- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Another day, another data breach. At this point, we all know how this will unfold. The markets have taken their five percent chunk out of Equifax. Everyone will get another year of credit monitoring. People will be fired. New people will be hired. Equifax's security budget will double. Lawsuits will be settled. Equifax isn’t going out of business, though maybe it should.
The decades-long belief that disclosure alone will get the markets to fix the problem clearly hasn’t worked. A stronger, tougher, national breach notification requirement like the one in Europe won’t make the market value security. Significant and certain financial costs could get the markets to take data breaches seriously. Raising the financial costs of losing personal records from the current average of $158 per year to a fixed fine (paid to the individual victim) of say $1,000 would be a good start.
Let’s dispense with the class action lawsuits (anyone who has checked with Equifax to see if their data was lost may have already waived their right to sue). Setting a high dollar figure per record and making that payment a certainty will make companies think twice before asking for this data (do you really need my Social Security Number to provide me with cable service?) and twice more before storing it.
If Equifax knew with certainty that the consequences of a data loss were going to cost them $1000 per compromised record, this incident might never have happened. While regulators can’t show up with clip boards and make companies more secure, significant financial penalties would start to get market forces working in favor of security.
But the real goal of public policy should not be to punish companies by forcing them out of business after a breach; it should be to create the proper incentives to prevent the data loss in the first place.
Even with high fines, many companies might choose to roll the dice and simply accept the risk that in the event of a data breach, they will go out of business. Legal shenanigans would inevitably ensue to create holding companies so that no assets are put at risk.
To avoid that outcome, U.S. policymakers should steal a play from environmental policy and require companies to carry insurance to cover the full societal costs of the loss.
If oil tankers want to operate in U.S. waters, they are required to have a “certificate of financial responsibility” issued by the U.S. Coast Guard National Pollution Funds Center. The certificate shows that the vessel carries the necessary insurance to cover the full loss of cleanup should the oil be lost.
These are massive and mandatory multi-billion dollar policies. And because insurers don’t want to pay them out, the maritime industry has developed rules and requirements for transporting oil like double-hulled ships that have made spills like the Exxon Valdez a thing of the past.
Applying this concept to cybersecurity, Congress should establish by law a process to set the societal cost for the loss of personal records by a company as well as a requirement that companies prove they have the insurance to pay out that cost in the event of a total loss. By doing so, Congress would give industry the necessary incentive to invest in security and for insurance companies to be able to measure the risk reduction.
If such a regime were in place, many companies might conclude that the business of buying and selling personal data is not such a great way to make money. That would be a good thing.
The services that Equifax provides are valuable. If it can’t figure out how to provide those services securely and prove it to an insurance company, another company would. Preventing a data breach like this is not impossible. There are companies that have been actively and successfully managing far more sophisticated threats for years. But it’s not cheap, and it’s not easy. It requires embedding security into the core of the business, what Equifax should have been doing from the start. A regime that increases the costs of a data loss and requires companies to prove they can pay it out would do what no amount of bad press has ever been able to do: make the boardroom value security.