How many data breaches will it take before our leaders accept the need for a national privacy law?
More than half a billion Facebook users, including 32 million in the United States, found out over the weekend that their personal information was accessed by hackers.
Names, birth dates, locations, phone numbers, email addresses and other information were posted on a website used by cyberthieves. The data appeared to be several years old.
Whereas disclosure of that information may pose relatively little risk to people’s privacy, the same can’t be said for a separate, more recent data breach involving the insurance company Health Net.
In that case, people’s names, addresses, birth dates, insurance numbers and confidential medical records were hacked.
No less alarming, Health Net waited two months before notifying policyholders of the incident. Two months!
The company says the servers of a third-party vendor, Accellion, were hacked between Jan. 7 and Jan. 25. Notices to policyholders were dated March 24.
“We have no reason to believe that your information was used incorrectly,” the company told customers. All this means, however, is that Health Net has no idea if anyone has been defrauded or harmed as a result of the breach.
The company is providing policyholders with a year of free credit monitoring and identity theft protection.
“Your personal information is important to us,” Health Net declared. “We regret any issue this may have caused you.” No one at the company responded to my request for further information.
I say enough is enough.
It’s time lawmakers recognized that the private-sector custodians of our personal information aren’t up to the task of keeping us safe.
It’s time that we followed Europe and even China in enacting a national privacy law that lays down clear, unambiguous rules for data collection and storage — and significant consequences for companies that come up short.
David A. Hoffman, a professor of public policy at Duke University, called a national privacy law “critical to help protect Americans.”
“Our current patchwork of federal and state laws does not provide robust, harmonized and predictable enforcement of privacy protections for individuals,” he told me.
“Instead, our laws primarily put the burden on individuals to find out who has their data.”
J.W. August is one of those individuals. The San Diego resident told me he’s been a Health Net customer “for years and years.” He was outraged when he received the company’s breach notice the other day.
“It makes me grind my teeth,” August, 76, said. “These people have my data and they’re just not responsible.
“Why isn’t something being done about this?”
That’s exactly the right question. It seems like not a week goes by without word of yet another incident in which people’s personal info falls into the hands of bad guys or spills onto the internet.
According to the Identity Theft Resource Center, there have been about 12,000 known data breaches since 2005. The number of records accessed by hackers runs close to 12 billion, according to the Privacy Rights Clearinghouse.
While the number of reported breaches declined last year from a year before, the total number of records accessed more than doubled, according to a recent report from the consulting firm Risk Based Security.
The Accellion breach that affected Health Net’s medical records also exposed the data of other big companies and organizations, including Stanford University, UC Berkeley, Kroger and the law firm Jones Day.
Obviously our existing regulatory framework — or lack thereof — isn’t up to the challenge of highly skilled and determined cybercriminals. We need to do better.
“A single national omnibus bill would be a clearer standard than what we have now,” said Richard DeMillo, chairman of Georgia Tech’s School of Cybersecurity and Privacy.
It’s not like members of Congress have to reinvent the wheel. One template they could follow is California’s Consumer Privacy Act, the strongest state privacy law in the country. A more robust California Privacy Rights Act takes effect in 2023.
Among other things, the California Consumer Privacy Act mandates that businesses tell customers what information they’ve gathered about them and to stop selling those data if requested.
More sweeping rules can be found across the Atlantic. Europe’s General Data Protection Regulation took effect in 2018 and now serves as the global standard for privacy safeguards.
Among the more noteworthy elements of the European law:
- Companies must obtain consent from customers before using or sharing their personal information. Companies must make it similarly easy for a customer to withdraw consent.
- Consumers have a right to know how their personal data are being used and to receive a free copy of any such information held by a business.
- There’s a right to be forgotten — that is, an individual can require that a business erase his or her data and make no further use of it.
- Any violation of the law can result in a fine of as much as 20 million euros (about $24 million) or 4% of the company’s annual global revenue, whichever is greater.
A key provision in light of Health Net’s feet-dragging response to the January breach is a requirement that European companies notify authorities of any data loss within 72 hours of discovering the event.
Moreover, businesses must notify customers “without undue delay” if there’s “a high risk to the rights and freedoms” of people affected by the breach. That’s a fancy way of saying you can’t keep stuff like this under your hat.
Could we see something along these lines at the national level any time soon? Probably not, said Georgia Tech’s DeMillo.
It’s hard to imagine, in the current political climate, Republicans and Democrats agreeing on even the most common-sense measures to protect people from hackers, he told me.
“Conservatives would almost certainly push for language for a weak federal law that preempts stronger state statutes,” DeMillo said.
The breaches involving Facebook and Health Net show that this problem isn’t going away, and that the existing privacy measures of many large companies (and their partners) are inadequate.
Perhaps it would take a hack attack on Congress to get lawmakers to act.
Then again, in light of the stunning inaction that followed the Jan. 6 riots, even that probably wouldn’t get us the help we need.