US government investigating holding providers liable for data breaches
posted Sunday Mar 5, 2023 by Scott Ertz
One thing we seem unable to avoid in the modern world is the failure of data security. Every time we turn around, another major company has been hit with a data breach, a malware attack, or even a DDoS attack. And every time, no one is held responsible except the consumer, who then has to do a lot of personal work to mitigate the fallout. Now, the US government is looking to hold the providers accountable instead of passing the responsibility on to you.
What is the problem with data security?
Creating a secure software platform is complicated. It requires a lot of thought, planning, and infrastructure to ensure that customer data is kept safe. However, most major companies have little to no incentive to spend the extra time and resources needed to do things right. The result is breached security and stolen data.
So, every time a company is hit with one of these breaches, we hear the same thing:
We don't know how it happened, but we're working diligently to find and correct the source of the problem. We believe that customer data was not affected, but we're offering a free year of identity theft monitoring in case we're wrong.
But when they say they're looking to fix the problem, they only mean the specific instance of incompetence that caused THIS breach. They're not looking to solve the problems within their corporate culture that allowed it to happen in the first place. This is why LastPass and T-Mobile have suffered repeated breaches of their data - they simply don't have the incentive to care.
How to fix the problem
The Biden Administration believes the way to solve the problem is to force providers to take on responsibility for the aftermath of a breach. By placing the blame, and therefore the liability, on the companies whose security is breached, it hopes to force those companies to step back and start thinking about proper security measures instead of the easily hacked or re-routable nonsense they rely on today.
The government's National Cybersecurity Strategy document has been updated to include this statement:
The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem. Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors' choices can have a significant impact on our national cybersecurity.
Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector's risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation. New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.
This document itself has no legal teeth. However, it does direct agencies and lawmakers to look into the problem and work towards a solution, and it suggests possible outcomes. The most realistic outcome is to hold companies legally and financially liable for attacks that breach their security, especially when customer data is involved. This should cover both consumer and business data, as neither of these actors is in the best position to protect the data held in the provider's systems.
If you are giving your information to someone, you should have a reasonable expectation of privacy and security. The past few years have proven just the opposite - no one can be trusted to protect you and your privacy. This is exactly where the government is supposed to come in - to manage relationships between two entities in which one can substantially harm the other.