At one point, those of us involved in the Obama administration’s privacy and cybersecurity policymaking thought we were just one big data breach away from a national wake-up moment. But larger and larger breaches kept coming faster without triggering widespread reaction.
The Equifax breach looks different. Even though some involved larger numbers of records, none has touched so many Americans so closely, nor produced such widespread frustration. According to Equifax, some 143 million Americans have had at least names and Social Security numbers compromised. This puts identities and credit at risk in about half the households in America.
For many consumers, it came as a shock to learn that a company many have never heard of has so much impact on them. They do not do business with Equifax, yet they can scarcely participate in today’s economic life without credit. They do have a legal right to see and correct credit data, but their options to protect their identity and credit amount simply to being watchful — not much to put people’s minds at rest.
Businesses also have reasons to be frustrated. Equifax and other credit agencies play an important role in the financial system. Financial institutions now face questions from regulators as to whether and how they have relied on compromised Equifax data, and they need to assess their vulnerability to attacks using information from Equifax data as credentials. They too are more exposed to cyberattacks because of this breach.
In the wake of the Equifax breach, demands for action have escalated almost daily. Some congressmen have re-introduced legislation establishing a baseline requirement to employ reasonable security practices and establishing national deadlines and standards for notifying regulators and consumers of data breaches.
Several senators introduced a bill to regulate data brokers like Equifax by enabling consumers to object to sale of data about them as well as requiring privacy and security policies and breach notification. State attorneys general and legislators have weighed in with similar proposals.
Such proposals address significant data privacy and security issues, but today’s world of constant and ubiquitous data collected from billions of devices demands much more.
State data breach notification laws have helped to strengthen privacy and security practices. A federal law would set a consistent standard. Nevertheless, such laws mainly address what happens after a breach has taken place.
Data brokers are the largest sector in the business of collecting data about people. They are far from the only ones, however. The advertising and marketing world is full of businesses most people have never heard of that help target individuals for other people’s messages.
Increasingly, our ambient environment is a mesh of sensors receiving streams of data sent by our devices, surveillance cameras, advertising beacons and other instruments over which we have little or no control.
The Equifax breach has put data security and data brokers in a bright spotlight. But what about the many other lines of business and data gathering that are even less touched by our patchy system of regulating privacy and security?
What about online services, connected cars and drones? Surveillance cameras employing facial recognition technology and other technologies of smart cities? What about televisions, refrigerators and other connected devices inside our homes? What about wearables, like fitness bands and smart clothing?
Technology is advancing data collection and analysis at a rate beyond anything individual consumers can control and beyond the capacity of legislation and regulation to keep pace. The same data may be subject to different rules depending on who collects it or how it is used.
Continuing to address privacy and security with a series of one-off responses is like that classic “I Love Lucy” episode where Lucy goes to work on an assembly line packing candies: As the line keeps speeding up, Lucy gets farther and farther behind; “I think we’re fighting a losing game,” she says.
Mounting frustration and discontent are fraying the trust that is essential currency for the digital economy to function.
We are overdue for a serious discussion of broader solutions that encompasses not only technologies and data uses that fall outside specific sectoral laws today, but also unforeseen ones in the future. Mounting frustration and discontent are fraying the trust that is essential currency for the digital economy to function.
In the absence of broad action by the federal government, businesses will have to adapt to a proliferation of state legislation aimed at specific issues, while many also cope with the sweeping European Union data protection legislation that takes effect next May.
The Obama administration’s Consumer Privacy Bill of Rights, outlined in a 2012 White House report and released in the form of a “discussion draft” bill in 2015, is one such solution.
It would give force of law to a set of broad principles — individual control, transparency, respect for context in which data has been shared, focused collection, security and accountability — with details fleshed out by Federal Trade Commission adjudication, codes of conduct and evolving standards.
There are suggestions of some bipartisan interest in protecting consumer privacy. For one example, in the wake of the repeal of Federal Communications Commission privacy rules for internet service providers, Rep. Marsha Blackburn (R-Tenn.), chair of a key House subcommittee, introduced a bill that would empower the FTC to enforce customer approval of data sharing by all internet companies, not just ISPs.
This is not a comprehensive baseline, but does offer another starting point for discussion. It is time take up that discussion in earnest and haste. Otherwise, American consumers and trust in American businesses will keep playing a losing game.