The recent wave of massive data breaches shows that businesses holding sensitive data need to do a better job of protecting it. That has fueled renewed calls to give businesses an incentive to improve data security by promulgating industry or statutory standards. The irony is that the breaches also show that it is extremely difficult for standards—statutory or industry—to sufficiently improve security. Target, for example, complied with all relevant industry standards but was easily breached.
The problem runs much deeper than the usual concern about industry capture. To begin with, standards are often too specific, addressing just a few of the wide range of problems associated with contemporary network attacks. For example, Target’s point of sale systems were PCI (Payment Card Industry) compliant, but that provided no protection for the rest of Target’s complex network. Further, promulgated standards, no matter how wide reaching, are always behind the curve in the rapidly escalating war of network attack and defense. For example, PCI standards did not, at the time of the Target breach, require that credit card information be encrypted for the milliseconds it took to transfer it from the payment terminal to the network, so the hackers simply recorded the information at that point. Finally, standards are simply a roadmap for attackers. They just tell them what networks guard against and what they probably don’t.
So should we abandon the idea of using statutes or industry standards to give businesses an incentive to improve data security? That would almost certainly be a mistake since market incentives run the wrong way. Consumers have been unwilling to pay for the added value of security through slightly higher retail prices or credit card fees, and companies dependent on consumer sales don’t offer what consumers don’t want. Consumers end up paying even more to cover the high cost of data breaches, but that fact has not created any “pay more for security” reaction.
So the task is clear: formulate standards with sufficient detail to provide genuine guidance but with enough flexibility to encourage innovation and keep pace with rapid change. It is just the solution that eludes us.
This post was originally published on CKPrivacy.org (archived link)