How the US Government Can Reduce the Number of Breaches
In a free market, supply and demand should ideally self-regulate, maximizing value. The market (often in the form of consumers) responds to negative corporate events such as faulty products or warranty issues by refusing to purchase from those responsible, reducing the profits and overall financial outlook for that company. It is entirely reasonable to assume that security breaches would have a similar negative effect on companies, as consumers who no longer feel their financial information is safe with the company would take their business elsewhere. However, over the past several months, several egregious security compromises have seemingly led to very little financial harm to the breached organizations.
The Reaction of Markets to Security Problems
Target Corporation (TGT) suffered one of the largest recent breaches during the 2013 Holiday season, where over 40 million personal information records were compromised by attackers. When Target announced this breach, the stock price for the company sat at $60.01. In the days following the announcement, the stock price continued to rise slightly, eventually taking a dip in mid-January, which Target was quick to blame on unseasonably cold weather. Indeed, as the year progressed, Target’s stock eventually bounced back, showing a 28.56% gain since the breach was revealed as of this writing.
Outside of the retail sector, a similar lack of concern for security issues is reflected in stock values. For example, RSA is a security company which was found to intentionally build vulnerabilities into its software after accepting $10 million dollars from the NSA, who planned to use the vulnerability as a “backdoor” to gain access to confidential information. Such a revelation should be damaging to a company whose reputation is built on securing the data of its customers, and yet the stock prices show a distinct lack of concern. In the nearly a year since the revelation of RSA’s collusion with the NSA, the parent company of RSA, EMC, has seen its stock rise 20.16%, clearly indicating that the news did very little to damage EMC’s reputation as a whole.
Most recently, Sony was the victim of an incredibly large breach at the hands of North Korea. While unprecedented amounts of information were made public, and the breach itself made headlines for weeks, the price of Sony’s stock held largely steady around $21.00 per share, even initially moving up. While the price has yet to rebound in the same ways EMC and Target did, it seems to be only a matter of time before such a gain occurs.
The market clearly does not react to security issues with any degree of severity. For companies affected, these incidents seem to do very little to change how the market views their fiscal outlook. The stock market seems to give very little indication of any actual negative reaction to this kind of news, and company profits continue largely unabated.
The Reaction of Consumers to Security Problems
Which of these companies has better security?
From a consumer standpoint, information security is completely invisible. Consumers see very little information from these companies regarding their security postures, and therefore rarely (if ever) choose companies to work with based on security data. If forced to choose a company purely from a security perspective, most consumers would have little idea where to begin.
Security issues should be even more important for consumers, due to how companies are gathering more information than ever before. Loyalty programs, rewards cards, and such are used to not only keep consumers returning to a particular company, but also to track their spending habits, locations, and more. The data derived from these programs is mostly used by the companies for targeted marketing efforts, but attackers could potentially use this information for malicious purposes as well. Even if a consumer is conscious of the potential risk the collection of this information creates, the only other option is to not work with these companies, which is often not an option at all. Due to these complications, consumers often develop a false sense of security or remain indifferent to the issue of security as a whole.
With this effective consumer indifference, it should come as no surprise that the stock market places very little value in security as well. Similarly, in seeing no negative repercussions for not making security information readily available, companies are further encouraged to treat security as a non-competitive advantage and invest as little in it as possible within current traditional regulations.
Current studies, such as the PwC Global State of Information Security Survey for 2015, reveal that companies are placing even less of a priority on information security, reducing their security spend by (INSERT PERCENTAGE). Despite the wave of negative publicity resulting from security breaches, companies clearly feel that the long-term impact of security issues will be negligible.
Using of Externalities to Improve Security
In economics, an externality is the cost or benefit that affects a party who did not choose to incur that cost or benefit. Externalities can take two forms, positive (benefit) and negative (cost). Security breaches are a negative externality acting on consumers, who do not choose to have their information stolen when doing business. As shown, though, consumers (and subsequently, stock values) don’t act on the costs incurred from this negative externality, for a variety of reasons. Though consumers express concern over security, the widespread nature of consumer information and the lack of information make consumer actions hard, if not impossible.
The Federal Government has been using externalities to influence behavior for decades, by either providing a subsidy or tax when the free market is not able to regulate itself. For example, the government has providing incentives (subsidies) to organizations to use or produce cleaner products, while also taxing products that are known to be bad for the environment (higher taxes on fuel inefficient vehicles).
With the Target breach, the government is increasing its involvement in security issues, with Congress demanding Target increase security and be subject to stiff penalties. In the past, Congress has focused on the reactive consequences of a data breach, relying on the Federal Trade Commission (FTC) for punishment. Ideally, the FTC would enforce fines, affecting Target’s profits. Clearly, the markets are not worried about these penalties, and with good reason. A similar breach of TJX, the parent company of TJ Maxx, resulted in the FTC demanding TJX set up a security program (which they should have already in place) and submit to regular audits of the program (which, again, should already be a practice at TJX).
Since the current minimal FTC externality is clearly not causing companies to strengthen their security, perhaps the time has come for the government to more firmly step in and create a negative externality strong enough to force companies to act. The government could create a tax on organizations for failing to implement a security program, which it could monitor using organizational disclosures to an automated web portal. Organizations would submit a questionnaire to the portal, and an oversight board could use the responses to determine if an on-site audit is needed. Random audits would also be needed to ensure that companies are providing accurate responses.
With the tax revenue generated from the penalties leveraged against non-compliant companies, the government could setup an exchange for approved private companies to perform security-related services for non-compliant companies. The exchange would be vetted by industry experts and companies, and inclusion in the exchange would be based on standards such as a minimum of years in business, known errors and omissions, minimum number of employees and so on.
At first, this may seem to be just more federal regulation, but it should be viewed more as a replacement for specific security laws that are either outdated, or no longer needed. For example, several areas of the 2002 Sarbanes-Oxley Act (also known as SOX) were initially intended to work to improve the security of companies while addressing the fraud issues brought to light by the Enron scandal. While the fraud-preventing effects of SOX are still somewhat debated, the security impact is clearly minimal. A quick examination of the largest breaches since 2002 (using the infographic found here) reveals that the number of breaches and records stolen is increasing, not improving, even among companies that are SOX compliant. The costs of this new security program could be largely covered by removing the security sections of SOX and refocusing the funds and effort towards this new, more effective approach.
The Need for Action
The above proposal is just one method the government could use to exert pressure on companies to increase their security. While the final plan may differ from this proposal, it is clear at this point that something must be done. Data breaches are a growing issue, and consumer information is being accessed by criminals on a regular basis.
The worst effects of the security breaches have yet to come to fruition. The April 23, 2014 hacking of the AP’s Twitter account showed how susceptible markets are to misinformation. Once attackers realize the power they have to manipulate the stock values of corporations, through artificially inflating or deflating the actual profits of retailers, the ensuing chaos will be hard to contain. While most hackers currently focus on selling stolen information, these type of attacks could prove to be much more lucrative, and much more damaging. The resulting loss of confidence in the stock markets would be catastrophic for the worldwide economy, and a source of profits for the attackers. Should the Federal Government not step in now, it most certainly will when these attacks occur.