The news last week that Cathay Pacific had a data breach well over six months ago in March of this year is just the latest revelation in an already urgent situation. We are in a vicious cycle of hack, breach, delay, rinse, repeat…
Repeated instances of substantial delays in any notification of these breaches to authorities and consumers are a reminder of how much work still needs to be done in the ongoing battle of fighting for data security and preventing fraud. Moreover, it’s a huge breakdown in trust. Add to that, as the 115th Congress winds down, what is notable from a consumer data protection standpoint is what did not get done this session. Despite numerous high-profile data breaches and even more numerous hearings, Congress failed to reach agreement on national data breach notification, data privacy protection, or consumer privacy rights.
Consumers whose data has been leaked, stolen or mishandled aren’t even aware that their personal information is at risk for months or even years. But what choice do people have — don’t fly, don’t ride-share, don’t use social media? Okay, we could make those choices if we had to, but we still need to get health services, use a bank or a credit union, be insured, or even get our Social Security benefits.
While 2018 did see the launch of the General Data Protection Regulation (GDPR) and EU-driven privacy protections, as well as state action including the California Consumer Privacy Act set to take effect in 2020, there is still considerable uncertainty around consumer data protection. The administration has announced the intention to create federal data privacy standards, and there is always an appetite to publicly take firms to task for lapses. But when the 116th Congress convenes in January, after what has already been a contentious and bruising midterm election, it is unlikely that protecting data and preventing consumer fraud will be at the top of the agenda. What’s more, with Democrats taking the House and the Republicans building their majority in the Senate, bipartisan consensus may be hard to come by.
Unfortunately, even with better data protection, so much data has already been lost to criminals that we will never get the genie back in the bottle. That’s why we need a second prong in the consumer protection approach. That prong is to stop using consumer data to allow access to financial accounts, health care records and government accounts. There are existing best practices out there to look to, including the current regulatory guidance from the Federal Financial Institutions Examination Council (FFIEC). The FFIEC’s Authentication in an Internet Banking Environment should become the standard for consumer protection of all channels, including calls, internet and mobile apps. Congress and the Administration should prioritize taking meaningful action to advance protections in the increasingly complex data landscape. But as we wait to see what this next legislative session will bring in terms of consumer protection, data protection and privacy, businesses and other organizations must take steps to mitigate risk and prevent fraud. This is especially important for trusted organizations like financial institutions, health care providers, and yes, big government agencies, that have an enormous amount of sensitive information about us.
Trying to stay ahead of fraudsters and hackers is a never-ending battle, and the need to fight fraud and protect personal data is and may always be unfinished business. But taking basic steps to bring back trust in our daily transactions—now that’s just good business.
Patrick Cox is chairman and CEO of TRUSTID.