It seems as if every day, we hear about another data breach. It has become a familiar story: a company admits its systems were breached and sensitive customer information was stolen. It seems that either the hackers have gotten better and busier, or companies are just more vulnerable with multiple access points and weaknesses in complicated systems.
But there’s another element to this as well. We’re changing into a society that demands more privacy and better security measures from the companies we do business with. Five years ago, it wasn’t common for a board of directors of a company to be informed of a sizeable security incident, according to Chris Novak, the director of investigative response for Verizon, which does investigations into hacking. “They were handled as if they weren’t a big deal,” he says. Nowadays, the board frequently calls him into weekly meetings after a data breach.
Companies, senior executives and boards know they’ll ultimately be held responsible for any lapses in their security systems, as the Target Corp. data breach proved in 2013, when up to 70 million records were potentially compromised. The breach ultimately cost Gregg Steinhafel, who had spent 15 years as the company’s CEO, his job.
Even though consumers freely give away their personal information every day, entering demographic data into this or that website in exchange for access, giving away their entire phone contact list in exchange for a free app, the government has been slowly moving in the direction of mandating more privacy. With the passage of the Health Insurance Portability and Accountability Act of 1996, the move toward mandated protections for consumers was well underway. The Gramm-Leach-Bliley Act of 1999 required many financial institutions, including banks, to send privacy notices to consumers that detail ways that they can opt out of sharing their information with third parties.
And under the European Union’s new general data protection (GDPR) provisions, financial institutions will have a new set of rules that govern how they handle the private information of residents of the European Union. Even a company doing business in the United States that happens to have some European account holders will have to comply, starting in May 2018.
It’s a safe bet that this general trend toward greater privacy and protection will continue here and abroad. The growing number of devices connected to the internet, from refrigerators to watches, exposes us to even more breaches of our private information, and as more people find their information stolen and their identities robbed from them, you can expect that Congress or state legislators will act. The focus on the privacy of consumer and business data will escalate in an age where we are increasingly connected online and increasingly giving away the goods.