I recently moved, so I had to go online to change my address with retailers, banks, and everyone else with whom I do business. It also seemed like an ideal opportunity to follow up on the recommendations that came out after the Heartbleed bug and diligently change all my passwords. Like many people, I had a habit of using similar passwords that I could recall relatively easily. Now, I am creating complex and different passwords for each site that would be more difficult for a fraudster to crack in an attack against my devices (and at the same time more difficult for me to remember).
I have found myself worrying about a breach of my personal information more frequently since news of the Heartbleed bug. Before, if I heard about a breach of a certain retailer, I felt secure if I did not frequent that store or have their card. Occasionally, I would receive notification that my data "may" have been breached, and the threat seemed amorphous. But the frequency and breadth of data breaches are increasing, further evidenced by the recent breach of a major online retailer's customer records. This breach affects about 145 million people.
As a consumer, I find the balance between protecting my own data and my personal bandwidth daunting to maintain. I need to monitor any place that has my personal data, change passwords and security questions, and be constantly aware of the latest threat. Because I work in payments risk, this awareness comes more naturally for me than for most people. But what about consumers who have little time to focus on cybersecurity and need to rely on being notified and told specifically what to do when there's been a breach of their data? And are the action steps usually being suggested comprehensive enough to provide the maximum protection to the affected consumers?
Almost all states have data breach notification laws, and with recent breaches, a number of them are considering strengthening those laws. Congress has held hearings, federal bills have been proposed, and there has been much debate about whether there should be a consistent national data breach notification standard, but no direct action to create such a standard has taken place. Is it time now to do so, or do there need to be more major breaches before the momentum to create such a standard makes it happen?