Companies Slow To Alert About Data Breaches
Rumors of a data breach at a major New York bank started circulating more than a week ago in cyber-security circles. So for insiders, news that JPMorgan Chase had been victimized was more confirmation than revelation, just the latest headline from a digital crime wave that shows no sign of ebbing.
But for the millions of customers of JPMorgan Chase, the news reports that began appearing Wednesday were the first indication that their personal information might have been stolen by hackers. Like Target, Neiman Marcus and countless other companies, the nation’s largest bank chose to keep evidence of a cyber-crime private until journalists forced the issue.
This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.
The result is that days, weeks or longer can pass between when a company learns of a cyber-crime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties — such as a credit card company — that the risk of fraud or identity theft is elevated.
“There have been so many breaches where companies have held information for so long that more disclosure would force companies to do a better job being accountable to consumers,” said Ed Mierzwinski, consumer program director at U.S. Public Interest Research Group. “It’s a real pain in the neck to clear your name. … You have to spend time — a lot of time — clearing your name. And you don’t get paid for that.”
The seriousness of the JPMorgan Chase breach, which involves at least one other bank as well, remains uncertain, though some reports said account data may have been compromised for some customers.
Bloomberg News first reported the intrusion Wednesday afternoon, saying that the FBI was investigating the possibility that Russian hackers had launched an attack in retaliation for U.S. sanctions prompted by Russia’s actions in Ukraine. Other investigators have expressed skepticism about that possibility but not ruled it out.
JPMorgan Chase posted a notice on its website saying, “The security of your Chase accounts is one of our highest priorities,” with general tips on how to protect personal banking security. But it didn’t directly address the numerous news reports of a data breach, nor did it offer details about what happened and who might be affected.
A representative for JPMorgan Chase said it will notify consumers if it determines they have been impacted but declined to say when or how. JPMorgan Chase also declined to comment on when it first learned of the data breach.
The interests of consumers and authorities sometimes diverge, said Neil MacBride, former U.S. Attorney for the Eastern District of Virginia and now a partner at Davis, Polk & Wardwell. “Consumers want immediate notification from the breached company while law enforcement may want several days or weeks to investigate a crime scene before hackers are tipped off that the cops are on their tail.”
Notification is a notoriously cumbersome and costly process for companies that have data breaches. Forty-seven states and the District of Columbia have laws governing such disclosures, and a company with a nationwide customer base may have to comply with them all.
There also are notification requirements specific to banks under federal law. Publicly traded companies must report “material breaches” from cyber-crime in disclosures to investors. And the Federal Trade Commission investigates some corporate data breaches, especially when there is evidence that security measures were not up to industry standards.
The result is a mish-mash of rules and regulations that, in practice, force companies to disclose data breaches but rarely require them to do so quickly. New York’s data breach law, for example, requires disclosure “in the most expedient time possible and without unreasonable delay,” but allows for delay to accommodate “the legitimate needs of law enforcement” during an ongoing investigation.
The work involved in notification — and the public relations price for companies that have failed to keep their customers’ data safe — was a top goal of those who pushed for state notification laws. They wanted to raise the cost of data breaches in order to provide companies with incentive to implement better security practices.
“It wasn’t about providing a lot of notice to consumers. It was about seeking some visibility about lax security procedures,” said Deirdre Mulligan, a professor at the University of California, Berkeley School of Information who helped craft California’s data breach law, which when it passed in 2002 was the nation’s first.
But 12 years later, as the incidents continue to pile up, some experts say the time has come to revisit the subject — with the goal of prioritizing the interests of the consumers who are affected.
“We’ve got this kind of patchwork, but given the frequency and visibility of these breaches, we ought to have a much more rigorous conversation in this country about data security policy,” said Woodrow Hartzog, a Samford University law professor who specializes in privacy and security.
Until then, companies typically are free to take the initiative of notifying their customers quickly. EMC Corp.’s RSA Security division, which makes security tokens for computer networks, publicly disclosed it had suffered a breach in March 2011. Its chairman, Art Coviello, posted an urgent message on its website acknowledging the intrusion by what Coviello described as an “advanced persistent threat.” Intelligence officials later said they traced it to China.
“This was an extremely unusual event where the corporation very quickly identified the breach and disclosed it,” said Michael Brown, then a senior cybersecurity official at the Department of Homeland Security and now a vice president and general manager at RSA. “And we on the government side were very impressed.”
The company’s action, he said, enabled the alerting of its customers in the private sector and in government about ways to detect if they were vulnerable and to protect themselves. “There’s nothing worse,” he said, “than having an environment where potentially something’s going to come out and not having relayed coherent information to the customers.”