[BreachExchange] No more waiting: it’s time for a federal data breach law in the U.S.

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 11 22:18:32 EDT 2018


https://www.accessnow.org/no-more-waiting-its-time-for-a-federal-data-breach-law-in-the-u-s/

With the recent passage of data breach notification laws in Alabama and
North Dakota, all U.S. states and the District of Columbia now require that
companies let us know when our personal data are breached. It only took 15
years.

It isn’t a surprise that breach notification has become the token data
protection regulation in the United States. The burden on companies is
minimal, requiring only that a company has knowledge of breaches and can
contact customers, so it encourages better security without putting limits
on how companies collect or use data. However, it’s also one of the most
important from a data disaster recovery perspective. Breach notification is
what lets you take steps to stem the damage of a breach — like when you
cancel your credit cards — and to make informed decisions about which
companies you can trust with your information. In other words, it’s far
from a comprehensive fix for all data protection problems — it would not,
for example, have prevented the Facebook/Cambridge Analytica scandal, which
was not the result of a data breach or hack — but as an element of sound
digital security policy, it’s a no-brainer best practice.

In spite of that, the U.S. Congress has yet to pass a federal breach
notification law that applies to the whole country, leaving us with a
patchwork of unequal state standards. Here’s a look at the current status
of data breach notification in the U.S., and why we need a federal standard
that shores up damage control.

The status quo: limited, hit-or-miss protections

Each of the 51 U.S. data breach protection laws has different standards and
requirements, with varying levels of protection for users. There is no
agreement among states about the types of data that, if breached, should
trigger notification. Generally, states will require notification if a data
breach includes your name as well as another data point, like your social
security number, financial information, or account login details. Notably,
states overwhelmingly require notification only if some sort of financial
data or password information is involved.

That’s a problem because data breaches often entail other kinds of harm. A
better, more rights-respecting standard — one that could be incorporated
into existing state standards and a new federal law — would require
companies to notify us of breaches of our personal information tied to
other harms. After all, if your personal photos are leaked, your privacy
has been harmed, even if there is no financial loss. The same goes for
breach of data collected via an Internet of Things device, like a fitness
gadget. And what about a leak of your app download history or chat records?
Breaches of data in these categories are often what we care about the most,
and protection of this sensitive information is even more important to
marginalized populations.

In the U.S., there are established ways to recover from credit card fraud
(even though they remain a headache). But we don’t have pathways for
addressing leaks of other types of sensitive information. A federal
notification requirement could give industry the necessary incentive to
invest in developing solutions that protect our data and our rights.

Under current laws, many states have a number of exceptions to requirements
to notify us when our information is leaked, so it’s (again) hit or miss on
protecting us. Some exceptions are reasonable. For instance, a state may
not require notification if data are breached but the compromised
information is encrypted, and it’s not likely to be decrypted (although
this creates some room for discretion, since some forms of encryption are
more effective than others). Other exceptions are not so reasonable. Some
states allow companies to skip notification if they determine that the
chance of financial harm is low, even if the relevant data were otherwise
breached. But a company is often not well positioned to make that kind of
determination, and leaving it to a company is especially troubling when
there are no requirements that a judge or other independent body evaluate
the determination.

So what happens when companies fail to follow data breach rules? The
consequences can be very serious, for the users and the companies. A good
demonstration is what happened with Uber. In October 2016, a data breach at
Uber compromised the personal information of no fewer than 57 million users
(almost 1.5x the population of the state of California). For over a year,
Uber hid this massive breach, and even used its vulnerability disclosure
program to pay the attackers’ ransom. As a result, last month the
Pennsylvania Attorney General filed a lawsuit against the company. A number
of other states and countries are also investigating Uber. Even though
enforcement of the law might be too little, too late to help the people
affected by the breach, the investigations will likely discourage other
people from using Uber and send a message to other companies: if you hide
breaches like this, you will suffer losses, including the loss of
reputation and users’ trust.

What we need: A better standard, applied across the nation

Given the scope of Uber’s breach, a federal standard and a federal
investigation would have served us better — addressing all affected persons
in the U.S., not only those living in the states that are investigating the
breach. A properly crafted federal policy would help ensure that companies
like Uber not only tell us when our data has been breached, but also inform
us about what measures they are taking to mitigate the risk of
misuse/abuse. It would also help the companies, since they would have the
same minimum notification standards with which to comply. Even if some
states implemented laws with additional protections, things would still be
simpler than they are today, with 51 separate laws in play.

It is crucial that any new federal standard does not prevent states from
adding protections. A federal breach law should create a floor of minimum
standards that companies must meet, not a ceiling prohibiting tougher state
enforcement. In addition, those developing the federal standard should look
at the most protective standards available for guidance, at the state level
and internationally. For example, in the European Union, the General Data
Protection Regulation (GDPR) requires companies to notify individuals of a
breach whenever there is “a high risk to the rights and freedoms of data
subjects.” Not only is this a strong standard, but it also addresses
notification from the perspective of the user, meaning it could apply to
more than just typical financial or password data.

While it’s clear that a federal standard — especially a comprehensive and
user-centric standard — would bring many benefits, it must be carefully
implemented for maximal protection of our data and rights. One issue to
consider is “notification fatigue,” where we would get so many
notifications that we could get overwhelmed and fail to take the proper
corrective actions. A federal law could direct research into this issue,
examining potential solutions, including studying the way that individuals
currently recover from data breaches and developing new ways to empower
them.

How we get there

Members of Congress have already proposed a number of data breach
notification laws, but while some proposals are better than others, none
have been great for the people these laws are supposed to protect. Even one
of the better efforts had provisions to preempt stronger state laws. As we
wait for the right bill, ordinary people remain vulnerable and without
sufficient redress under many state laws.

Complicating matters is the data privacy scandal involving Facebook and
Cambridge Analytica, about which Facebook CEO Mark Zuckerberg will shortly
testify before Congress. As we note above, what happened was neither a data
breach nor a hack, so it wouldn’t (and shouldn’t) fall under the purview of
data breach notification laws. It does, however, make clear that we may
need legislation to require notification when our data are voluntarily
shared with any third party.

For now, enforcement of state data breach laws can continue to serve to
pressure companies to implement better data security practices, and as
individuals, we can take steps to better protect ourselves in the digital
environment — for example, by using different passwords for different
services, regularly changing passwords, using multifactor authentication,
and choosing encrypted services whenever possible. If lawmakers advance a
federal data breach notification law that you should support, we will be
sure to let you know.