Is the Congressional Response to the Target Breach Off-Target?

In the aftermath of the Target breach announced last month, there has been understandable anxiety on the part of consumers and understandable concern by lawmakers about how to respond to large-scale breaches of this type.

In recent weeks, there have been calls by members of Congress for hearings on the Hill. Several Senators have demanded an investigation by the Federal Trade Commission (FTC) and have discussed legislation beefing up the FTC’s enforcement powers—although as I’ve written here previously, the FTC has not exactly needed an engraved invitation to investigate data breaches in recent years and does not seem to have been inhibited at all by the lack of clear (some might say any) authority to do so. And just this week, Sen. Patrick Leahy (D-VT) reintroduced the Personal Data Privacy and Security Act, which among other things would create a national breach notification standard.

The congressional focus on consumer protection is certainly laudable. In particular, I worked on previous iterations of Sen. Leahy’s bill when I oversaw the Justice Department’s (DOJ) computer crime section, and it’s an important piece of legislation. A national breach notification standard would make compliance easier for companies experiencing data breaches, which now must navigate a patchwork of breach notification laws in 46 states and several U.S. territories. The only people who benefit from this complicated regulatory landscape are lawyers, like me, who advise companies on breach notification. Simplifying these rules may not be good for lawyers, but it will be good for their clients.

But if the congressional response focuses entirely on breach notification and on strengthening the hand of the FTC, then Congress will be, well, off-target. Because it’s not enough to improve our ability to clean up the mess after a breach occurs—we also need to focus on doing more at the front end to identify and punish hackers and to stop stolen data from ever being used.

Imagine if, within hours of discovering the attack, Target brought in computer forensics experts who were able to trace the stolen card data back to a server where the hackers were storing it, find that stolen data and delete it, encrypt it or otherwise render it unusable by the thieves. How many millions of dollars in fraudulent transactions could be prevented? And that’s not to mention the evidence identifying the bad guys that could immediately be turned over to law enforcement for further investigation and eventual prosecution. Isn’t that course of action—preventing the bad guys from profiting from their crimes and helping law enforcement take action to identify and punish them—smarter and cheaper than just focusing on the legal and financial fallout after the stolen data has been used?

So why isn’t this happening right now?

Because the Justice Department’s view is that the Computer Fraud and Abuse Act (CFAA)—the statute used to prosecute hackers—technically could be violated if a company were to take the kind of steps I just described. DOJ also believes that allowing these kinds of measures by victim companies—sometimes called “active defense” but often derisively referred to as “hacking back”—is bad policy, because companies could end up damaging computers owned by innocent third parties that have been taken over by the hackers and used to facilitate their crimes. I used to share that view when I was at DOJ, but my views have changed considerably—I guess you could say this is preaching by the converted.

The reality is that cybercrime is not a problem that law enforcement can solve on its own. While at DOJ, during a 2011 hearing on cybersecurity, I told a Senate Judiciary subcommittee that the scope of the cybercrime problem far outpaced the resources available to pursue it. That was certainly true back in 2011, but it is even more so today, after years of hiring freezes, the sequester and an extremely challenging budget environment.

But even if DOJ’s budget for cybercrime were doubled tomorrow, that still would not be the solution, because law enforcement cannot investigate and prosecute its way out of this problem. Instead, we need to rely on the combined resources and capabilities of the government and the private sector. As one of my colleagues likes to say, the government has clear authority to go after hackers but not enough resources, while the private sector has the resources but lacks clear authority.

So how can Congress help address this problem?

There is a disagreement among commentators about whether the kind of measures I described above do indeed violate the CFAA as currently written. That debate is a topic for another time. But Congress can resolve the issue by amending the CFAA to clarify the authority of companies to take measures to trace and recover or disable their stolen data, without fear of criminal exposure. This can be done in a reasonable, responsible way, in coordination with law enforcement. Should companies be subject to civil liability if, in the course of taking these actions, they cause damage to an innocent third party’s computer (a computer that, by the way, is already under the control of hackers)? Maybe, maybe not. But should they be guilty of a crime? Absolutely not.

There can certainly be debate among reasonable people about the precise types of active defense measures that companies should be permitted to take, and about how coordination with law enforcement should work both legally and practically, but we need to have that debate. And we need Congress, informed by that debate, to make clear that some sort of active defense is permissible, so innocent victim companies can take appropriate action without worrying that they will be treated as criminals.

There is no one silver bullet for the problem of data breaches and other cyber-attacks. We need strong, well-resourced law enforcement. We need good consumer protection measures. We need companies to adopt sensible cybersecurity measures. But we also need companies to be able to take reasonable actions to track down and delete or disable their stolen data—whether we’re talking about 40 million credit and debit card numbers or a company’s trade secrets or other intellectual property—before the hackers can do further harm. And we need to use the information developed along the way to help law enforcement punish those hackers and deter others.

One other aspect of the early reaction to the Target breach is noteworthy, and frankly a bit troubling. The focus on breach notification and FTC authorities, and the tenor of some of the public comments made by folks on the Hill, seem to reflect an assumption that the breach is Target’s fault. Target is being treated as if it’s guilty until proven innocent or, I should say, “negligent until proven reasonable.” That’s simply unfair.

Just because a company is hacked doesn’t mean it did anything wrong. A company can have the best cybersecurity in the world and still get hacked. Often, companies that are the victims of cyber-attacks are just that—victims.

Class-action lawyers may be ready to blame the victim here, but the rest of us should withhold judgment. It’s way too early in the investigation to be assigning blame—except to the hackers themselves.

Written By

Jason Weinstein, CIPP/US

2 Comments

  • Tommy Ward Jan 13, 2014

    I believe that encouraging cyber vigilante actions by corporations is very wrong. Why should we believe that the same companies that were successfully breached would be competent to launch such counter-attacks and hit the right targets? I suggest that focusing on some of the fundamental issues which make the attacks economically feasible is a much better approach. Replace the antiquated shared-secret-based payment card technology with one based on public key technology, so that data stolen at point of sale can't be reused for future transactions. Reform the credit industry so that knowledge of a few data points is not enough to commit identity theft.

  • Steve L Jan 13, 2014

    Stolen (brick-and-mortar) cardholder data would be rendered useless if the card brands would just require PoS systems to display the name read from the mag stripe and require all merchants to verify identification against that display. The problem with this approach is that VISA and MC prohibit verifying that information unless it meets a certain red flag.
