A MASSIVE data breach at Marriott International is a reminder that the debate over protecting personal information is much bigger than the tech industry. Until Congress acts, businesses across the country will remain unprepared for persistent attacks, and Americans will remain at risk.
Marriott announced Friday that its Starwood reservations database had been infiltrated starting in 2014 by unidentified actors, exposing the data of up to a staggering 500 million guests, from names and addresses to passport and credit card numbers. That makes this the second-largest breach in history — that we know of. Marriott is only one casualty in an epidemic enabled by corporate unpreparedness for the cyberthreats of the 21st century.
It is no surprise that conversation about safeguards focuses on Internet sites that have incentives to collect and sell as much personal data as possible. But customer information is key to day-to-day operations in countless industries, and firms spend little time thinking about how to keep it safe. An international survey of thousands of businesses this year found that 7 out of 10 admitted they are unprepared to cope with an attack.
Congress can change that. The first step is a federal privacy framework that focuses on the minimization of consumer information a company stores to what is essential to everyday operations. Fights are sure to arise over what “essential” really means; Marriott, for example, has legitimate reason to store data on clients in its loyalty programs even after stays have been completed. But customers should consent to the collection of their data for defined purposes, and companies should scrub data from their records when it no longer serves that purpose.
As important is what companies do to protect the data they are allowed to store. Congress could lay out those strictures, or it could give the Federal Trade Commission rulemaking authority. These rules could be prescriptive, telling companies exactly what measures to take to protect each category of data, or they could hinge on performance — identifying preventable vulnerabilities and holding companies to account when they fail to guard against them. In any case, the FTC needs the authority to levy meaningful fines for initial violations. Right now, it may well cost a company less to respond to a breach than it would to put in place the measures necessary to prevent one. Those incentives need an overhaul.
Today’s wisdom is that data is the new oil — a valuable resource. But this asset belongs as much to consumers as the companies who use it for profit. Government has an imperative to regulate not only the modern magnates in Menlo Park, Seattle and Mountain View, but also everyone else who leaves unguarded barrels behind unlocked doors.