It's time we hold companies responsible for data breaches

Data security regulation is the only measure keeping retailers from burning us all, over and over again

Laws have never been able to keep up with the pace of technology. Tragically, it often takes a highly publicized event of gross malfeasance to rattle the legal system into enacting measures that address the gap.

The lack of stoplights and driving laws at the advent of the automobile, the dearth of workplace safety regulations in the age of the American sweatshop -- time and again, tragedy precedes legislation, even when common sense would suggest otherwise. And with the onslaught of technology only accelerating, we place ourselves increasingly in the crosshairs in more and more corners of our daily life, with little legal aid in sight.

[ Prevent corporate data leaks with the "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Take the Triangle Shirtwaist tragedy in 1911. The technological advances of the sweatshop era, which enabled large numbers of workers to be packed into tighter quarters to mass-produce goods with the aid of machines, came with little attention to laws to ensure safety -- including prohibitions against locking employees in a workshop. But that's what Triangle Shirtwaist company owner Max Blank did, same as many other factory owners of the era.

Not only did Max Blanck get off scot-free for the deaths of the 146 Triangle Shirtwaist employees who died when a fire swept through the locked factory, but when he was arrested a few years later for locking the doors to another factory with workers inside, he was fined a mere $20.

Many people might have had the forethought to realize that locking people inside a building would lead to serious problems, but clearly this concept eluded the owners, or they had enough of a financial incentive to act otherwise. Subsequently, we have laws that expressly prohibit the act. It also allows us to prosecute those who violate such laws. 

The way things are today, we may need to see the Internet burn to the ground in the United States before we can muster enough popular support for an open Internet. It's appalling to those of us who have the brainpower to see the end result of the Comcast-Time Warner Cable merger, the AT&T-DirectTV deal, and the pathetic "regulations" proposed by the FCC. The gruesome outcome of these events is easily predictible. Yet here are the powers that be, ignoring the smoke.

What other industries will have to burn to the ground before we act to reduce the damage that can be caused by a lack of commonsense legislation? The retail industry and credit-card processing, most likely. I've spoken out about this before, following the last massive security breach, but it's apparently happened again.

I don't have all the details yet, but I received a call from Capital One last Thursday informing me of a security breach that allowed criminals to steal credit card information. As a result, my credit card has been suspended and must be reissued. I asked which specific retailer was responsible for the breach, but the call center representative did not have that information. I'm not surprised -- there are no legal requirements for a company to divulge these events. And it may not have been a retailer; it may have been a credit-card processor, like Global Payments or Heartland Payment Systems.

Hundreds of millions of people have already been negatively affected by these breaches, and there is no end in sight. Sadly, there are few meaningful repercussions for losing customer data. The markets don't seem to care about data breaches, presumably because other than "aw, shucks" apologies by the company, there's little other impact on the business.

This is where regulations need to catch up to technology -- quickly. We need to penalize companies that cause large-scale data breaches impacting millions of people. Before you argue otherwise, these companies do cause these breaches; they are not victims.

We need to declare personal data as a private, regulated commodity. If they are going to collect and maintain data on their customers that can be used by bad actors to steal money and the identities of those customers, they need to be held accountable in ways significant enough that the markets do care. Only then will we see actual change in the way that data is managed and secured.

Personally, I'm not a fan of regulations. In a perfect world we wouldn't need any because they too have a habit of being misused and heavily applied. One needs only to look at any ordinary HOA agreement to see evidence of that. However, there are always going to be people who lack the common sense or have enough financial motive to willingly dispense with basic smarts, and thereby cause disasters and tragedies that affect hundreds, thousands, or millions of people.

If extremely strict regulation and heavy financial and possibly criminal penalties are what it takes to prevent or reduce these massive data breaches, then so be it.

This story, "It's time we hold companies responsible for data breaches," was originally published at Read more of Paul Venezia's The Deep End blog at For the latest business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.