The Need for a Comprehensive Breach Notification Law (and Then Some)

While recently drilling down into trend lines regarding data breaches and cybersecurity spend, it has become readily apparent that we are flying blind regarding the true enormity of the hacking problem we are facing. That is because reporting of data breaches is driven by laws and regulations. Where those laws do not exist — or even when laws do exist but there is little to no motivation to comply with notification requirements (e.g. no large fines) — we find that breaches can easily be “swept under the rug.”

Europe now has statutory enforcement with the General Data Protection Regulation (GDPR), but for the US to not have an overarching breach notification law with teeth (i.e. major fines for failure to disclose) is very bad for a number of reasons. [Note we have a “patchwork” of various federal and state laws, but not a unified law.]

Having a centralized reporting and repository of breaches would allow us to better defend against the problem. Of course, besides reporting to a central authority that an organization got hacked, the breached organizations should also be required to provide additional detail in a timely manner on the origins and attack vectors used, the underlying applications and technologies that were accessed, the number of records breached, etc. This would give us better insight into who is being attacked, which industries or technology stacks are being most targeted, the methods the hackers are using, whether the attackers were insiders or outsiders, the country of origin of the attack, the type and amount of data that was breached, etc. This would give us a heat map of where we need to shore up our defenses.

[As noted in prior blog posts, the reality is that in the first year of GDPR, which requires breach notification and imposes big fines for failure to notify, the EU stated that approximately 90,000 breach notifications had been received. The best estimates of US-based breach reports are in the few thousand breaches occurring in the same time period. Something is messed up when Europe has reported 30x as many breaches as the best guesstimates of the number of breaches in the US — the US is clearly running blind.]

Ironically, we have national reporting of domestic crime, terrorism, etc., yet for something that impacts both our national security and the financial security and privacy of our citizens we don’t have anything comparable. Cybersecurity is not only a national security issue, given recent attacks on our election system and critical infrastructure by nation states and organized crime, but increasingly a kitchen table issue for Americans. Americans now must grapple with the impact of their financial, medical and other personal data being stolen and compromised via a growing number of data breaches of corporate and government organizations, while at the same time trying to continuously avoid the growing minefield of phishing, malware and other types of cyberattacks that indiscriminately target them in their daily use of the Internet.

It would also provide further motivation for organizations to not be on the list, i.e. having a robust breach notification law is both a carrot and a stick.

In addition, given that Americans’ personal data is increasingly being amassed by corporations and governments, citizens need to know if their personal data was breached. This would let them know to enable multi-factor authentication (which should be enabled anyway!) and/or change a password (especially if the same password is being used across multiple websites — which is a bad habit, but frequently happens). If financial data was involved, it would allow them to request a new credit card and/or make them more aware of possible suspicious transactions. It would also let them make better consumer decisions regarding which organizations can and cannot be trusted with their personal data. We are not protecting our citizens by not having a comprehensive breach notification law.

Finally, having a comprehensive and unified data breach notification law is the first step on the path towards letting citizens be able to control their personal data.

Why is that critical? Marc Andreessen famously said that “software is eating the world” and the food that software — which is what gives value to the Internet, your mobile phones, etc. — needs to consume to grow bigger and bigger and eat the world is … data. We see that trend accelerating in light that today’s hottest technology trends are machine learning, data mining, artificial intelligence, etc. — all based on the analysis of data.

Each of us is producing more and more “digital exhaust,” aka “data exhaust.” Armed with that data about you, corporations can in theory do good things for you, like present ads for vacation rental homes on an island that you were considering visiting, or recommend a type of shoe based on your searches for footwear.

But organizations can also do less benign things with your data. They can shape and influence your politics by playing on your fears via sophisticated messages tailored to your personal profile (e.g. Cambridge Analytica). Their analysis and algorithms based on that data may profile you and lead to discriminatory actions against you. They can pester you by inundating you with targeted ads. Or they can hook you on their platform in unhealthy ways, as we see with some young people on social media platforms.

And if that data is stolen by a crook, then it can be used maliciously to empty your bank accounts, do medical identity theft, blackmail you based on medical conditions, etc.

The reality is that a corporation or government can’t promise or guarantee that your data won’t be stolen. Therefore breach notification should be tied together with allowing people to gain control over their own personal data (which also includes their own digital exhaust): e.g. the right to see what personal data an organization has on you, the right to ask for that data to be deleted (aka the “right to be forgotten”) or corrected if wrong, and the ability to move that data from one entity to another (e.g. banking transaction records).

As noted in this history of the GDPR, the right to privacy in Europe was part of the 1950 European Convention on Human Rights, which states that “Everyone has the right to respect for his private and family life, his home and his correspondence.” The GDPR is an extension of that core European Union right. Compare this to the US, where, as noted by the Columbia Journalism Review, “although the U.S. Constitution’s Fourth Amendment is often broadly construed as providing a ‘right to privacy,’ the reality is that, unlike the EU, the United States ‘does not have a single, overarching data privacy and protection framework.’”

In light of today’s software world of increasing amounts of personal data, and the sharp increase in cyberattacks, that right to privacy, at least as it applies to our personal data, needs to be in place in the US. It is not, although there has been recent legislation offered up. Given that the GDPR has been offered up as the gold standard of data protection and privacy, and is what any US legislation will be compared to, I am going to drill down in more detail on GDPR in the coming blogs.
