Punish Companies That Store But Can’t Protect Your Data

I would be worried about the recent Marriott data breach, but I’m already taking defensive measures because I’ve been a victim of data breaches. At this point, who hasn’t? Nonetheless, this proposal is a decent start (boldface mine):

This doesn’t let Marriott off the hook. The breach occurred in the reservations database of Starwood Hotels and Resorts, a company Marriott acquired two years ago for nearly $14 billion. Apparently, none of the money went for an upgrade to Starwood’s data security systems because the breach began two years before Marriott made the acquisition and continued for two more years under new management.

Jake Olcott, vice president of communications at BitSight, a Boston-based data security company, said this suggests that Marriott failed to exercise “cyber diligence.” Olcott said it is a common problem when companies merge because “the IT and IT security folks are often not brought into the transaction until very late in the deal flow.” By then, both buyer and seller aren’t eager to hear any bad news that might derail the transaction, so any bad news about weak network security may have been shoved into the shadows.

Is that what happened this time? We may find out when the lawsuits are filed. At the least, the Marriott case is a good reason to insist on tougher state and federal sanctions against corporations that misplace our personal data. If Marriott had to pay even $100 for every stolen data file, it might have paid closer attention. (Under a new California law, consumers can sue for up to $750 when their information is lost.)

Regarding the California law, people should have the option to sue, but there should also be fines levied. It shouldn’t be up to individuals to enforce financial sanctions any more than it should be up to individuals to enforce criminal sanctions. This is one reason why we have governments. Just start fining companies that can’t maintain data security. If this means companies aren’t holding on to your credit card data and other identifiable information, that really isn’t the end of the world. And let’s not even start on Equifax, which is essentially the privatized version of those awful Chinese social credit scores. Let them wither.
