Docked in Lewes, Delaware, is a 166-foot ship called the DELRIVER that is rarely called out of port. Nonetheless, it’s staffed 24/7 by a four-person crew and stands ready for action at a moment’s notice.
The DELRIVER is an oil-spill response vessel, funded by the local oil industry to clean up spills in the Delaware Bay as soon as they happen. The last major spill in the area was in 2004, when the tanker Athos spewed 265,000 gallons of heavy crude from Venezuela into the Delaware River. The last spill of any kind that it responded to was a small diesel spill in 2014. Still the DELRIVER and its crew wait, just in case—because when a spill does happen, the first minutes and hours are crucial to the cleanup’s effectiveness.
Cleanup vessels like the DELRIVER exist because it’s understood that oil spills are not only disastrous but inevitable. So it isn’t sufficient just to try and prevent them. You also have to be ready to mitigate the damage.
In the internet age, it’s becoming clear that data spills—breaches, hacks, leaks—are inevitable, too. Industry efforts have focused on cybersecurity: keeping data in and hackers out. But lately even the biggest companies with top security teams have exposed their users’ personal information. Last month, Facebook announced that hackers had stolen the private data of some 30 million users, exploiting a series of bugs in the company’s login system. The victims are now vulnerable to all kinds of fraud, from phishing attempts to identity theft to attempts to gain access to their other online accounts. They could be feeling the effects for many years to come.
So what’s the data-spill equivalent of the cleanup vessel? Once their systems have been breached, what do companies or the industry do to try and limit the damage to those affected? In many cases, so far—including Facebook’s—the answer is: almost nothing.
Asked what it’s doing for users in the wake of the hack, Facebook told me it created a page where people can check whether their accounts were affected. It also sent customized messages to the victims, explaining what information was exposed, and offering some advice on steps they can take to protect themselves from suspicious emails, texts, or calls. And so far, that’s it. Does Facebook believe the victims are entitled to any sort of monetary compensation? The company had no comment.
Data spills aren’t the same as oil spills, of course. Whereas oil spreads gradually, data can be replicated and transmitted instantaneously and without limit. That makes a full cleanup virtually impossible, as my colleague April Glaser pointed out in the wake of an earlier Facebook snafu, the Cambridge Analytica leak.
When it comes to protecting users after a hack, “There’s a general inclination to do the bare legal minimum.”— Josephine Wolff
Still, there are things that can be done for data leak victims, such as buying them credit-monitoring services, identity-theft protection, or identity-theft insurance. The U.S. government offered those services to employees affected by the Office of Personnel Management breach. But relatively few private companies extend the same courtesy to their customers, users, or clients, experts say. That’s a norm that many believe needs to change—whether voluntarily or through tougher regulations.
“I definitely don’t think the industry has gone far enough in terms of finding ways to make people whole and mitigating the impact to someone else,” says Ashkan Soltani, former chief technologist of the Federal Trade Commission, who is now an independent privacy and security researcher. Part of the reason, he said, is that state and federal laws—and the courts that interpret them—often let companies off the hook.
Large breaches routinely trigger class-action lawsuit by the victims. But those lawsuits are rarely successful, because courts don’t recognize the exposure of one’s personal information as a harm in itself. Instead, data breach victims usually have to demonstrate that they have suffered actual monetary losses as a direct result of the hack.
The key precedent there is the 2013 Supreme Court case Clapper v. Amnesty International, in which the high court ruled that the plaintiffs lacked standing to challenge a federal surveillance law because they couldn’t show that they’d been personally hurt by the surveillance in question. The fact that they had to spend money to take extra precautions to guard their privacy was dismissed by Justice Samuel Alito, who opined, “Respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
That’s unfortunate, because as Soltani puts it, “a lot of the harms around data issues are downstream many levels” from the initial breach. “To prove that the Facebook data breach allowed an attacker to more easily access your Yahoo accounts or your health accounts is very hard to do.” And that only becomes harder as the breaches pile up: Did an identity thief get your data from Facebook, or Equifax, or LinkedIn, or somewhere else entirely? You might never know.
That gap in the law is one that California is trying to close with its new data privacy law, which Gov. Jerry Brown signed in June. The law has not gone into effect yet, and the details are still a matter of contention. Meanwhile, tech companies are hoping to undermine it with a federal privacy law that would take precedence. But as written, it includes the right for private citizens to sue companies over data breaches, and crucially, it stipulates that the loss of their personal information counts as a harm in itself, with statutory damages up to $750 per person. (Victims can still seek more than that if they can prove actual damages greater than that amount.)
Europe’s General Data Protection Regulation takes a different approach, allowing national governments to issue stiff administrative fines to companies that fail to protect personal data. Josephine Wolff, a cybersecurity expert and professor of public policy at Rochester Institute of Technology (who also contributes to Slate), told me she believes that could make people’s data safer by forcing companies to take data protection more seriously—and indeed, Facebook could face fines for the breach under GPDR.
Still, in the absence of tougher laws beyond Europe, Wolff said she doesn’t expect companies to start treating data breach victims better on their own. “Companies that have been breached tend to feel like, ‘We are the victim. Why is everybody coming after us?’ ” she said. They tend to be more concerned with the damage to their business and reputation than the potential threats to their users.
In that sense, Wolff said, Facebook’s reaction is not out of the ordinary. When it comes to protecting users after a hack, “There’s a general inclination to do the bare legal minimum.” In most cases, that means notifying those affected by the breach, which is required under most state laws.
That said, there is some hope that companies could be educated, guilted, or otherwise persuaded to do more—if they felt that their brands depended on it. Dave Burg, head of cybersecurity for the consultancy EY, told me it’s increasingly common practice for large companies to develop emergency plans to follow in the event of a breach of their customers’, clients’, or even employees’ data. His firm walks them through simulations to practice these plans. Some include measures such as paying for the victims’ credit monitoring and freezing their credit lines, he said.
One preventative measure that’s becoming more common is for companies to check users’ passwords against a database of stolen passwords, such as the one maintained by Have I Been Pwned, when they sign up. That wouldn’t have helped in Facebook’s case because the hackers in that instance managed to infiltrate users’ accounts without obtaining their passwords. But it could help contain the damage from other breaches.
Ultimately, Burg said, companies are unlikely to do much more to help breach victims unless they feel it’s necessary to maintain their bottom line” “If you look at earnings per share for companies that have been a victim of a large cyber breach, it usually recovers, and recovers quite quickly.”
Oil companies can recover from a spill, too. But they rarely get off the hook so easily for the damage. The Oil Pollution Act of 1990, passed in response to the Exxon Valdez spill, requires the company found responsible for the spill to pay the costs of cleanup and restoration. Even if the company isn’t held liable, the industry still pays: In those cases, the money comes from an Oil Spill Liability Trust Fund, paid for by oil taxes.