Update to this blog (June 7, 2016):
A bill in Congress that would require retailers to inform consumers of a data breach involving their personal data is facing opposition from the retail industry.
In October of 2015, Experian, the world’s biggest consumer credit monitoring firm, disclosed a massive data breach that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc. What is more, they waited almost two weeks before making the public aware.
Ironically, Experian itself is in the business of data protection and data breach resolution. Here is an excerpt from their “Data Breach Resolution” service:
“Turn calamity into calm – When a data breach hits, one wrong maneuver can put you in the path of fines, litigation, customer turnover and brand erosion. Experian Data Breach Resolution is here to steer you through the storm.
Experian Data Breach Resolution upholds the highest standards of regulation and compliance to bring you premium data breach resolution. We’ll meet your needs for effective and fast resolution, and we’ll help protect the individuals looking to you for added security following a data loss. We customize and scale our services to discreetly handle each breach of data, whether it affects hundreds, thousands or millions of individuals. From notification to fraud resolution, we offer superior support for you and your customers during a data breach.”
What is even more interesting about the October 2015 Experian breach is that it was not the first time. T-Mobile was involved in an earlier data breach with Experian in December 2013, when T-Mobile discovered that a breach had occurred with a supplier named Decisioning Solutions but did not publicly disclose it until a month later.
Experian owns Decisioning Solutions. It bought Decisioning Solutions in April 2013.
Businesses play a critical role in the privacy landscape. A few, like Experian, have vastly expanded the amount of personally identifiable consumer data available, and successfully marketed it so that virtually no major transaction or potential purchase or even job application is processed without that data having some effect on the end result.
Sadly, the business world has shown itself to be an untrustworthy minder of people’s personal info, either through negligence or through a lackluster approach to database and network security. Experian has vastly increased the currency of data that is potentially at risk, and it has acquired companies and developed services to help others mitigate that risk, yet it has acted irresponsibly itself.
The Privacy Rights Clearinghouse estimates that nearly 900 million consumer records potentially have been accessed by hackers in almost 5,000 known data breaches since 2005. Many other data breaches, of course, may have gone undetected or unreported.
Companies of all sizes need to step up their game in protecting customers’ information, with companies that profit by trafficking in data being in the first rank.
Encryption, if you will, is the key. They should immediately adopt encryption software that renders their data unintelligible to outsiders.
Encrypting databases would incur costs for companies, true. But better to get out in front of the problem, before lawmakers require them to do so.