Strengthen state disclosure laws now

Perhaps you’ve received one of those carefully worded letters: Dear customer, you trusted your personal details to us and someone stole them.

Maybe you were one of the estimated 550 million customers who were impacted by the Ticketmaster breach. Or one of the 30 million Santander Bank customers, the 2.8 million Save-Rx customers, the more than 3 million accounts in the Financial Business and Consumer Solutions collection agency breaches.

This week. This. Week. And time is of the essence.

Cyberattacks are spiking with 3,205 breaches in 2023 — a record 78-percent jump over 2022 — which was already up 72 percent from 2021, according to the Identity Theft Resource Center.

It’s a race the good guys seem to be losing, with technology and cloud-based systems allowing cybercriminals to penetrate through security holes seemingly no amount of money and resources can plug.

“Organizations are spending more money than ever on cybersecurity — an estimated $188 billion globally in 2023, a figure expected to grow to almost $215 billion in 2024 — yet hackers always seem to stay a step ahead,” Stuart Madnick, founding director of the Cybersecurity at MIT Sloan research consortium, wrote in The Wall Street Journal.

So there are nefarious cybercriminals — forming growing numbers of ransomware gangs that franchise their malware operations like fast-food chains — and there are the safekeepers of our data (the breached), and the aggrieved parties whose information was stolen.

In these cases, two of the three parties know the breach has happened — but the victims aren’t notified sometimes until weeks or months later, and sometimes only after the hackers claim public credit for the attack.

We’re seeing that play out in real time in Traverse City Area Public Schools, which closed school for two days in March after a “network disruption” with assurances that “to date, no reports of identity theft or fraud” arose out of the incident. Three weeks later, Comparitech reported that the hacker group Medusa threatened to publish or sell 1.2 terabytes of data if the district failed to pay them $500,000. Two weeks later, on May 17, TCAPS’ 932 employees were informed that personal information about some — or all — of them had been published by the hacking group.

It’s a bad situation. On one side are parents, students and employees who want to know immediately whether their personal data has been compromised. On the other side are lawyers representing SET SEG and the Thrun Law Firm, which represents TCAPS, who are jointly micromanaging every word the district discloses about the breach.

Our state’s disclosure requirements need to be examined immediately on all fronts, but especially in the public sector where insurance companies are flouting public disclosure laws. That the victims in this case could potentially include children just underscores this point.

In March 2023, after a Minneapolis school refused to pay a $1 million ransom demand, Medusa released highly sensitive documents that detailed “campus rape cases, child-abuse inquiries, student mental health crises and suspension reports,” according to a story in The 74, a nonprofit news outlet that covers education. And Medusa ensured that the Minneapolis students’ files were able to be accessed “with little more than a Google search,” The 74 story said.

In Louisiana, Medusa hacked files related to the St. Landry school district, deploying a double-extortion scheme where criminals downloaded compromising records and demanded ransom from the victims, according to the Acadiana Advocate.

The outlet contends school officials did not notify these individuals for five months. Those kids deserved better from the people charged with protecting them, and that includes the state.

Allowing the insurance companies and attorneys to smother public disclosure, and the state’s complicity in this, is another breach — of public trust.

— The Traverse City Record-Eagle


Today's breaking news and more in your inbox

I'm interested in (please check all that apply)
Are you a paying subscriber to the newspaper *

Starting at $4.62/week.

Subscribe Today