Sony’s popular PlayStation Network suffered a massive data breach earlier this year, exposing 100 million users’ credit card numbers, home addresses and more. Numerous other firms, including Morgan Stanley and marketing firm Epsilon, also have suffered major breaches in recent months. With this epidemic of data breaches making headline after headline, it was only a matter of time before Congress got involved. But more government intervention will only make things worse.
Data breaches can occur for any number of reasons, from the carelessness of employees, to the use of an exploit on a server, to a complex orchestrated intrusion of a system. This is similar to your house being burgled: It could be because you left the front door wide open, or maybe a window unlocked, or sophisticated burglars scoped out your place and struck, despite locked doors and an alarm system.
Many businesses need to do more to safeguard users’ personal information. But the federal government is not properly equipped to dictate how companies must safeguard customer data. America’s unrivaled information security industry is creatively responding to data breach concerns with new technologies that promise smarter, more effective approaches to combating data breaches. Congress can’t even ensure federal agencies secure their data, as illustrated by the recent WikiLeaks snafu and the Conficker worm, which has afflicted millions of government computers.
These lessons have fallen on deaf ears on Capitol Hill. Last month, a trio of Senate bills targeting data breaches passed out of committee. The most comprehensive of these, sponsored by Sen. Patrick Leahy (D-VT), would enjoin the Federal Trade Commission to regulate the security practices of businesses that collect personal data. The legislation would also require companies to promptly notify customers whenever breaches occur. The other two bills contain similar provisions, although they differ in their treatment of federal agencies and breach notification requirements.
Lawmakers’ current approach to data breaches wrongly treats companies as culprits, not the victims they are. Kevin Mandia, founder of the information security company Mandiant, recently told the House Intelligence Committee that data breaches are not necessarily indicative of a company’s security standards. Attackers only needs to find a single vulnerability, but defenders have to carefully guard their entire systems. Thus, breaches are a real risk even for companies with superlative security practices. By penalizing firms that take data security seriously, we risk encouraging businesses to focus more on keeping regulators at bay than on genuine security improvements.
As AT&T cybersecurity chief Edward Amoroso argues, the essence of robust security lies not in standardization, firewalls or antivirus programs, but in fostering a diversity of systems and methods. If federal bureaucrats ordain a finite universe of acceptable security practices, bad guys benefit from a more predictable set of platforms and technologies on which to focus their attacks.
The evolution of data security and the responsible stewardship of personal information should be driven by consumer demand, not by bureaucratic whim. Companies that fail to protect against data breaches will suffer as consumers seek better security with their competitors. Sony, for instance, took a huge reputational hit for mishandling the massive breach it suffered earlier this year, which also wiped out billions of dollars in shareholder value. This result is hardly surprising — consumers value the integrity of their data and will vote with their wallets against companies that make mistakes.
America’s information security sector has grown by leaps and bounds in recent years. From start-ups to industry giants, myriad companies continue to roll out a wide variety of services to help companies secure sensitive data. Security firms like Websense, Fortinet and SourceFire are offering database-hardening services and vulnerability assessments. Other nascent firms, such as Co3 Systems, specialize in helping companies handle the aftermath of a breach.
Data breach insurance is also gaining traction as companies strive to manage data breach risks and safeguard their networks. As data security concerns mount, insurers will increasingly work with companies to meet data security challenges, just as insurers already help businesses improve workplace safety practices to minimize costly employee injuries. The Hartford Group, for instance, now includes data breach coverage in its Spectrum Business Owners Policy package, which is designed for small firms.
The security threats consumers and businesses face are real, but more government red tape and mandates are not the solution. A dynamic threat requires a dynamic response, which is what markets do best. Government-mandated rules could smother this vibrant and growing private market for security and insurance. Congress should stay its heavy hand on data security.
Ryan Radia is Associate Director of Technology Studies at the Competitive Enterprise Institute, where Luke Pelican is a Policy Fellow.
