Data security

Chipotle got hacked!

Federal law hasn’t caught up with the increase in big data breaches.

So, Chipotle got hacked. The restaurant chain announced on Tuesday that it had discovered a breach in its payment system that may have affected credit card transactions between March 24 and April 18. “We want to make our customers aware that we recently detected unauthorized activity on the network that supports payment processing for purchases made in our restaurants,” the company said in a statement on its website.

This is actually fairly prompt disclosure for a company that has suffered a cybersecurity breach. Often it is months or even years before a large company tells its customers that it was attacked, even when the attack may have exposed customer data. Hackers hit JP Morgan Chase in 2014, compromising the accounts of more than 76 million households and 7 million businesses in one of the worst data breaches in history. The company discovered the breach in July, fixed it in August, and didn’t disclose it publicly until October.

The broader lesson, however, is that large companies are being hacked more and more regularly. When I was an editor at Motherboard, we started a column called “Another Day, Another Hack” just to keep track of them. Myspace, LinkedIn, Adobe, Badoo, Comcast, Domino’s, Dropbox, Dungeons & Dragons Online, Anthem, Experian and T-Mobile at the same time — and those are just the biggest, most recognizable ones. The list is already endless.

But here’s the thing: Cybersecurity disclosure laws have not caught up with the level of epic hacking we’re now seeing. In the US, there is no general federal law that requires companies to disclose when they’ve been breached, even if customers’ data is exposed (sector-specific rules such as HIPAA’s breach notification requirements for health data are the exception). California was the first state to enact a disclosure law in 2002, and for a while it was the only one. Now every state except Alabama and South Dakota has some form of disclosure requirement, each with its own definitions, deadlines and triggers.

In 2015, then-President Barack Obama proposed the Personal Data Notification & Protection Act, which would have introduced a 30-day notification requirement and established a national standard that companies could follow instead of the patchwork of 48 state laws. Like other attempts to pass a federal breach-disclosure law through Congress, it failed.

We’re still pretty passive as consumers about this kind of violation. When T-Mobile lost my Social Security Number, I was annoyed — but there was nothing I could do, and no immediate damage was done. I froze my credit and moved on, trying to forget that there might be a little packet of my information for sale on the dark web for $2. Identity theft is on the rise, however, along with these mega-breaches. We ignored it when it was Target, Tumblr, and Adult Friend Finder. Maybe we’ll listen now that the thieves have hit us in our burritos, and start pressuring lawmakers for national standards around disclosure and stricter penalties for not adequately protecting our data.