Hackers who stole confidential information on more than 309,000 current and former students and faculty from computers at the University of Maryland College Park last week had to penetrate multiple layers of security to get at the data, and school officials still don't know exactly how they did it or who they were. The sophisticated attack, which compromised Social Security numbers, birth dates, university ID numbers and other personal information, was a stark reminder of how vulnerable the nation's institutions are.
School officials moved quickly to respond to the breach, which apparently took place sometime between 4 a.m. and 5 a.m. Tuesday and was discovered by staffers a few hours later. The next day University President Wallace Loh announced what had happened in an open letter to the campus and notified the state attorney general's office, which posted a list of things consumers could do to protect their information on its website. Mr. Loh also invited federal, state and local law-enforcement agencies to help investigate the incident, offered free credit monitoring for a year to anyone affected by the theft and set up a university task force to recommend further steps the school should take to guard against such crimes in the future.
But although UM officials appear to have done everything right after discovering the breach, that's not always how things turn out. During the holiday season last year, a week elapsed before Target told customers cyber criminals had gained access to personal information on millions of shoppers, and It took Neiman Marcus 10 days to announce that it had fallen victim to a similar attack. Those were just two among a series of large data breaches that recently have targeted financial institutions, schools, employers, retailers and others across the country who collect the kind of data cyber thieves can use to set up phony accounts under victims' names and steal their money.
Experts warn that more such attacks are on the way and that efforts to mitigate their impact are hampered by the current lack of national standards governing what institutions whose data has been breached are required to do, either in terms of notifying customers or in strengthening their defenses against hackers. While no institution is invulnerable to such attacks, the response to them is governed by a confusing and often contradictory patchwork of state laws that are wholly inadequate to protect a national economy.
For example, some states require retailers to disclose a breach within a specified period of time but others exempt companies from that mandate if the data are encrypted. Maryland requires retailers to list contact information for the state attorney general on their websites after a breach, while companies in Oregon must contact the Federal Trade Commission and those in Iowa have to report to police. The lack of uniformity makes it difficult for companies to come up with consistent responses to data breaches. Clearly this is a national issue that demands a federal response.
That's why pressure has been growing in Congress to develop federal standards for how companies handle data thefts. One bill would require companies to safeguard their data, assess the harm a breach might do and notify consumers as well as the appropriate federal agencies of all breaches affecting more than 5,000 customers. Meanwhile, the Securities and Exchange Commission has advised public companies hit with breaches to inform customers of that fact in a timely fashion, though it set no specific timetable.
In addition, the White House has issued guidelines aimed at helping companies that run essential services such as banks, utilities and cellphone towers better protect themselves from cyber attacks. Those guidelines are voluntary, however, and companies are free to ignore them unless Congress enacts them into law.
In the meantime, Maryland can strengthen its own defenses by beefing up the reporting and security requirements for companies and institutions whose systems are hacked. One way to do that might be to simply adopt the president's guidelines in their entirety and incorporate them into state law. We need to recognize that the threat posed by cyber attacks is real and growing, and we don't need to wait for Washington to act in order to better protect Marylanders from such crimes.
To respond to this editorial, send an email to firstname.lastname@example.org. Please include your name and contact information.