110 million Americans had their personal financial information breached at Target. That 's one out of two adult Americans.
I was in Sacramento recently to testify in front of a joint California Assembly committees investigating the breach. Remarkably, Target refused to send a single representative to Sacramento to answer questions about the largest data breach in American history.
The fact that Target didn't show up to face legislators tells us all we need to know about how sorry Target is and how committed it is to our privacy.
Target is targeting our privacy. There's a big red bullseye, a target -- like the one on the T-shirt I wore as I testified -- that retailers like Target have put on us because they haven't done enough to protect our private financial data. And the reason is that there's no financial incentive to do so.
The reason Target won't face legislative questions is the same reason that our personal financial information and data is at such grave risk: there is no price to pay. There are few financial penalties to companies like Target when our personal data is taken.
Beyond public embarrassment, Target has little financial incentive to care.
Consumer, pay the consequences but we have no remedies.
According to the Committees' own staff research, 1 in 4 consumers whose personal information that is taken becomes a victim of identity theft. One in 4 victims of a data breach is also a victim of identity theft. If these numbers apply to Target, that would potentially create more than 25 million identity theft victims.
There's a harm. The retailers had a role in creating that harm. And yet they have no liability under California law or most state law for what they have or have not done to safeguard the sanctity of our personal information.
The problem with privacy violations is that unlike thefts of money or property the law does not recognize a harm and does not provide a remedy.
As the Committees' staff research states: consumers have no remedy under the law for the loss of financial privacy suffered through these data breaches, and the 1 in 4 risk of ID theft they face. Zero remedies.
So why would retailers invest in greater security, or meet voluntary industry standards, or move away from risky magnetic strip technology?
If they don't have to pay a price they don't have an incentive to change. And that leaves our private financial information with a big bullseye on it.
What can we do?
We need a California and United States financial information act that mirrors our Medical Information Privacy Act.
When there is a data breach of our medical information in California and most other states, the drug company, hospital or medical center is liable to the consumer for $1,000 per violation.
Guess what? Medical data breaches are fewer and farther between. When they occur, companies pay a big price.
The same should be true for our financial data. We need a Financial Information Privacy Act.
Change notification standards to be immediate.
Write minimum-security standards into the law so that they are no longer voluntary.
Set limits on the time data can be retained. And limits on what information can be collected and retained
Most importantly: create a private right of action. Put a price tag on retailers' mistreatment of our private financial information.
Until there is a price to pay, Target and other retailers will continue to make us targets.If you are as offended as I am by Target's absence today in Sacramento, please share our Target design online to show your displeasure.
When a company as big as Target won't provide a single representative to answer questions about the largest data breach in American history, it is time for legislatures to step up and deliver on the promise in Article 1 Section 1 of our state constitution: Privacy is an inalienable right.