Of all the reactions thus far to the “jaw-dropping” Marriott hotel-chain data breach, the strongest unsurprisingly came from the U.S. Senate’s leading privacy advocate, Democrat Ron Wyden of Oregon.
“If history is any guide, this megabreach will be like the others that came before it—the company will apologize, proclaim that it values its customers’ privacy, and then offer useless credit monitoring to the millions of Americans impacted by this years-long breach,” he said in an email to Gizmodo.
Marriott, in an SEC statement disclosed on Friday, said that the personal information of “up to approximately 500 million guests” may have been accessed by intruders of its Starwood reservation system. Of those records, roughly 65 percent contained addresses, dates of birth, passport numbers, and more. Worse still, Marriott indicated that it may have stored the private keys needed to decrypt payment card information alongside the information itself in an unencrypted format—which, if true, constitutes a major lapse in accepted key management procedures.
“Clearly the current status quo isn’t working—the Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans’ private information,” said Wyden, adding: “Until companies like Marriott feel the threat of multi-billion dollar fines, and jail-time for their senior executives, these companies won’t take privacy seriously.”
Early this month, Wyden released draft legislation, dubbed the Consumer Data Protection Act, which would impose fines of up to $5 million on executives of companies with annual revenue of $1 billion or greater. Executives found to have intentionally misled the FTC could face up to 20 years in prison under Wyden’s legislation, which has not yet been formally introduced.
Jailing executives for failing to prevent so-called “megabreaches,” particularly when negligence is determined the leading cause, is not a new idea. But it is one that few lawmakers have jumped behind.
Senator Ed Markey, the Massachusetts Democrat who pressed the FTC to develop new security rules for data brokers in the wake the Equifax breach, agrees with Wyden that it may be time to consider jail as punishment for executives in the wake of data breaches arising from incompetence, his spokesperson told Gizmodo.
In a statement, Markey said Americans “deserve real action,” calling the breaches like the one at Marriott, “a black cloud hanging over the United States’ bright economic horizon.”
“It’s time for Congress to pass comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to only collect the data they actually need to service their customer, and creates penalties for companies that fail to meet them,” he added.
Following Equifax, Exactis, and the myriad Facebook scandals involving wholesale heists of Americans’ private data, Congress fumbled at every pass to push through legislation that might deter sensitive data exposures born of corporate malfeasance. Privacy remains, at least in Washington, primarily a spring-time issue, as the November midterms illustrated, with only a smattering of candidates willing to dedicate any real time talking about privacy with an election in the balance.
Not all of Wyden’s colleagues favor pushing jail-time as a solution, however. Virginia Democrat Senator Mark Warner, for example, believes the answers lie instead in “major” and “costly” penalties for corporations, said a senior aide. Warner himself on Friday acknowledged that major breaches seem to occur nearly “every other day,” and he warned against accepting this as “the new normal.”
“We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need,” he said in a statement. “And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”
The notion that we should jail executives for data containment failures is, according to Mark Testoni, chief executive at SAP National Security Services, “a little strong.” What’s sorely needed is a public debate, he said, similar to that which took place in Europe before enacting the General Data Protection Regulation (GDPR).
“A few years ago, this event would have been top banner—today it’s below the fold and not loudly covered on video media,” he added, noting that the public is apparently “becoming de-sensitized to these attacks.”
Whatever role financial and potential criminal penalties might play in shoring up corporate data security, the first step in solving the problem of “mega-breaches” may lie in more thoroughly educating both the public and the companies hosting their data. This is a solution, or at least part of one, that Testoni is first to acknowledge has its limits. He recalls, for example, public awareness campaigns in the 1970s aimed at stemming auto fatalities in the U.S. “Despite quantum progress since then, 30,000 people a year still die on the road, and we are desensitized to this—unless it strikes close to home,” he said.
“It’s important to remember that public education on the topic remains important,” he added. “Our behaviors as individuals and employees are often central to vulnerabilities. Much like awareness for auto safety, it’s a process, not an event, and we’ll improve but are unlikely to perfect.”