With the recent passage of data breach notification laws in Alabama and North Dakota, all U.S. states and the District of Columbia now require that companies let us know when our personal data are breached. It only took 15 years.
It isn’t a surprise that breach notification has become the token data protection regulation in the United States. The burden on companies is minimal, requiring only that a company has knowledge of breaches and can contact customers, so it encourages better security without putting limits on how companies collect or use data. However, it’s also one of the most important from a data disaster recovery perspective. Breach notification is what lets you take steps to stem the damage of a breach — like when you cancel your credit cards — and to make informed decisions about which companies you can trust with your information. In other words, it’s far from a comprehensive fix for all data protection problems — it would not, for example, have prevented the Facebook/Cambridge Analytica scandal, which was not the result of a data breach or hack — but as an element of sound digital security policy, it’s a no-brainer best practice.
In spite of that, the U.S. Congress has yet to pass a federal breach notification law that applies to the whole country, leaving us with a patchwork of unequal state standards. Here’s a look at the current status of data breach notification in the U.S., and why we need a federal standard that shores up damage control.
The status quo: limited, hit-or-miss protections
Each of the 51 U.S. data breach protection laws has different standards and requirements, with varying levels of protection for users. There is no agreement among states about the types of data that, if breached, should trigger notification. Generally, states will require notification if a data breach includes your name as well as another data point, like your social security number, financial information, or account login details. Notably, states overwhelmingly require notification only if some sort of financial data or password information is involved.
That’s a problem because data breaches often entail other kinds of harm. A better, more rights-respecting standard — one that could be incorporated into existing state standards and a new federal law — would require companies to notify us of breaches of our personal information tied to other harms. After all, if your personal photos are leaked, your privacy has been harmed, even if there is no financial loss. The same goes for breach of data collected via an Internet of Things device, like a fitness gadget. And what about a leak of your app download history or chat records? Breaches of data in these categories are often what we care about the most, and protection of this sensitive information is even more important to marginalized populations.
In the U.S., there are established ways to recover from credit card fraud (even though they remain a headache). But we don’t have pathways for addressing leaks of other types of sensitive information. A federal notification requirement could give industry the necessary incentive to invest in developing solutions that protect our data and our rights.
Under current laws, many states have a number of exceptions to requirements to notify us when our information is leaked, so it’s (again) hit or miss on protecting us. Some exceptions are reasonable. For instance, a state may not require notification if data are breached but the compromised information is encrypted, and it’s not likely to be decrypted (although this creates some room for discretion, since some forms of encryption are more effective than others). Other exceptions are not so reasonable. Some states allow companies to skip notification if they determine that the chance of financial harm is low, even if the relevant data were otherwise breached. But a company is often not well positioned to make that kind of determination, and leaving it to a company is especially troubling when there are no requirements that a judge or other independent body evaluate the determination.
So what happens when companies fail to follow data breach rules? The consequences can be very serious, for the users and the companies. A good demonstration is what happened with Uber. In October 2016, a data breach at Uber compromised the personal information of no fewer than 57 million users (almost 1.5x the population of the state of California). For over a year, Uber hid this massive breach, and even used its vulnerability disclosure program to pay the attackers’ ransom. As a result, last month the Pennsylvania Attorney General filed a lawsuit against the company. A number of other states and countries are also investigating Uber. Even though enforcement of the law might be too little, too late to help the people affected by the breach, the investigations will likely discourage other people from using Uber and send a message to other companies: if you hide breaches like this, you will suffer losses, including the loss of reputation and users’ trust.
What we need: A better standard, applied across the nation
Given the scope of Uber’s breach, a federal standard and a federal investigation would have served us better — addressing all affected persons in the U.S., not only those living in the states that are investigating the breach. A properly crafted federal policy would help ensure that companies like Uber not only tell us when our data have been breached, but also inform us about what measures they are taking to mitigate the risk of misuse or abuse. It would also help the companies, since they would have the same minimum notification standards with which to comply. Even if some states implemented laws with additional protections, things would still be simpler than they are today, with 51 separate laws in play.
It is crucial that any new federal standard does not prevent states from adding protections. A federal breach law should create a floor of minimum standards that companies must meet, not a ceiling prohibiting tougher state enforcement. In addition, those developing the federal standard should look at the most protective standards available for guidance, at the state level and internationally. For example, in the European Union, the General Data Protection Regulation (GDPR) requires companies to notify individuals of a breach whenever there is “a high risk to the rights and freedoms of data subjects.” Not only is this a strong standard, but it also addresses notification from the perspective of the user, meaning it could apply to more than just typical financial or password data.
While it’s clear that a federal standard — especially a comprehensive and user-centric standard — would bring many benefits, it must be carefully implemented for maximal protection of our data and rights. One issue to consider is “notification fatigue,” where we would get so many notifications that we could get overwhelmed and fail to take the proper corrective actions. A federal law could direct research into this issue, examining potential solutions, including studying the way that individuals currently recover from data breaches and developing new ways to empower them.
How we get there
Members of Congress have already proposed a number of data breach notification laws, but while some proposals are better than others, none have been great for the people these laws are supposed to protect. Even one of the better efforts had provisions to preempt stronger state laws. As we wait for the right bill, ordinary people remain vulnerable and without sufficient redress under many state laws.
Complicating matters is the data privacy scandal involving Facebook and Cambridge Analytica, about which Facebook CEO Mark Zuckerberg will shortly testify before Congress. As we note above, what happened was neither a data breach nor a hack, so it wouldn’t (and shouldn’t) fall under the purview of data breach notification laws. It does, however, make clear that we may need legislation to require notification when our data are voluntarily shared with any third party.
For now, enforcement of state data breach laws can continue to serve to pressure companies to implement better data security practices, and as individuals, we can take steps to better protect ourselves in the digital environment — for example, by using different passwords for different services, regularly changing passwords, using multifactor authentication, and choosing encrypted services whenever possible. If lawmakers advance a federal data breach notification law that you should support, we will be sure to let you know.