Last updated: April 11, 2011 - 9:07am
[Commentary] Americans are right to be concerned about a huge data breach at an online marketing company, Epsilon, which resulted in the theft of names and e-mail addresses for customers and employees of some of the nation’s largest businesses, including Citibank, Disney and Verizon.
Epsilon issued a statement assuring that no other information was compromised. But millions of consumers could still be vulnerable to sophisticated identity-theft ploys — “spear phishing” — in which scammers target e-mails to specific people and make it appear as if they came from a company they trust. Familiarity can lure victims into clicking on links, downloading malware, or responding to requests for account numbers or passwords.
This is not an isolated case. The breach at Epsilon underscores the urgent need for a federal standard of data safety that ensures companies follow adequate policies and procedures to protect consumers’ information and determines companies’ legal liability for breaches.
As Congress debates new data privacy rules, it should put data security at the forefront. Possibilities include imposing maximum periods for retaining personal data and rules about how to protect data that is flowing through corporate networks, stored on corporate servers or, increasingly, on the cloud. It certainly seems risky to have one company handle sensitive information about the customers of so many large firms.
Consumers must also be vigilant. For starters, they should be wary about clicking on any e-mail attachment, even if it comes with a seemingly personal greeting from a business they know and trust.