Why I Think There Should be a Password Breach Notification Law

in #security, 8 years ago

Trust. It is earned in drips and lost in buckets.

The same is true for online trust. We all consume and participate in a tremendous number of digital services. Most need some way to tell users apart and to limit what each one may do, and in the majority of cases that means a username and password. We all have them. Many of them, in fact. So many that it is tough to keep track. They are the keys that grant access to our data, services, and online accounts. But what happens when these important assets are exposed to cyber criminals?

Data and account breaches seem to be happening all the time. Cyber thieves are finding ways to steal login credentials of millions of users. The problem is not going to go away. People need to be informed so they can take the appropriate actions to protect their assets and reputation.

If I have an online account with a company and they know my credentials were stolen, shouldn’t they notify me in a timely manner? I should change my password for their site as well as any other sites where I use that password (not that I reuse passwords, but some do!).

Losing Trust

Just in the past week a few companies came clean and confirmed that millions of their users' passwords had been stolen years ago, but that they did not announce it to the public at the time. Dropbox had 68 million passwords stolen in 2012 but only notified users this year. Now Rambler, one of the largest Russian Internet sites, is advising that it also had 98 million passwords stolen in 2012.

Left to their own devices, companies appear to be choosing not to inform users in a 'timely manner' when their credentials are compromised. This seems self-serving and not in the greater interest of everyone. They are protecting their own reputation instead of informing the victims that they have in fact been violated.

The healthcare industry is required to report data breaches. Additionally, there are regulations which require the notification of users when their Personally Identifiable Information (PII) is lost or exposed. Yet passwords are not on the list. But if someone gets your password, they can easily gain access to your data, and to every other account where that same password is used. It just does not make sense.

Although I am not a big fan of regulations, as they tend to be too slow for many situations, I believe this would be an excellent area for legislative value-add! The law can be simple and align or even be amended to existing personal data information breach notifications.

Building Trust

It is time that all sensitive data, even user credentials, be treated equally when part of a data breach, lost, or otherwise compromised. Owners have a right to know, so they can take the necessary steps to protect their reputation and digital assets. Businesses and even government service providers should be required to comply. Only then, can we begin to trust again.

Let’s enact a Password Breach Notification law


There Ought to be a Law?

Really?

Perhaps you might go to the link I just posted, read what David has to say, then get back with us on that.

I do believe regulation, in this rare case, is applicable to set a minimum industry standard for good and ethical practice. Failure to comply would bring regulatory penalties as well as open the door for litigation by the victims.

Now keep in mind, I am not a fan of cybersecurity regulation. I don't take the matter lightly. But in some cases, such as this, it is desirable.
