is on the wire so the agency can act. EINSTEIN 1's flow records are what let analysts reconstruct how the threat got in.
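To make the flow-record idea concrete, here is an added example of my own (not DHS code; EINSTEIN's actual record format, thresholds and analytics are not published, so everything below is an assumption) that runs two of the simplest flow analytics over a handful of constructed records: a port-scan check and a beaconing check.

```python
"""Toy network-flow analysis in the spirit of the EINSTEIN 1 description.

Added example, not DHS code. The record layout, the two thresholds and the
sample flows below are all assumptions made for illustration; EINSTEIN's real
formats and analytics are not published.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
# A flow record carries only this metadata, never the packet contents.
SAMPLE_FLOWS = [
    # ordinary HTTPS from a workstation to two web servers
    (0, "10.1.1.5", "203.0.113.10", 443, 5200),
    (30, "10.1.1.5", "203.0.113.11", 443, 8100),
    # one host touching 25 consecutive ports on one server: scan pattern
    *[(60 + i, "10.1.1.77", "10.1.2.9", 20 + i, 60) for i in range(25)],
    # one host calling the same external address every 300 s: beacon pattern
    *[(100 + 300 * i, "10.1.1.42", "198.51.100.7", 8080, 512) for i in range(8)],
]

SCAN_PORT_THRESHOLD = 20      # distinct dst ports from one src to one dst
BEACON_MIN_CONNECTIONS = 6    # repeated flows needed before we call it a beacon
BEACON_MAX_JITTER = 0.10      # allowed stdev/mean of the inter-flow gaps


def detect_scans(flows, threshold=SCAN_PORT_THRESHOLD):
    """Return (src, dst, port_count) for every src->dst pair whose count of
    distinct destination ports reaches the threshold."""
    ports = defaultdict(set)
    for _ts, src, dst, dport, _nbytes in flows:
        ports[(src, dst)].add(dport)
    return sorted(
        (src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= threshold
    )


def detect_beacons(flows, min_conns=BEACON_MIN_CONNECTIONS, max_jitter=BEACON_MAX_JITTER):
    """Return (src, dst, dport, count, period_s) for every src->dst:port tuple
    contacted repeatedly at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        times[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), ts in sorted(times.items()):
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        period = mean(gaps)
        # a beacon is a train of flows whose gaps barely vary around the mean
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            findings.append((src, dst, dport, len(ts), round(period)))
    return findings


def analyze(flows):
    """Run both checks and return the findings keyed by pattern name."""
    return {"scan": detect_scans(flows), "beacon": detect_beacons(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_FLOWS).items():
        for hit in hits:
            print(kind, hit)
```

Note what the flow records cannot tell you: that 10.1.1.42 calls 198.51.100.7 every five minutes, but not what it sends or which implant is doing the calling. That gap is what the signature-based detection in EINSTEIN 2 and the blocking in EINSTEIN 3 are meant to fill, and it is also why a flow-only program and a desktop antivirus are not interchangeable: one sees every host's conversations but no content, the other sees one host's files but none of the conversations.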

These are your tax dollars at work, folks. Does it sound like a bunch of garbage to you?

Well, it does to me.

Simplified, it takes two EINSTEINs to do, for a whole agency's network edge, roughly what a $100 virus protector and a $50 malware protector do on one desktop: spot known-bad activity and tell someone about it. The difference is that the desktop products also quarantine what they find; the first two EINSTEINs only watch and report.

With all the technology available (not to mention our tax dollars), why can't our government step up their EINSTEINS to be more pro-active and actually FUNCTION like a computer instead of masquerading as one?

It is no wonder there are so many breaches in government and health care networks.

After all these years, with only participating FEDERAL agencies as members in EINSTEIN programs, where does that leave everyone else?

It doesn't take an EINSTEIN to figure it out.

We are in the same place we have always been - on our own.

Many states have a system or laws that itemize steps to notify consumers of data breaches.

But there are states who have no laws on their books to require them to notify consumers at all.

One way, but certainly not the only way, any of them will come into compliance is if there are strict penalties for failure to notify consumers within 24 to 48 hours of discovering the breach. (Every deadline has to run from discovery; nobody can notify anyone about an intrusion they have not found yet, which is one more reason the detection side matters.)

The Government Thinks Cyberinsurance Is The Solution

The Department of Homeland Security thinks that among other benefits, cyberinsurance will protect the companies against lawsuits from the public.

According to one online columnist, cyberinsurance can include the following coverage:

  • company costs for data breach notification to customers
  • protection from liability due to employee breaches because of illegal use of consumer data
  • providing free credit reporting benefits to customers
  • protection against third-party claims for class action lawsuits.

Cyberinsurance doesn't do a thing to beef up a company's security. And it does nothing to aid the average consumer.

If anything, cyberinsurance will make hacking more profitable to the hacker because insurance covers the company's butts. The hackers will think it is a free ride since everyone's bases are covered.

Hacking will be viewed even more as a victim-less crime.

If EINSTEINS become involved in the private sector's security and in regulating cyberinsurance, one can only cringe at how long it will take and how well it will perform.

When the healthcare sector was ordered to make all their medical records electronic, they were given attractive monetary incentives (thousands of dollars) to become compliant within 24 months or else be fined. In other words, they had to be bribed to do it.

Between employees taking work home with them on flash drives and laptops being left in car trunks, the breaches have multiplied. (Under the HIPAA rule a lost laptop or flash drive counts as a breach only if the data on it was unencrypted; properly encrypted data is treated as "secured," which makes full-disk encryption the cheapest way to take most of these incidents off the list.)

And those are just the breaches the public is told about.

One can only imagine how much each company in private sectors will be paid to ready their network systems for cyberinsurance compliance. If the EINSTEINS are overseeing any part of this, it's not going to be pretty.

It's going to be expensive.

Target Security Breach

Child Aspirations

Children will be answering their mothers about what they want to be when they grow up:

"I want to be a doctor!"

"I want to be a lawyer!"

"Doctors and lawyers work too hard. So I want to be a hacker!"

The Attorney General, Eric Holder

Eric Holder, the present Attorney General, whose department is the one that prosecutes the hackers once they are caught, published a press release on February 24, 2014.

In it, he urged Congress to create a "strong, national standard for quickly alerting consumers whose information may be compromised by cyberattacks."

You can read the entire press release at the United States Department of Justice website.

Today is July 7, 2014.

It's only been a few months since his February press release as to what the American people "need." It just goes to show you, no one listens to him either.

If companies are not held accountable for delaying reporting time to the Attorney General and US Secret Service, the public will always be in the dark about breaches and the extent of them.

It's not fair.

Playing Devil's Advocate

What if .... President Obama, Mrs. Obama, Vice President Biden, Mrs. Biden and at least three Supreme Court Justices all had their personal identifying information hacked from their tax returns and put in the wind.

I chose tax returns because we can't rely on their credit card data being hacked due to the fact that these are people who don't really PAY for anything with the perks they get.

So maybe if their data was accessed from their tax returns, maybe then the squeaky wheel will get the grease.

Maybe laws will change and actually be enforced.

It really shouldn't take someone high up on the chain of importance to be affected by a breach for things to change in this country.

But I think it needs to come to that for any significant changes to go into effect.

My Two Cents: Size Doesn't Matter

I think any company who is aware of a breach or hack who does not notify the public within 24 to 48 hours of the incident should be fined $1000 per affected consumer PER DAY. (Fine to be adjusted per inflation!)

Regarding the laws that only kick in when 500 or more consumers are affected: I think maybe companies feel that since the present rules are so laissez-faire, they don't need to take breaches seriously enough to notify the public.

So, I would like to see the "500" part deleted from the law.

500 people or 5 million people, size doesn't matter. We are all affected in some way by a breach.

We are real people, not just numbers on a credit or debit card.

Chime in with your two cents by leaving a comment.

Thanks for Reading :)

Do Not Copy

© Rachael O'Halloran, July 7, 2014


Comments


  • billybuc profile image

    Bill Holland 2 years ago from Olympia, WA

    As soon as you mention our government my brain shuts down. Why is it that I have no trust in our government? Oh, wait, I remember...because they have given me no reason to trust them. :)

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #billybuc,

    I'll agree that their trust level is certainly nothing to brag about.

    Thanks for reading, at least until you got to the word government. lol

  • FlourishAnyway profile image

    FlourishAnyway 2 years ago from USA

    You are a gritty lady, Rachael. I found this to be disheartening but reflective of what's going on today. You are sooo right about employees taking home info on thumb drives, etc. I used to work for a state government agency and they did not make employees aware that their personal data was accidentally left available on the web for more than 24 hours. Talk about a whoopsie.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #FlourishAnyway,

    I can certainly believe that scenario. The depth of corporate carelessness hasn't even been skimmed yet. Imagine all the breaches they never own up to!

    When I was employed in big facilities, we had inservices on even the most mundane of subjects. The reason was to stay in compliance with federal government guidelines and to give exemplary patient care.

    I think companies would do well to adopt the same concept but first the government has to lay down the law and make certain things mandatory. When they do, then we might see some of the carelessness decrease. Until then, we are all sitting ducks.

    I'm sorry you found my article disheartening but it is just my opinion. It doesn't mean they are right, but it is the way I see things.

    Thanks for reading and commenting :)

  • bravewarrior profile image

    Shauna L Bowling 2 years ago from Central Florida

    I agree that the laws should change. With identity theft on the rise, each and every one of us should be protected - not groups of 500 or more.

    I'm puzzled as to why anyone would report your articles. I find them very informative and well-researched. What could possibly be wrong with that?

  • breakfastpop profile image

    breakfastpop 2 years ago

    It's a combo of common sense, a responsible attitude and decency. If companies refuse to report instances big or small of hacking they should be heavily fined. Only when their bottom line is affected will they "do the right thing." The same is not true of the government. They never do the right thing. Up, useful, interesting and awesome.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #breakfastpop

    Common sense is not a gift everyone has and clearly if these companies were decent and responsible in their ethics and reporting of breaches, I wouldn't have written this hub at all. lol

    Government is a shady subject with most and I hesitated writing this hub for that reason but since they want to branch out from the great job they think they are doing in government and interject themselves into marketplace breaches, we can only hope they screw it up enough to hang themselves.

    To get companies to be compliant, I do believe in hitting them in their wallet because that to me is where it hurts the most. But since government is the only entity allowed to make laws and enforce them, unfortunately we have to "put up with them" to get the things we want done.

    Thanks for reading and voting

    Rachael

  • ologsinquito profile image

    ologsinquito 2 years ago from USA

    If only these hackers could instead do good. They are brilliant people who could change the world for the better. I think about this every time I hear of a major hack or an ATM skimming incident.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #ologsinquito

    "If only these hackers could instead do good. They are brilliant people who could change the world for the better."

    Isn't that the truth! Thanks for reading and commenting :)

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #bravewarrior

    I agree, 500 or 5 people, all should be notified of a breach. Thanks for reading and commenting.

  • Eiddwen profile image

    Eiddwen 2 years ago from Wales

    Very interesting; a great read and thanks for sharing.

    Eddy.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #Eiddwen

    Thanks for reading, Eddy :)

  • vkwok profile image

    Victor W. Kwok 2 years ago from Hawaii

    Bill is right. If the government really wants people to stop trashing on them, they really should actually do something useful and concrete.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #vkwok

    Yes, you are right. But getting them to comply is a different matter altogether. :(

    Thanks for reading.

  • AliciaC profile image

    Linda Crampton 2 years ago from British Columbia, Canada

    This is very interesting, Rachael. Every time I read a hub like this I wonder if we face the same situation here in Canada. I really must do some research! Thanks for sharing this important information.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #AliciaC

    Breaches are not indigenous to any one country. Everyone is affected because hackers are not particular. To them, everyone's money is good money. lol

    Thanks for reading and commenting.

  • Suzanne Day profile image

    Suzanne Day 2 years ago from Melbourne, Victoria, Australia

    I agree that the government should be more practical and companies should be more accountable for these breaches and the safety of customers' personal information. As you've pointed out, we really are on our own with this and the law needs to keep up.

    I really do not understand companies' reluctance and cheapness in working with more IT staff to get this rectified. Small business may need other assistance, but large, profitable companies really should do more and be held more accountable for their actions. After all, if a product was poisonous, it would be pulled from the shelves with direct notice, so why would leaking customer information be treated with any less concern?

    Voted useful and up!

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #Suzanne Day,

    Exactly! Recalls on products are made public in so many media venues and yet breaches are swept under the rug. I don't understand it, except to say they are probably concerned about their company reputation and commerce - the almighty buck.

    If their customers knew they had a big breach, not only would existing customers stay away but future business would suffer as well. It is wrong on so many levels. Government has to pass more laws to make these companies accountable because as long as they are policing themselves, we are doomed.

    Thank you for your comment and votes :)

    Rachael

  • teaches12345 profile image

    Dianna Mendez 2 years ago

    I believe companies should warn their customers as soon as possible about security breaches. It would keep them loyal to the brand and product. How many people have stopped using Target or Michael's due to this issue? Great topic and well done.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #teaches12345

    I think so too. If they would report sooner, maybe we can head some of these thieves off at the pass.

    Thanks for reading, your praise and for your comment.
