
Delays revealing data breaches costly

Like JPMorgan, industry practice is to hide evidence

Rumors of a data breach at a major New York bank started circulating in cyber-security circles more than a week before it went public.

So for insiders, news that JPMorgan Chase had been victimized was more confirmation than revelation, just the latest headline from a digital crime wave that shows no sign of ebbing.

But for the millions of customers of JPMorgan Chase, the news reports that began appearing last week were the first indication that their personal information might have been stolen by hackers.

Like Target, Neiman Marcus and countless other companies, the nation’s largest bank chose to keep evidence of a cyber-crime private until journalists forced the issue.

This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.

The result is that days, weeks or longer can pass between when a company learns of a cyber-crime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties – such as a credit card company – that the risk of fraud or identity theft is elevated.

“There have been so many breaches where companies have held information for so long that more disclosure would force companies to do a better job being accountable to consumers,” said Ed Mierzwinski, consumer program director at U.S. Public Interest Research Group. “It’s a real pain in the neck to clear your name. … You have to spend time – a lot of time – clearing your name. And you don’t get paid for that.”

The seriousness of the JPMorgan Chase breach, which involves at least one other bank as well, remains uncertain, though some reports said account data may have been compromised for some customers.

Bloomberg News first reported the intrusion, saying that the FBI was investigating the possibility that Russian hackers had launched an attack in retaliation for U.S. sanctions prompted by Russia’s actions in Ukraine. Other investigators have expressed skepticism about that possibility but not ruled it out.

JPMorgan Chase posted a notice on its website saying, “The security of your Chase accounts is one of our highest priorities,” with general tips on how to protect personal banking security. But it didn’t directly address the numerous news reports of a data breach, nor did it offer details about what happened and who might be affected.

Divergent interests

The most recent news release on the corporate site talks about a partnership between the bank and a water industry nonprofit group in Milwaukee.

A spokesperson for JPMorgan Chase said it will notify consumers if it determines they have been affected but declined to say when or how. JPMorgan Chase also declined to comment on when it first learned of the data breach.

The interests of consumers and authorities sometimes diverge, said Neil MacBride, former U.S. Attorney for the Eastern District of Virginia and now a partner at Davis, Polk & Wardwell.

“Consumers want immediate notification from the breached company while law enforcement may want several days or weeks to investigate a crime scene before hackers are tipped off that the cops are on their tail,” he said.

Notification is a notoriously cumbersome and costly process for companies that have data breaches. Forty-seven states and the District of Columbia have laws governing such disclosures, and a company with a nationwide customer base may have to comply with them all.

There also are notification requirements specific to banks under federal law. Publicly traded companies must report “material breaches” from cyber-crime in disclosures to investors.

And the Federal Trade Commission investigates some corporate data breaches, especially when there is evidence that security measures were not up to industry standards.

The result is a mish-mash of rules and regulations that, in practice, force companies to disclose data breaches but rarely require them to do so quickly. New York’s data breach law, for example, requires disclosure “in the most expedient time possible and without unreasonable delay,” but allows for delay to accommodate “the legitimate needs of law enforcement” during an ongoing investigation.

The work involved in notification – and the public relations price for companies that have failed to keep their customers’ data safe – was a top goal of those who pushed for state notification laws. They wanted to raise the cost of data breaches in order to provide companies with incentive to implement better security practices.

“It wasn’t about providing a lot of notice to consumers. It was about seeking some visibility about lax security procedures,” said Deirdre Mulligan, a professor at the University of California, Berkeley, School of Information who helped craft California’s data breach law, which when it passed in 2002 was the nation’s first.

But 12 years later, as the breaches continue to pile up, some experts say the time has come to revisit the subject – with the goal of prioritizing the interests of the consumers who are affected.

“We’ve got this kind of patchwork, but given the frequency and visibility of these breaches, we ought to have a much more rigorous conversation in this country about data security policy,” said Woodrow Hartzog, a Samford University law professor who specializes in privacy and security.

Taking the initiative

Until then, companies typically are free to take the initiative of notifying their customers quickly. EMC Corp.’s RSA Security division, which makes security tokens for computer networks, publicly disclosed it had suffered a breach in March 2011. Its chairman, Art Coviello, posted an urgent message on its website acknowledging the intrusion by what Coviello described as an “advanced persistent threat.” Intelligence officials later said they traced it to China.

“This was an extremely unusual event where the corporation very quickly identified the breach and disclosed it,” said Michael Brown, then a senior cybersecurity official at the Department of Homeland Security and now a vice president and general manager at RSA. “And we on the government side were very impressed.”

The company’s action, he said, enabled the alerting of its customers in the private sector and in government about ways to detect if they were vulnerable and to protect themselves.
