The Target breach can now be added to a long list of historical events that occurred on December 19th. It should rank somewhere between King Henry II being crowned King of England in 1154 and Italy besting Chile for the 65th Davis Cup in 1976. At least we hope that is the case.
There has been a proliferation of articles and communication across multiple media channels highlighting this incident. Most of the articles have provided sensible tips to consumers on what steps to take and how to react. Many have included stories from consumers expressing their outrage. Some have even vilified Target for the incident. Why then would an organization such as the ITRC, built on advocacy and consumer trust, actually want to thank Target? Because breaches happen all the time! In fact, we have documented more than 600 breaches, THAT WE KNOW ABOUT, in 2013 alone. But this time, everyone is talking about it. Finally.
It is unfortunate that it took an incident from such an iconic brand, during the holidays and in such a broad scope, to cause this kerfuffle. But in our estimation, this reaction is long overdue. Consumers need to be aware that the information and data they have floating all over the place is vulnerable. They need to know that their data can be breached, even if they themselves follow all the best practices. There – I said it. Individual consumers are powerless to stem the tide of data breaches. That last statement will cause both advocates and consumers to cringe. But it’s the truth and someone needs to say it.
There are things people can do to minimize the damage that can result from a data breach, but that is different from doing things to stop a breach (ways to minimize damage after a breach will be covered in depth in Part 3). Right now, the services we consumers use, and the businesses we trust to safeguard our data, are the ones that must take steps to ensure that the risk to us is lessened. And we think that in many ways, the business community on the whole is making efforts in this area. Do we really think that Target WANTED to admit to a data breach, during the holiday season, right before the second busiest shopping day of the year (according to ShopperTrak data predictions)? Of course not. But once they were outed by a security expert, they were compelled, in part, by the laws that govern the reporting of breaches to affected parties.
For those of you who don’t believe that laws elicit compliance, I remind you of an old saying among the financial detectives I used to work with: “Locks are for honest people.” After all, a thief would simply break a lock and take off with whatever valuable goods are inside. Honest people are deterred by “locks” and, when presented with guidelines and guardrails, they generally practice restraint, even if a little bit tempted, because they don’t want to be a criminal. Laws are an outside force that compels us to govern ourselves because we don’t like the consequences (think speed limits and jaywalking laws). In the case of a data breach, mandatory breach reporting laws are locks. The fact that four states (Alabama, Kentucky, New Mexico and South Dakota) still do not have laws/regulations regarding mandatory reporting is troubling.
Breach reporting laws keep the honest companies in compliance and ensure a safer environment for consumers on the whole. Untrustworthy members of industry won’t report a breach regardless of the law. Compliance and noncompliance can be useful indicators to consumers when they are sorting out which companies to trust in this complex landscape. This incident may well have us on our way to more dialogue about a robust federal data breach notification law. Why? Because now consumers will be engaged in the dialogue and we need that critical participation from them. The business community can (and mostly does) support a law that promotes uniformity in the reporting guidelines across all states, thus simplifying their breach reporting process. After all, with national and international companies (like Target), why should your right to know be based upon where you reside? That is an oversimplification, but you get my point.
Let’s be hopeful that 2014 will bring a new round of meaningful dialogue in this area and let us hope that consumers, with this new awareness, are stronger participants in the conversation.
“Why I want to say Thank You to Target (Part 1 of a 3 part series)” was written by Eva Velasquez. Eva is the CEO/President of the Identity Theft Resource Center. You can follow her on Twitter at @ITRCCEO. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.