Is it a safe new world in the rush for data?
Henry Zheng

In the age of information, data is the new oil, and the pirates of our era are hackers breaching company defenses to steal troves of consumer data. But when millions of people have their records stolen, few have the same intense emotional response as when a thief enters our house to take our valuables. The remoteness of the attack and the abstractness of our personal information doesn't help, allowing companies with lax security measures to proceed with a slap on the wrist from regulators.

U.S. banking giant Capital One is the latest company to be hacked. It said in a press statement that over 100 million people in the U.S. had their information such as names and credit scores compromised, while thousands had their Social Security or bank account numbers stolen.

There are no details on whether Capital One will be legally liable for the breach, or whether there will be a class action suit brought forth by those whose data were compromised. The company – the 10th largest in the banking industry by assets – claims that it stands to lose 150 million U.S. dollars from the breach.

This amount is a small fraction of its net income, which was about six billion dollars in 2018, according to its corporate filings on Nasdaq. The estimated loss would be less than 10 percent of its profits from last year.

In a similar breach at credit rating agency Equifax in 2017, hackers stole data affecting 147 million customers. It was caused by the company's neglect of a vulnerable web server. Soon after, Senators Elizabeth Warren and Mark Warren introduced a bill to hold credit agencies responsible for data breaches. However, the consequences for the company were minimal, and its former chief executive even retired with his full 90-million-dollar retirement package. The Federal Trade Commission said last Monday that Equifax will pay at least 575 million dollars in fines, but it has yet to do so.

VCG Photo

VCG Photo

If data is the new oil, then China has the largest reserves. Enterprises in the country have also suffered breaches of user data, such as the 2011 leak of six million users' personal information from the China Software Developer Network. Regulators, however, have responded much more quickly. The China Cybersecurity Law came into effect in 2017, and a year later saw the rollout of a national standard for protecting and dealing with personal data.

What would help with the implementation is greater concern about user privacy, which China's tech giants often gloss over. Back in 2018, Baidu CEO Robin Li said that "Chinese people are more open or less sensitive about the privacy issue. If they are able to trade privacy for convenience… in a lot of cases, they're willing to do that." His comments sparked outrage from netizens on China's social media platform Weibo.

As for foreign enterprises in China, knowing what regulations to follow can often be a headache. A report by AmCham Shanghai released back when the cybersecurity law came into effect noted that one issue was the ambiguity of the legal language. Daniel Rechtschaffen, government relations manager at AmCham Shanghai, wrote in the Diplomat that though such ambiguity allows for flexibility at the local level, this lack of clarity makes it difficult for multinationals to implement processes to comply with the law.

The data explosion in recent years will seem trivial when the Internet of Things (IoT) and 5G become ubiquitous. IoT devices such as smart fridges and remote-access cameras will create even more data. Such internet-connected devices is projected to reach about 75 billion worldwide by 2025, according to Statista.

Every aspect of our lives will truly be digitized, placing tremendous importance on the adherence of companies to stringent security measures. Otherwise, a cyberattack that will cripple critical infrastructure is likely to happen, such as the 2016 malware that hit servers crucial to running major sites such as Twitter and Amazon by hijacking vulnerable IoT endpoints.

So if we don't feel the pangs of urgency when our information is stolen because the perpetrator is doing it from far away to something as intangible as our credit ratings, maybe we'll wake up when our very tangible self-driving cars and smart appliances are hacked.