By Dennis Herrera
[Originally published in the San Francisco Chronicle, May 24, 2018]
Online data theft has become an unsettling reality of modern life. From the 500 million accounts hacked at Yahoo to the 148 million Americans victimized by Equifax, internet pirates are bent on plunder — and too many U.S. businesses are unwilling to mount a vigorous defense. The Republican-controlled Congress has talked tough but has done basically nothing to stop the assault.
While there has been a recent international focus on data privacy — and rightly so — in the wake of a political firm acquiring private data on millions of Facebook users, we also need to address data security. And, once again, California must step up to protect its residents.
In San Francisco, I have filed a lawsuit on behalf of the people of the entire state against Equifax for its lax security safeguards and failure to promptly inform the public of the breach. In Sacramento, state Sen. Bill Dodd, D-Napa, has introduced SB1121 to add teeth to California’s existing data breach statute and nudge businesses to erect better barriers to online piracy.
There is much work to do. In 2017, the United States saw more online data breaches than during any period in history, as hackers hit nearly 1,300 companies and stole more than 179 million consumer records — sensitive financial data, credit card numbers, you name it. This year is already off to an ominous start. Among the businesses recently hit by online piracy: FedEx, Orbitz, Under Armour and Saks Fifth Avenue.
The peak of the pillage was reported in September, when we learned that hackers had infiltrated Equifax — one of the nation’s three giant credit-reporting agencies — and made off with the crown jewels of identity theft: Social Security numbers, driver’s license data and other private records of 148 million Americans — the vast majority of the working adults in the country.
Equifax did everything wrong.
Before the data breach, the company failed to act on a warning from the Department of Homeland Security, which advised it to patch online holes (firms that heeded the warning suffered no incursions). Equifax then waited six weeks to alert the public while three top executives sold stock worth nearly $2 million. Later, the CEO resigned with a $15 million compensation package. Adding insult to injury, the company tried to slyly entice hacking victims to sign away their legal rights in exchange for a free credit-monitoring service.
Critics called the Equifax scandal the equivalent of the 2001 implosion of bad-boy energy giant Enron. In Washington, lawmakers vowed to erect better consumer safeguards, but the fiery talk has failed to yield forceful action. Meanwhile, President Trump’s top financial watchdog, Mick Mulvaney at the Consumer Financial Protection Bureau, is dragging his feet on taking action to hold Equifax accountable.
As Washington fiddles, California is stepping up to protect us from data pirates.
If I and other city attorneys, district attorneys and attorneys general around the nation prevail in court, it would send a message to corporations: boost security and plug those database holes, or be held to account.
Dodd’s bill adds penalties if a business fails to promptly notify consumers of a data breach, and holds negligent companies accountable for the harm they cause. Data-theft victims would have up to four years to seek civil damages of between $200 and $1,000 each (roughly the equivalent of five years of online identity theft protection).
The larger the breach, the greater the penalty. That will provide substantial motivation to companies that might otherwise be inclined to consider data breaches an acceptable cost of doing business. A repeat of the Equifax debacle, for example, would leave the company facing penalties of up to $15 billion for the 15 million Californians whose data was compromised.
So far, Big Business is putting up resistance to Dodd’s bill. That’s because it will compel firms to finally protect consumer data rather than treating it as a disposable commodity. The California Chamber of Commerce labels the bill a “job killer” that will bankrupt companies. But the price of protection against online piracy is a fraction of the cost companies absorb in bad PR and lost revenue after a huge data breach.
In short, better data security equals better business and better protection for consumers. Who can argue against that?