The past six months we have witnessed an un-paralleled level of questionable business practices resulting from data breaches. As trusted brands, Uber as well as Equifax and others, who have been entrusted with significant amounts of personal data have failed the American public. The breach missteps and follies only continue. Each time most within the security and privacy communities have rolled our eyes in disbelieve.
While it is important we do not victimize the victims, and acknowledge there is no perfect defense. At the same time it is equally as important for organizations to be prepared for an incident and be transparent on how they respond. Every organization has an implied and legal responsibility to apply best practices to help prevent incidents, detect events and be prepared to respond and remediate the impact. Judging by these past incidents the concept of data stewardship and accountability has gone by the way side. All too often these organizations are caught flatfooted, or attempt to hide the incident for a range of what appears as self-serving reasons. Perhaps they have recognized the current regulatory landscape has little meaningful ramifications or that they will not be held personally accountable. Self-regulation appears to be failing and the existing regulatory construct does not appear to be a deterrent or taken seriously by executives and their boards. In the case of Yahoo and Equifax, the CEO’s walk away with millions of dollars while the impacted consumers are left on their own.
With each major breach event I have hoped it would be a watershed moment, becoming a catalyst for change. Today US companies are faced with a complex mosaic of 48 State breach laws, plus several sectorial regulations. While nearly everyone complains about the challenge to navigate this maze of regulations, no progress to develop a national breach regulation has occurred. Ironically, generally there is rough consensus on several key requirements defining; 1) reasonable baseline security, 2) personal or covered information, 3) notification triggers and requirements and 4) remedies. Having personally worked on over a dozen such draft bills, I have been disappointed how partisan efforts and trade groups have driven these efforts off the road, ignoring the impact on consumers.
I am hopeful this time it will be different. The allegations against Equifax and Uber have ratcheted the issue to new heights. On May 26, 2018 the EU Data Protection Directive (GDPR) will be enforceable. While many companies will be prepared, the vast majority will not be, nor do they recognize the risks. Technically they only need a single resident of the EU for regulations to kick in. GDPR requires regulators to be notified within 72 hours of learning of an incident, while US companies has shown disregard and taking in some cases 6 to 12 months. The US is by and large sadly behind the rest of the world recognizing privacy rights and data breach reporting requirements.
Last week the Senate Commerce Committee ranking chair Senator Bill Johnson (FL-D), proposed legislation making it a criminal act to not disclose such data. This has the potential to wake up the C-suite. As we look forward to new legislation, I propose legislation be modeled after CAN-SPAM the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003). Enacted in 2004, CAN-SPAM is a single Federal Law, pre-empting individual State Laws, permitting State right of enforcement. Primary enforcement would be left to the Federal Trade Commission and State Attorney Generals could join in actions or file on their own. Similarly, there needs to be a penalty, not relying on harms or damages be proven. We need to take the best from leading States such as California, New York, Massachusetts and others. As a benefit to industry such legislation should also provide safe-harbor from Federal and State laws as well as the threat of class-action suits to companies who have employed reasonable security and are in full-regulatory compliance.
At the end of the day both consumers and business will benefit from federal breach legislation. Having a consistent set of rules and regulations will raise the bar of breach prevention and readiness, saves tens if not hundreds of thousands of dollars in legal costs, while most importantly enhancing consumer protection and expediting timely notifications.
Who knows, perhaps in the long run we might be able to “thank” Uber for driving us to this destination.
Note The views expressed in this op-ed do not necessarily reflect those of the Internet Society.