
The only laws I would be in favor of are required transparency laws where you have to report all breaches with serious fines/jail for failure to comply.

This is already the case. The information comes from JPM's (mandatory) SEC filings. I forget the time frame but stuff like this (information that could reasonably be expected to have a material impact on the stock price) has to be reported within a pretty narrow window of becoming known to management, like 72 hours or so.

The market will quickly sort things out if it has the appropriate information.

By all appearances the opposite is true. I mean, where do you move your business to? I have no idea which is the most secure bank, only which ones have so far discovered and reported breaches. Neither Target nor Home Depot seems to have been punished very severely by the market if their stock prices are anything to go by.

Why would I care if my credit card information gets taken? If there's a fraudulent charge, I don't have to pay for it. Therefore, I have no financial incentive to take my business elsewhere or otherwise care about security.

The cost is borne somewhere (likely in the % fee credit cards charge merchants), but individual users have no incentive to care about it.


What was the actual information taken? How was the breach perpetrated? Two pretty big pieces of information we are missing. There may also be daily breaches that aren't significant enough to impact earnings that we never hear about.

No, we do not have any kind of transparency.

The second issue (where do I go?) can't be worked out at all until we have some idea of "where do I really not want to be?"


First you said you wanted a report of all breaches, now you're asking for the investigation to be run in public - rather a massive move of the goalposts. Without expressing any sympathy for the banks, I'm having trouble thinking of any business that would be willing or even able to do business under such conditions.


No, what I'm saying is that we don't have transparency in the reports. All we get is "something happened", with very few details of what "something" is. My goalposts never moved; only your interpretation of them.

Would you not agree that a data breach brought on by a disgruntled employee selling records is materially different than the same data breach caused by failure to patch systems? I don't care about the investigation (where did you get any implication I think investigations should be public); I care about the results.


This sentence:

>>Would you not agree that a data breach brought on by a disgruntled employee selling records is materially different than the same data breach caused by failure to patch systems?

Directly contradicts this one:

>>I don't care about the investigation (where did you get any implication I think investigations should be public); I care about the results.

The result is that people's credit card information got stolen. The investigation and the details -- i.e. whether it was an internal or external breach -- are not relevant to me as the customer.


Perhaps you have a different definition of investigation than I do. I see the investigation as the active bit where you are talking to people, looking through logs, trying to figure out what happened. At the end of that, you would have a report that said "this is what happened: this is the data that was lost and this is how it was done". That doesn't imply that every interview and every log file gets published.

Of course there is going to be some level of sanitization, but today we get no information beyond "we lost a bunch of data" (oh, look, they told us names, address, email, "and other information used to categorize customers", whatever that means).

If you decide it's not relevant to you, brilliant. Don't pay attention to it. It is relevant to me, because I don't have any other way to decide who I should trust with my information security. A company losing hundreds of credit cards a day to hundreds of different hacks is much less secure in my mind than a company that loses 70M names and addresses (as far as I know, the Chase hack did not expose credit cards; mine was not replaced). The former goes unreported; the latter gets splashed all over the news.


They may not have been "punished", but merchants, banks and the payment companies have finally been convinced that swipe cards should be replaced. The changeover with next year's "liability shift" won't be cheap, but it will result in a more secure system.


>>with serious fines/jail for failure to comply.

>This is already the case.

Err, no it isn't.

>I mean, where do you move your business to? I have no idea which is the most secure bank,

Couldn't agree more with that bit.
