There were a lot of developments in the world of data security last week with a judge agreeing to consolidate lawsuits related to the Target data breach in a Minnesota court, more hearings in Washington, D.C. and troubling research about consumers sharing personal data on public Wi-Fi.
Target won a victory of sorts in its ongoing data breach nightmare when the U.S. Judicial Panel on Multidistrict Litigation ordered that multiple lawsuits accusing Target of failing to protect customers from a data breach will be consolidated in the retailer's home state of Minnesota. According to a Reuters report, the ruling brings together 33 lawsuits across 18 districts before U.S. District Judge Paul Magnuson in Minnesota. Centralizing the cases in Target’s home state will eliminate duplicative discovery, prevent inconsistent pre-trial rulings, and conserve the resources of the parties and the judiciary, according to a court order.
While Target’s life was being simplified somewhat, there were more hearings in Washington, D.C. regarding what to do about data security in an increasingly digital world. Elizabeth Ramirez, chairwoman of the Federal Trade Commission, in testimony before the Senate Committee on Homeland Security and Governmental Affairs, called for new legislation related to data security.
“Consumers’ data is at risk,” she said in written testimony. “Recent publicly announced data breaches remind us that hackers and others seek to exploit vulnerabilities, obtain unauthorized access to consumers’ sensitive information, and potentially misuse it in ways that can cause serious harm to consumers as well as businesses.”
From the FTC’s perspective, companies are not doing all they should to protect consumers and in some cases are offering unfounded assurances regarding the security of personal information. The FTC has settled more than 50 such cases alleging that companies took inadequate measures to protect consumer data, according to Ramirez. In addition, she highlighted recent settlements with Fandango and Credit Karma as part of the Commission’s effort to encourage companies to adopt security in the design of their products.
In calling for legislation, the Commission recommended Congress strengthen its existing authority governing data security tools, and that it require companies in appropriate circumstances to notify consumers affected by a data breach. Specifically, testimony by Ramirez called for authority to seek civil penalties to help deter unlawful conduct, rulemaking authority under the Administrative Procedures Act, and jurisdiction over non-profit entities, which are not currently subject to FTC oversight.
Calls for national legislation drew the support of the Retail Industry Leaders Association (RILA) and its president, Sandy Kennedy, who also testified.
“Retailers take cyber threats very seriously, investing tremendous resources in talent and technology to defend against them, and they also understand that defense against these attacks must be an ongoing effort, evolving to address the changing nature of the threat,” Kennedy said. “To that end, in January, RILA launched a comprehensive Cybersecurity and Data Privacy Initiative. The initiative is designed to enhance the industry’s existing cybersecurity and privacy efforts, inform the public dialogue, and build and maintain consumer trust.”
To improve upon current processes, Kennedy urged Congress to take action on federal data breach notification legislation that is practical, proportional and sets a single national standard that replaces the patchwork of state laws in place today.
“A federal law that preempts the patchwork of state laws in place today will help ensure that customers receive timely notification and actionable information following a breach,” Kennedy said.
As regulators and retailers were testifying about what government and industry can do to protect consumers, a troubling new study was released showing consumers aren’t doing much to protect themselves. For example, 39% of 2,037 adults who participated in a survey conducted by Harris Poll on behalf of a group called Private WiFi said they had accessed sensitive personal information when using public WiFi. Roughly 26% said they had accessed a bank account, 19% paid a bill and 8% said they sent an email with information such as a Social Security or account number.
The survey findings were self-serving, as Private WiFi is in the business of selling VPN (virtual private network) services, but the message was clear.
"The public needs to know just how easy it is for hackers to steal their private and sensitive information out of thin air. VPN technology can protect them, and it's an easy, affordable solution," said Kent Lawson, CEO of Private WiFi. "But they shouldn't wait until after their identity has been stolen to seek protection. They should do so pre-emptively to avoid the inherent threats of being put in a compromising position - such as identity theft - that could happen when they use a free WiFi hotspot."