Why There Will Be Another Major Data Breach

The storm of consumer-focused data breaches started off as intermittent downpours — Choicepoint, TJ Maxx, SONY, LinkedIn, Twitter, Adobe Systems — and is now a torrent: Target, Neiman Marcus, Kickstarter, White Lodging, the Sands Casino, and now everyone who’s attended or worked at the University of Maryland since 1998. In each case, hackers weren’t after the company’s intellectual property or trade secrets: they were after your information, because it’s the key to your money.

In fact, though it’s been widely reported that the Target breach cost $240 million so far, that amount doesn’t take into account the fraudulent charges individuals had to fight and is itself split among the many financial institutions whose customers were affected by the breach. Meanwhile, Target said in January that it expected to lose only 2-6% of sales over last year, and only in the first quarter.

That is why these breaches are just going to keep happening: in the absence of laws or regulations forcing all companies to protect your data (and your money) better, companies simply aren’t going to lose enough money in a data breach to “justify” the costs of better security.

Meanwhile, all of us will end up paying more to offset the costs of these breaches, in terms of higher account fees, lower service levels and the like. But better laws requiring companies to protect the customer data they use, collect and store do not appear to be coming your way any time soon.

Deep in the midst of this current and ongoing cyberinsecurity epidemic, the White House issued its long-awaited “guidelines” for cybersecurity and critical infrastructure last week. In the document, its authors wrote:

Similar to financial and reputational risk, cyber security risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

Why might a document laying out guidelines and best practices have to remind its readers and target audience that there are serious costs to bad cybersecurity practices? Because the guidelines have no force of law and no incentives to encourage companies to comply — and the Administration says it has no plans to track if or how anyone even bothers to comply with the framework, anyway.

It’s not like these companies don’t know what best data security practices are – reports indicate that at least one Target employee raised alarms before Black Friday last year — and it’s not like there aren’t a plethora of other companies who would help them if they don’t have the internal resources. But updating systems, doing regular information security checks and focusing on employee training can be time-consuming and expensive.

But when the costs of any one data breach are shared by so many companies and individuals, the cost of rigorous data security to any one company might well be more than what it stands to lose in a given breach. We see this with the slow roll-out of more secure chip-and-pin cards, which are broadly used elsewhere in the world but won’t be widely available in the U.S. until after 2015: it’s an (increasingly) expensive system to implement, and no one entity pays enough because of the fraud the old system encourages to bother going first.

Cybersecurity is fast becoming a classic market failure: the costs of protection thus far outweigh the potential costs of a breach. But unlike most other classic examples of market failures — education and environmental protection, to name two — the government seemingly has no appetite to step in and resolve the market problem with laws, regulations or even tax incentives. Instead, they’re stuck reminding companies how costly a breach could eventually be.

So the next time you hear about a data breach — and with recent history as a guide, that’ll be fairly soon — and you wonder why this keeps happening, just remember that it all comes down to money: yours (that the criminals want), and the cold hard cash that some corporations and institutions haven’t spent to keep your information secure.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.
