It has taken the U.S. 16 years to enact data breach laws in every state. California led the way with the first, in 2002, to protect its citizens. Last in line was Alabama, which signed its law in March 2018. There is no overarching, consistent data breach law at the federal level; it is all handled independently by each state. This causes confusion, as there are different standards and requirements. Businesses must understand and conform to each of them, in addition to all the international privacy laws.
Over the past decade, privacy compliance has become a massive bureaucratic beast, requiring policies, lawyers, audits, and oversight to meet a sometimes vague and complex regulatory landscape that is often changing. A legion of privacy professionals now exists throughout the world.
All for Good Reason
The world of technology leapt forward beyond the limits of paper records, which were difficult to duplicate, share, and transmit. We have successfully created a world where digital information can easily be created and disseminated across the planet in the blink of an eye. This has led to the desire to gather more data on people and their behaviors. Their financial status, social influence, purchasing preferences, political viewpoints, and many other facets are valuable to influencers and product vendors.
Innovation adoption moved too fast and mistakes were made. Companies that develop products and services were far too quick to begin gathering such valuable nuggets of knowledge about their customers. Consumers and governments were lax, or greatly delayed, in establishing proper controls to protect people's data. End users were blasé about what they shared and who could obtain it, and chose to remain ignorant of how it could be used to their detriment. It all seemed harmless, until it wasn't.
Unscrupulous yet profitable data sharing crept into the mix. Criminals realized the windfall of nearly unprotected data just waited for them to scoop it up. The results began to turn the mindset of society. Data was valuable, even in the wrong hands.
People were being manipulated and treated with unfair bias, based upon private data that was now in the open. Personal financial data and healthcare records were the first major issues. Fraudsters who obtain a few select pieces of information can cause an economic tornado for victims: opening credit lines and loans, making fraudulent purchases, and even filing for fake tax refunds. Harvested login credentials and passwords opened systems and services to manipulation and hacking. Even subtle data collection, such as web browsing habits, searches, and product purchases, was used to create profiles that marketers could wield to improve sales. Recently, social media connections have been used to manipulate the attention economy and sway viewers' political and social opinions. It is a free-for-all, fueled by personal data.
Rules to Play Nice
As late as they are arriving, it has become apparent that regulations are needed to establish guardrails that will begin to force boundaries on data gathering, handling, and protection, and stem the hemorrhaging losses.
It has been a long sixteen years to get a fundamental data breach law on the books in every state. The first privacy laws in the U.S. are primarily focused on breach notification. That is only the first step. Like Europe, we must also address the collection, protection, and fair use of data, and the ability of data subjects to correct and control it. The upcoming EU General Data Protection Regulation (GDPR) is the latest version that unifies privacy regulation across the European Union. The U.S. is far more fragmented and less comprehensive.
Enforcement is also required. Stiff penalties encourage compliance and can take many forms. Regulatory fines, litigation, and customer loyalty are all plausible forces to shift protections toward users and away from self-serving entities. In the U.S. the damages for non-compliance vary but are considered minimal. The GDPR, however, can penalize a company up to 4% of its global annual turnover (or 20 million euros, whichever is higher), which establishes a new high-water mark. Overall, no one carrot or stick will be a quick fix, but progress, maturity, and stability are needed.
This is a race. We must move faster, with greater purpose, and better foresight in cooperation with businesses, consumers, and legislatures if we are to limit damages while enabling the technology everyone wants in their lives.
Interested in more? Follow me on your favorite social sites for insights and what is going on in cybersecurity: LinkedIn, Twitter (@Matt_Rosenquist), YouTube, Information Security Strategy blog, Medium, and Steemit