Monday, October 6, 2014

US: Please Come Down Hard on JPMorgan

The U.S. Government needs to come down hard on JPMorgan Chase for its woeful performance in disclosing and responding to a privacy data breach that reportedly affects 76 million customers.

Free market principles can, eventually, effect cybersecurity change. When data breaches occur, like the 40 million record breach at Target in late 2013 and the 56 million record breach at Home Depot earlier this year, customers can effectively respond with their feet. That reportedly happened with Target, and anecdotally, I’ve become a much more frequent patron of both my local town hardware store and Lowe’s. By withholding business from organizations that suffer a breach of your personal and financial information, customers can punish the company financially. It may take a lot of customers to really have an effect on the bottom line, but when they act in unison, customers are an economic force to be reckoned with.

The recent breach at JPMorgan Chase is different. Unlike Target and Home Depot, which publicly acknowledged their breaches (only after they were independently reported, but still), JPMorgan Chase reportedly suffered a relatively minor breach. It was so minor that the company’s spokesman responded to the reports with this:

“Companies of our size unfortunately experience cyber attacks nearly every day. We have multiple layers of defense to counteract any threats and constantly monitor fraud levels.”

It was only after submitting a financial statement to the U.S. Securities and Exchange Commission that JPMorgan Chase admitted to the much broader breach. The filing is brief, stating:

On October 2, 2014, JPMorgan Chase & Co. (“JPMorgan Chase” or the “Firm”) updated information for its customers, on its Chase.com and JPMorganOnline websites and on the Chase and J.P. Morgan mobile applications, about the previously disclosed cyberattack against the Firm. The Firm disclosed that:
  • User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.
  • The compromised data impacts approximately 76 million households and 7 million small businesses.
  • However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.
  • As of such date, the Firm continues not to have seen any unusual customer fraud related to this incident.
  • JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the Firm to.
The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter. In addition, the Firm is fully cooperating with government agencies in connection with their investigations.

There has to be more than just a financial filing though, right? I initially went to multiple JPMorgan Chase web sites looking for more information, and found nothing. After searching for articles on the matter, one pointed to a FAQ on the incident. When I returned to the Chase.com web site to try to figure out the navigation path to the information about the incident, I continued to be baffled until I took a more critical look at the lower right-hand corner of the web site.

Without context, most customers would probably just look at that “Important Update About Cyber Security” item and figure that it was a link to some generic security policy. It was only because I was specifically looking for it that I even noticed it beneath the login field. The text, “Here’s what we know to date,” gives some clue that there’s something a customer should know there, but that anything may be wrong is simply implied, not stated. Without knowing in advance, customers have no clue that something may have happened to their account information unless they happen to get curious and click on the “Learn more” link. Why be so vague if not to minimize the chance that less-informed customers find out that their bank lacked appropriate security controls to protect their personal information?

Perhaps the company was hoping that no one would notice such a major change in the story if it was buried in a standard financial filing. Or, maybe the company just doesn’t see it as a big deal since it promises no financial data was disclosed. Whatever the reason, JPMorgan Chase has treated its customers with an extraordinary level of disrespect and indifference in response to the breach.

Full disclaimer: I am an involuntary customer, bound by a mortgage that my original lender sold to JPMorgan Chase. I did not choose to be a JPMorgan customer and, because of the nature of my business relationship with the company, I have no control over that relationship. I, like millions of other mortgage customers, cannot simply walk away from JPMorgan Chase. We are bound to the company, forced to continue our commitment to supporting its bottom line without the simple reciprocal commitment to protect our personal information. Since we cannot effectively wield our economic power to punish the company for its misdeeds, free market principles no longer apply to it. Our helplessness drives the need for government intervention.

JPMorgan Chase has failed its customers. Information that we held in its care has been violated, and the only response that the company has provided is an admission in a required financial report. The fact that I, as a customer, have received no official notification that a breach has occurred is indicative of the company’s position of power over me, again, as an involuntary (and now unwilling) customer. If the company is allowed to continue operating outside of free market principles with regard to mortgage customers such as myself, then only the U.S. Government can represent those customers in action against the company. It’s for this reason that the government should levy a significant fine on JPMorgan Chase, if only to remind it that, while it may hold significant power over involuntary customers, that power doesn’t come without some reasonable level of responsibility and accountability.

That’s not to say that customers can’t do anything. We have two rational, though improbable, options: 1) pay off the mortgage; 2) refinance the mortgage with a new lender. The latter is probably the more practical response, though, as I’ve implied earlier, there is no guarantee that the new lender will not just sell the mortgage back to JPMorgan Chase and repeat the cycle of helplessness.

I’ve been on a writing hiatus for about six months because life just got too crazy. Building an innovative cybersecurity technology, traveling across six time zones for work and pleasure, working through a major house renovation, and having a family will do that to you. It has been a crazy year for security and privacy, one that will certainly be remembered for Heartbleed (open source usage incompetence), Target (post-attack incompetence), and Home Depot (nearly complete incompetence). I’m reluctantly hoping that winter will force me to stay indoors more often so that I can write, rather than remain in my preferred state of paddling the Charles River.