Professor Richard Thaler this week collected a Nobel Prize for his insights into behavioral economics—the idea that, contrary to economic theory, humans are not rational actors when it comes to financial decisions, but can be nudged to make better choices. The most famous application of Thaler’s insight is a law that encourages firms to automatically enroll workers in 401K plans rather than require them to sign up. This simple nudge has dramatically increased the amount that tens of millions of Americans have saved for retirement.
When it comes to cyber-security, it’s clear firms like Equifax could have used a Thaler-style nudge to tighten up their sloppy IT practices. Recall that the Equifax debacle, one of the worst data breaches in history, arose because the company failed to update its software—and a big reason for this is that it lacked incentives to do so.
According to Megan Stiles, an attorney and cyber expert at Public Knowledge, the credit bureaus systemically under-invested in data protection because their short-term interest in profit took precedence over security.
Stiles says we’ve reached a point where credit bureaus and other data firms require more regulation, including incentives to invest in safety. She pointed to the oil industry as a possible model, noting that those who transport tankers of oil must carry insurance in case something goes wrong—and the insurance companies in turn demand they take precautions to obtain coverage.
It’s not hard to imagine how this model could extend to companies that store and transport data. In this case, a mandatory insurance regime could include provisions that require up-to-date software for coverage to apply. The upshot would be a new way of aligning the economic incentives of the credit bureaus with smart cyber security practices.
There are all sorts of other ideas, of course, for how lawmakers should respond to Equifax’s data disaster. But drawing on Thaler’s insights, and using economic tools to nudge the credit bureaus towards better behavior, may be one of the most promising.
Thanks as always for reading—more cyber news and fin-tech tidbits below.
Jeff John Roberts
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Hackers want loyalty points: Or so it seems based on the frequency with which cyber crooks have been hitting hotel chains. Hyatt suffered its second major data breach in two years as hackers siphoned up customer credit cards (again). Brian Krebs explains the hotel heists are likely the work of an organized crime gang whose members use tailored social engineering and custom malware.
Equi-fail so hard. It’s been another fine week for everyone’s favorite credit bureau: Equifax had to take down a web page that was serving malware; reveal yet more breaches; and suffer the suspension of its no-bid IRS contract. Meanwhile, class action suits are coming fast—and, unlike earlier breaches, Equifax will likely have to pay cold cash money.
You had one job: The idea of an “air gap” is to sequester a computer network that contains top secret information from the rest of the Internet. Someone should have explained this to Seoul, where a “ridiculous mistake” allowed South Korea-US battle plans for North Korea to remain online for a year—more than enough time for Kim Jong Un’s crowd to steal them.
Bitcoin is (still) going bananas: The popular digital currency has shaken off its September slump and is reaching absurd new heights of nearly $6,000. The latest bull run/mania appears to be driven by Japan and investment bank interest—and Coinbase’s new day trading option can’t hurt either. Crypto fans: you can always check out Fortune’s The Ledger for more news.
The end of porn privacy? The site Pornhub is using AI as part of a facial recognition program to identify and catalogue professional porn stars. Some are warning the system will be used as a copyright enforcement mechanism and, worse, that its use will quickly expand to identify amateur performers.
Need a fresh excuse for being late to work? Move to Sweden, where DDoS attacks are causing delays on train lines.
But as real as the threat of power-utility hacking may be, not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack.
—An excerpt from a Wired explanation of hacking power grids. As it turns out, there have only been two full-blown power-grid penetrations (in Ukraine and Iran) while most so-called “hacks” relate to mundane intrusions of IT systems. It takes many more steps to plunge a region into blackness, so adjust your sense of panic accordingly.