After data thefts, customers often left in the dark

A day after the U.S. Department of Justice announced the largest theft of consumer financial data in U.S. history, most of the dozen companies that were hacked have yet to come forward or otherwise been identified. Why? After all, the customers and depositors that rely on these businesses should know if their personal information was jeopardized in the alleged cybercrime, a complex attack that federal prosecutors say involved 75 shell companies and yielded hundreds of million of dollars in illicit proceeds.

Yet what potential victims in the U.S. are legally entitled to know regarding the fate of their data depends entirely on their state of residence, with no federal statute specifying what companies must disclose to consumers.

'There is no federal standard for identity theft," said Michael Greenberger, director of the University of Maryland's Center for Health and Homeland Security. "In Maryland, a corporation only has to disclose that a consumer's name was hacked -- not a Social Security number or any other data points that could be used to reverse-engineer an identity. Whereas in New York and Wisconsin, there is a long list of data points, including your Social Security number, driver's license number, even your passport number, that consumers have to be notified about."

Corporations that get hacked are in murky legal waters regarding their responsibilities to customers. Releasing too many details about a data breach can sully their reputation, as well as give other hackers insights into their vulnerabilities. But withholding information from consumers can invite costly class-actions, with the law fuzzy on what companies must to protect consumers from data thefts.

Consider the case of Neiman Marcus. In 2014, the luxury department store chain disclosed that hackers had captured information gleaned from 350,000 payment card transactions, resulting in 9,200 customers accounts being hit by fraudulent activity. The retailer said the breach did not include the loss of Social Security numbers.

Although the retailer reimbursed account holders affected by the fraud and offered free credit monitoring for a year, some consumers sued in a class action. This summer, a panel of the U.S. Seventh Circuit Court of Appeals ruled that Neiman Marcus customers "should not have to wait until hackers commit identity theft or credit card in order to get class standing." Judges cited Neiman Marcus's offer of free credit monitoring as evidence that consumers had something to worry about. The company is appealing the ruling.

"For years now, corporate leadership thought cybersecurity and data protection was the IT department's problem," Greenberger said. "Now it is the C-Suite's problem."

It is, in fact, a national problem affecting all levels of government.

Earlier this year, President Barack Obama backed the creation of a national standard for identity theft that, among other things, would require for the first time that businesses notify consumers about breaches involving their personal data. "Right now almost every state has a different law on this," President Obama said. "It is confusing for consumers, it is confusing for the companies and costly to have to comply with this patchwork of laws."

In June, the government disclosed that confidential data for 4 million current and retired federal employees had been stolen. And last year the U.S.Post Office said that 800,000 personal files had been hacked, including data belonging to members of the Postal Regulatory Commission and the U.S. Postal Inspection Service.

The Federal Trade Commission is zeroing in on the issue, reasoning that consumers may be falling prey to deceptive trade practices when companies say that their personal information is secure but it proves not to be.

Meanwhile, although cyberattacks have increasingly targeted federal agencies of late, resulting in a number of high-profile data breaches, state governments have on the firing line for years.

In 2010, for example, a hack in Texas exposed 3.5 million files that included Social Security numbers and other personal data belonging to retired state employees and and unemployment beneficiaries. In 2012, a malicious email resulted in the compromise of data for 4 million taxpayers and 700,000 businesses on file with the South Carolina Department of Revenue.

"Organizations that operate their own systems have to understand that hacking is being done now on an industrial scale," said Marc Pfeiffer, assistant director at Rutgers University's Bloustein Local Government Research Center, noting that the school had been hit by such an attack. "You can hire people to attack other sites and even buy cyberviruses made to order on the dark web."

With hacks of companies, agencies and other organizations increasingly in the public eye, lawmakers are mulling legislation to stem the tide. The House of Representatives and the Senate have each passed measures aimed at combating cybercrime.

The bills -- the "Cyber Security Information Sharing Act" in the Senate and the "Protecting Cyber Networks Act" in the House -- would encourage businesses to disclose to authorities when they experience a data breach, according to an analysis by Jules Szanton, a researcher with the University of Maryland's Center for Health and Homeland Security. Neither bill makes such a disclosure mandatory, but does say that cooperating firms would be indemnified from any potential lawsuits stemming from a breach.

The bills passed with bipartisan support, but opponents contend the legislation represents an invasive and unconstitutional expansion of the government's access to private data. The bills are slated be reconciled in conference, with a vote not expected until January.