A Simple Proposal to Help Fix Corporate America’s Cybersecurity Problem

The public’s confidence in the capability of companies to protect customers’ personal information has taken a beating in recent weeks.

Customers of Sears and Kmart, Best Buy, Saks Fifth Avenue and Lord & Taylor, and Delta Air Lines recently learned that hacks have exposed their personal data, including credit and debit card numbers. And then there’s the disclosure that Cambridge Analytica harvested the personal information of nearly 87 million Facebook users.

Despite these disclosures and others, we continue to entrust our personal information to businesses without any standard for judging how safe it is. It doesn’t have to be that way.

When we head out for dinner in major cities, for example, the restaurant has a letter grade from the health inspector in the window. As a society, we recognize that when consumers dine out, they may be putting their health at risk. We require, in turn, that restaurants display the simple but powerful information about their hygienic standards.

There is no equivalent standard by which a consumer may judge the data security practices of a business.

That lack of public information about the cyberpreparedness of businesses is all the more striking given the relative severity of the threat. More than half the adult population of the United States was affected by the breach of Equifax last year.

Unfortunately, we have become inured to these hacks. Our response to breaches has become routine: more calls for regulation, followed by congressional hearings and failed regulatory proposals. Consumers go about their lives, numbed by the frequency and the lack of consequences. Meanwhile, the hacks get worse.

This cycle stems in part from a lack of information about the security practices of businesses. But forcing companies to explain how they are keeping the bad guys out would only help the bad guys.

The simple grading system used by restaurant regulators can and should be a model to inform the public about the digital security of businesses that store sensitive consumer data. A letter grade is a crude measure to assess a complex issue like cybersecurity to be sure, but what the metric lacks in nuance it makes up for with brute force.

Current measures to assess cyberpreparedness are either not compulsory or too complex. The federal government’s National Institute of Standards and Technology framework is widely respected, but it’s voluntary, underused and not easily digestible for the average consumer. Only seven Fortune 500 companies mentioned it in their annual filings with the Securities and Exchange Commission last year, and only one said it had adopted it.

MSCI — an index provider and independent research firm for institutional investors — ranks companies on cybersecurity. More than a year before Equifax’s breach was revealed, MSCI scored Equifax a zero out of 10 on privacy and data security. As prescient as it was, consumers would have had difficulty absorbing such a rating, which is just one of several components that MSCI uses to arrive at an environmental, social and governance, or ESG, rating of overall corporate citizenship.

A new grading system should start with the basics: Are companies on top of data security, and if hacked, do they know how to reduce the impact?

Each year, the Ponemon Institute, an independent research group, and IBM look at the cost of the average data security breach, as well as the average cost of each piece of data compromised. In 2017, the average cost of a data breach in the United States was $7.35 million, or $141 per record compromised. But if a company has an incident response team, uses encryption, trains its employees, has a business continuity program and monitors cyberthreat intelligence, that reduces the cost of the average data breach by nearly 47 percent. Using these five factors — weighed for their impact of cost reduction — is a simple starting point.

There are plenty of details to be worked out about a cybersecurity grading system. But the one nonnegotiable aspect would be that, once assigned, letter grades must be made highly accessible to the public. Companies should be required to display their grades prominently at their physical locations, on their websites, on certain documents (mortgage applications, for example) and on credit card readers.

A grading system would not solve every cybersecurity problem, nor prevent every breach. But our sad state of affairs — in which we are equal parts fearful, apathetic and ignorant about digital security — must change. Providing clearer information to the public is the most productive next step we can take.