Who takes responsibility for security breaches?

Enrique Dans
Dec 27, 2013

The recent data breach involving the theft of user data relating to more than 40 million of Target’s credit and debit cards has once again put the spotlight on a problem that refuses to go away: who is responsible when online information is stolen?

This case is all the more paradigmatic given that the theft relates to cards used in retail outlets, rather than online (Target’s online activities were not affected): all companies, online or otherwise, are vulnerable to such breaches.

No company wants to be attacked in this way, so to what extent should it be held responsible? Is it really possible for companies to avoid data theft, even when the experts say that there is no such thing as total security, or are we simply facing a problem that any moderately successful company can expect to occur?

Faced with a security problem of this type, calculating the cost of the damage is extremely complicated. Card information is rapidly put into circulation, bought and sold all over the place, and the most likely outcome is that you will receive a bill for something you didn’t buy; finding the culprit is near impossible. It’s the same story with passwords: you can, and should, check whether the email addresses you use when registering on web sites have been affected by a recent data theft (Adobe, Stratfor, Gawker, Yahoo!, Vodaphone, Pixel Federation, or Sony) on sites that collect and collate information about affected sites, like this very convenient one, but that isn’t going to stop others from checking sites they might consider “interesting” to see if you use the same password on them, a practice that, sadly, all too many of us indulge in.

Every department in a company will do its best to distance itself as far as possible from these kinds of responsibilities, but what normally happens, at least in the United States, is that the Federal Trade Commission (FTC), which is to all intents and purposes the competent regulatory body, imposes a fine for negligence, which is generally not appealed so as to avoid drawing attention to the matter. More than 40 companies have been fined in recent years for data breaches, but recently a growing number have begun to challenge the fines, arguing not only that the standard practices are vaguely defined, but that the FTC lacks the authority to impose them.

The standards in question are the so-called PCI-DSS, the Payment Card Industry Data Security Standard, which brings together 12 requirements in six categories, drawn up by a committee consisting of the leading card issuers, and which in all honesty is little more than a list of good intentions rather than a set of tools for determining or demanding responsibility. The norms refer only to the information on credit and debit cards, and their validation is carried out by authorized auditors, except in companies that process fewer than 80,000 transactions a year, which can carry out a self-evaluation.

But the PCI-DSS standards no longer mean anything, due partly to their vagueness (what exactly does “develop and maintain secure applications and systems” mean? How secure? Who decides what is sufficiently secure and what isn’t?) and partly because they are so open to interpretation that they can be used by credit card companies to avoid their responsibilities.

In practice, it is as difficult to establish responsibility as it is to establish the damage caused by data theft. What usually happens, even in cases where a client’s information has been used to process fraudulent transactions, is that the financial cost is borne not by the customer but by one of the parties involved in the transaction, which is usually the seller. Class action suits tend to result in symbolic victories whereby the companies agree to pay small amounts in compensation, but this does not cover possible damages resulting from identity theft, impersonation on web-based services, and other offenses that are very difficult to trace. In the case of Target, how much responsibility should the company bear? Do the massive discounts it is offering its customers really address the problem, or the possible damage those customers may suffer?

In many senses, the information that flows through online data networks is subject to a harsh truth: any system containing anything interesting is vulnerable. This puts companies in a paradoxical situation when faced with a possible breach of their systems: they have to show that their security practices were “good enough” to satisfy a series of standards that are poorly defined and open to interpretation, and that what happened to them could have happened to anybody. Aside from being good, they, like Caesar’s wife, must be above suspicion.

In the meantime, we as users can do little more than try to minimize the impact of these types of attacks. This means using strong passwords and not reusing them: easy enough advice to give, but we all know that we are using the internet more and more, making it harder and harder to protect our identities. Using a password manager is not a bad idea, but it comes with some strings attached in terms of usability. For businesses, aside from the obvious suggestion that they do things to the best of their abilities, which is pretty much the equivalent of telling a child to behave itself, there isn’t much else to say.

(In Spanish, here)

Enrique Dans

Professor of Innovation at IE Business School and blogger (in English here and in Spanish at enriquedans.com)