Hacking Threats Raise Data Security Concerns for State Attorneys General

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Robert A. Gottfried

Feb. 25 — “Data breaches have become a fact of life,” Walmart Senior Director, Public Affairs and Government Relations Angie Stoner said at a Feb. 24 panel at the winter meeting of the National Association of Attorneys General (NAAG).

Walmart's security team analyzed over one billion attacks in 2014 alone, she said.

Moderating the panel, NAAG President and Mississippi Attorney General Jim Hood (D) said that with the current generation of children growing up in the computer age, “we're going to see a lot more hackers than we have seen in the past.” The “way we work through this issue of cyberhacking in the next ten years is going to be by cooperation between the business community and government,” he said.

Possible Federal Breach Law 

There is a growing effort to pass a data breach notification law at the federal level that would affect the 47 states that have their own breach notification statutes, Hood said. “If you notice, there's a federal law pending before the Congress, and we might as well get on that train.” Following President Barack Obama's release of a federal breach notice legislation proposal, Sen. Bill Nelson (D-Fla.) introduced a similar measure Jan. 13. Rep. Michael C. Burgess (R-Tex.) told Bloomberg BNA that he is close to unveiling a data breach bill.

“There's going to be a question of federal preemption, and none of us attorneys general want to see our notice requirements preempted by a federal law, but as a practical matter you know something like that is going to happen,” Hood said.

Compartmentalization of Data 

Hemanshu Nigam, founder and chief executive officer of SSP Blue, a company specializing in online safety, security and privacy consulting, stated that one of the biggest issues in the coming decade will be data compartmentalization. “When hackers are going to come—and they will come—they will succeed in breaking your door down.”

The the real question “in the next 10 years of our evolution is going to be: what do they get to when they get in?” Nigam said. The cybersecurity model needs to change in the business world to prevent hackers from having free run of a corporation's data when they gain access, he stated. As it becomes increasingly difficult, if not impossible, to keep hackers out, companies must create internal barriers to protect data from attacks, he said.

Christopher Boyer, AT&T Inc. assistant vice president, global public policy, agreed. For the last five years and going forward, a major focus has been moving data away from the edges—the perimeter—of a website and into more distributed security, he said. By housing data in virtual containers in the cloud with security around each container, “instead of having a big wall that when you get in you have access to all the different assets behind the wall, you now have a wall around each one of the individual asset sets,” Boyer said. If a hacker gains access, this makes it much easier to quarantine different containers, he added.

Securing Payment Systems 

Stoner discussed ways to make hacking less profitable. The future of payment systems is among the most important security topics, she said.

In addition to mobile payment technology, Stoner pointed to the adoption of chip-and-PIN payment cards. Chip-and-PIN credit cards require customers to input a personal identification number at the checkout line—as most debit cards do already—rather than requiring a signature.

Stoner cited a 2013 Federal Reserve study that found chip-and-PIN transactions were 700 percent more secure than the more common chip-and-signature cards used in the U.S. today. While chip-and-PIN cards don't prevent hackers from accessing customer data, they make it harder for thieves to use any stolen information. Eighty countries using chip-and-PIN technology have seen a reduction in fraud, Stoner said.

To contact the reporter on this story: Robert A. Gottfried in Washington at rgottfried@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com


Request Bloomberg Law: Privacy & Data Security