We Need a National Data Breach Registry Like Massachusetts'

Monday, 09 January 2017 01:42 PM

The Massachusetts Office of Consumer Affairs and Business Regulation rang in the New Year with some welcome news about information security, introducing a consumer-facing tool to help in the fight against identity theft.

In making public an online archive of data breach notifications affecting Massachusetts residents from 2007 to 2016, that state may have taken the first step to make America less cyber-insecure. We need a national database, and other consumer-first approaches to the identity theft pandemic.

Currently there is no uniform national approach. Instead, consumers concerned about their exposure to identity theft must traverse a labyrinth of state and federal laws and programs related to data security and breach notification. They range from the newly announced public database in Massachusetts, a promising development, to a host of weaker or non-existent consumer programs coast-to-coast. There continues to be no consumer-centric cybersecurity czar in Washington making sure that best practices and information are generally available — and that different approaches are vetted to compile a living document of best practices.

Given the seriousness of our nation’s cyber-insecurity, this should be a matter for grave concern. Right now, it’s impossible to know just how safe our personally identifiable information is, or when, where, or whether it has been compromised in the past. Given the vast number of companies, agencies, and individuals our information has passed through on the way to this or that convenience or requirement, a general state of alarm is appropriate.

We Need a Big-picture Solution

Passed in 1988 but not effective until 2000, the Schumer Box may point to a workable approach. You see this law every time you open an offer from a credit card company.

The Schumer Box puts all the small type in bold face so consumers know what they are getting into when they are considering a new credit card. It is to credit cards what the nutritional label is to food.

Breach Notification

While I think a national data breach database would be useful, it’s a passive tool. Consumers need to go to it, and perform a search. Making that information available at consumer contact points — sign up or transaction pages — is a better idea.

It’s crucial we develop multiple systems that talk to each other — facilitated by a consumer cybersecurity czar — that provide consumers with the particulars of any reportable breach that has exposed their information. Any such system would have to start with the premise that not all breaches are alike. A breach that exposed credit card information is nowhere near as dangerous as one involving Social Security numbers, or one that details banking data or includes personal health information. So any system would have to have levels of concern or classification of reportable breaches.

As I’ve discussed in previous columns (and will continue to do until a strong national strategy is in place) the creation of a mandated Breach Disclosure Box would be a big step in the right direction away from our nation’s coast-to-coast swamp of identity theft.

As I detail in my book, "Swiped," it comes down to the consumer. You are your best protection against identity theft. The 3 M’s need to be a part of daily life: Minimizing your exposure, monitoring your public records and financial accounts, and managing any damage that occurs from data compromises. Knowing if a company has a record of shoddy data security — think Yahoo — can help consumers make smart choices. To practice good information hygiene, you need good tools.

The Breach Disclosure Box would also force companies to improve their data security programs and put in place a breach-preparedness plan that promotes an urgent, transparent, and empathetic response to any compromise of consumer and employee data.

Here is some of the information such a box might include:

· How many times has this company been breached within the past five years?

· If it has, what kind(s) of information were exposed?

· Does this company encrypt all consumer and employee data?

· Does this company have a breach notification policy?

· What did the company offer affected consumers?

· What type(s) of information are customers obligated, or not obligated, to provide?

· Best practices for avoiding victimization (The 3 M’s)

As President-elect Trump enters the White House, here is a bipartisan issue that goes way beyond Blue State-Red State politics. When it comes to data-related crime, the sad truth is that we occupy a state of confusion.

Adam K. Levin is a consumer advocate with more than 30 years of experience and is a nationally recognized expert on security, privacy, identity theft, fraud, and personal finance. A former Director of the New Jersey Division of Consumer Affairs, Levin is chairman and founder of IDT911 (IDentity Theft 911) and co-founder of Credit.com. Levin is the author of Amazon Best Seller "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves."

© 2019 Newsmax. All rights reserved.
