Matt McCoy, Legaltech News

Edelson scholarship winner Matt McCoy argues that the federal system is not as nimble and not as fit to regulate data security as state law.

Matt McCoy is a student at the University of Washington School of Law and a current extern at the Federal Trade Commission focusing on data breach, security, and malware cases. He wrote this article as part of his application for the Edelson PC Consumer Privacy Scholarship, and, as one of three winners, received $2,500 towards law school tuition.
Data breaches are now commonplace. The new normal.
Just before I sat down to write this, data at the Muslim dating site Muslim Match was breached, resulting
in user login credentials and conversations between users becoming public. This
type of data is inherently and intensely private information. And now, it is
there for the world to see.
Yes, consumer privacy is a new and quickly evolving
field, but this statement is a red herring. The biggest privacy issue we face
as consumers is a data breach. It is true now, will be true in five years, and
will continue to be true until our society shifts from its current, complacent
manner. New technologies will come and go, but they will all collect data.
Ironically, the absence of federal law in this area
has been a blessing and has forced states to be the innovators of policy. For
instance, California's data breach notification law was a novel idea in 2002,
and now 47 states, Washington D.C., and some U.S. territories have them. State
governments are in a sense better situated to regulate the quickly evolving
field of consumer privacy because they are more nimble and more responsive to
their democratic electorate than a log-jammed federal Congress and an appointed
federal administrative bureaucracy. Moreover, because data and its collection
seamlessly transcend borders and jurisdictions, many companies are compelled
to follow the most stringent state policies to avoid the costs of a piecemeal,
user-by-user approach to compliance.
We are therefore presented with a Brandeisian utopia
where the states are laboratories for change, and the most restrictive state
law in any specific instance, and for any specific data type, effectively
becomes quasi-federal law. This gives any one state the power to move the ball
forward, and enables its Attorney General to become an FTC-like, nationwide
enforcer. This "patchwork" of states' laws allows consumer privacy
protections to be updated quickly as consumer needs evolve.
But this patchwork does have its detractors, and
intermittently federal data breach and security laws have been introduced to
fold everything into one standard. However, as mentioned previously, the
federal system is not as nimble, and is not fit to regulate this industry as
the only dog in town. It is important that the state laboratories are kept
intact, and allowed to innovate.
The evolution of data breach notification laws is an
excellent example. The language of the first generation statutes, attempting to
remedy financial identity theft in the early 2000s, included only individuals'
names in combination with their Social Security numbers, state-issued
identification numbers, or financial account numbers and login credentials. But,
as the California Attorney General's 2012 data breach report notes, this
was woefully inadequate: California law enforcement suffered a data breach
after an employee's email address and password combination was stolen in
another site's breach, yet received no notification because that breach fell outside
the statute's scope. The report advocated that passwords combined with a
username or email address be included in the scope of California's data breach notification law, and the
legislature listened, making it law the following year. Many other states have
since followed suit.
Not only would a pre-emptive federal bill kill this
policy innovation, it may not even include it. Take, for instance, Senator Bill
Nelson's proposed legislation, Senate Bill 177. This bill,
which only covers email address and password combinations when attached to
the individual's first and last name, would pre-empt state breach notification
law. If this were to pass, all protection gained from California's 2013 bill
would be gone, unless an individual's name is attached.
A comparison of the current data breach landscape,
which includes massive social media data sets containing hundreds of millions
of account passwords and associated email addresses, illustrates where this
approach falls short. The Myspace breach involved over 300 million consumers'
email addresses and password combinations, but notification would not be
required because such data is not covered under the federal law, and the federal
law would nullify the already-existing protections of the various state laws.
This is absurd. The damage these types of breaches can
do to consumers is obvious, and consumers should be protected. People reuse
passwords. This is common knowledge. Given the massiveness of these breaches,
it is a statistical certainty that many users reused these login credentials
for other sites, and perhaps even for the personal email accounts
themselves. And given access to these data sets, it is trivial to run a script
automating logins at various other sites.
It is trivial, it is statistically certain, and it has
already happened. Mark Zuckerberg was hacked. The National Football League got hacked. GitHub Inc.
was the target of a password automation attack, and it is likely that other
sites were too but lacked the security presence to detect it, or worse,
did not see the business case to disclose it.
If a company incurs a breach consisting of just email
address and password information, it should be required to disclose the
breach to its users. It is thanks to state innovation, made possible by the absence of
federal law, that this is already the law.
But even if a federal data breach notification law
included this, as well as an amalgamation of the strictest standards currently
existing, it would still be a detriment if it also pre-empted state law.