The storm of consumer-focused data breaches started off as intermittent downpours -- Choicepoint, TJ Maxx, SONY, LinkedIn, Twitter, Adobe Systems -- and is now a torrent: Target, Neiman Marcus, Kickstarter, White Lodging, the Sands Casino, and now everyone who's attended or worked at the University of Maryland since 1998. In each case, hackers weren't after the company's intellectual property or trade secrets: they were after your information, because it's the key to your money.
In fact, though it's been widely reported that the Target breach cost $240 million so far, that amount doesn't take into account the fraudulent charges individuals had to fight and is itself split among the many financial institutions whose customers were affected by the breach. Meanwhile, Target said in January that it expected to lose only 2-6 percent of sales over last year, and only in the first quarter.
That is why these breaches are just going to keep happening: in the absence of laws or regulations forcing all companies to protect your data (and your money) better, companies simply aren't going to lose enough money in a data breach to "justify" the costs of better security.
Meanwhile, all of us will end up paying more to offset the costs of these breaches, in terms of higher account fees, lower service levels and the like. But better laws requiring companies to protect the customer data they use, collect and store do not appear to be coming your way any time soon.
Deep in the midst of this current and ongoing cyberinsecurity epidemic, the White House issued its long-awaited "guidelines" for cybersecurity and critical infrastructure last week. In the document, its authors wrote:
Similar to financial and reputational risk, cyber security risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers.
Why might a document laying out guidelines and best practices have to remind its readers and target audience that there are serious costs to bad cybersecurity practices? Because the guidelines have no force of law and no incentives to encourage companies to comply -- and the Administration says it has no plans to track if or how anyone even bothers to comply with the framework, anyway.
It's not like these companies don't know what best data security practices are - reports indicate that at least one Target employee raised alarms before Black Friday last year -- and it's not like there aren't a plethora of other companies who would help them if they don't have the internal resources. But updating systems, doing regular information security checks and focusing on employee training can be time-consuming and expensive.
But when the costs of any one data breach are shared by so many companies and individuals, the cost of rigorous data security to any one company might well be more than what it stands to lose in a given breach. We see this with the slow roll-out of more secure chip-and-pin cards, which are broadly used elsewhere in the world but won't be widely available in the U.S. until after 2015: it's an (increasingly) expensive system to implement, and no one entity pays enough because of the fraud the old system encourages to bother going first.
Cybersecurity is fast becoming a classic market failure: the costs of protection thus far outweigh the potential costs of a breach. But unlike most other classic examples of market failures -- education and environmental protection, to name two -- the government seemingly has no appetite to step in and resolve the market problem with laws, regulations or even tax incentives. Instead, they're stuck reminding companies how costly a breach could eventually be.
So the next time you hear about a data breach -- and with recent history as a guide, that'll be fairly soon -- and you wonder why this keeps happening, just remember that it all comes down to money: yours (that the criminals want), and the cold hard cash that some corporations and institutions haven't spent to keep your information secure.