For companies like Equifax [EFX] to take massive breaches of personal data more seriously, Congress might consider implementing similar penalties to those paid by oil companies following spills, according to two former national security officials.
Former CIA and National Security Agency Director Michael Hayden and former White House National Coordinator for Security, Infrastructure Protection and Counterterrorism Richard Clarke argue a lack of governance and governmental pressure led to Equifax succumbing to a hack of over 145 million citizens’ personal data.
“Companies like Equifax will continue to screw up until there is a penalty for doing so,” Clarke said, speaking on a panel with Hayden at a Washington Post cyber event last Tuesday.
Clarke discussed possibly creating a model similar to legislation implemented following the Exxon Valdez incident in 1989 where companies were charged for each gallon of oil leaked.
In the aftermath of massive data breaches, companies would be charged per person for each piece of publicly identifiable information lost, according to the idea Clarke posited.
The panelists believe a system where companies are charged per data loss might have a greater effect than a system of regulations aimed at correcting cyber security practices.
“Rather than coming in with a clipboard going in and giving you checkmarks, the government sets up a structure that drives the business case over a long term to be responsive and responsible,” said Hayden.
Clarke expressed skepticism that such a plan would be implemented in the short term, believing a series of regulations is still appropriate in the meantime. On a policy level, Clarke believes Congress should begin by setting a national standard for breach notification.
White House Cyber Security Coordinator Rob Joyce was unsure whether increased regulation would help companies such as Equifax mitigate their data breach issues. Joyce disagreed when asked to respond to a proposed plan from New York Gov. Andrew Cuomo to potentially revoke the licenses of companies that fail to protect consumers’ data.
“I think there needs to be some oversight and regulation in that. One thing I’m convinced of though is we need to be careful about Balkanizing regulations. It’s really hard on companies today with state regulators, local regulators, and only harder with potentially multiple federal regulators and federal law,” said Joyce.
Internally, companies need to better prioritize cyber security spending within their information technology (IT) budgets, according to Clarke.
“Companies today are on average spending between three and five percent of their IT budget on cyber security. That is a recipe for disaster. If that’s where you are, you’re going to get hacked,” said Clarke, who believes an amount closer to eight or 12 percent would be more appropriate.