By Andrea Little Limbago, Chief Social Scientist, Virtru
When Toyota announced its second data breach of the year, initial signs pointed to OceanLotus (also tracked as APT32), a Vietnam-linked state-sponsored espionage group. The Marriott breach, which exposed nearly 400 million guest records, has been linked to China. These incidents continue the steady drumbeat of data breaches attributed to nation-states, but other sources of exposure are rising just as quickly. An unsecured database accidentally exposed two billion personal records, while Collection #1 and the collections that followed it together put roughly 3.5 billion user records on a hacking forum. Taken together, these compromises highlight three trends: the proliferation of attackers, the growing size of individual breaches, and the prominence of accidental exposures through misconfigured or unsecured systems. Despite this, the United States still lacks a federal privacy regulation that would incentivize better protection and security standards while introducing accountability. Absent such a law, individual states are initiating their own data protection and privacy regulations to combat these threats and shift corporate incentives.
Data protection and privacy legislation is not usually included in discussions of the latest cyber defenses and the threat landscape. It should be, because it is a core component of deterrence by denial: raising the cost and lowering the payoff of an attack by making data harder to steal and less valuable once stolen. Many new and existing authorities develop deterrence by punishment, but far less attention has gone to explicitly shifting the incentives of the organizations that hold the data so that they prioritize protecting it. In fact, "assume breach" has become the dominant defensive strategy. That posture may reflect the modern reality, but a national defensive posture will never improve if assuming compromise is the highest bar we aspire to.
Recognizing that thoughtful regulation is needed to shift incentives toward stronger defenses and data protection, and with no federal law in place, individual states have proposed or passed their own data privacy and security legislation. At a recent Senate hearing on a federal data privacy framework, the discussion highlighted the growing patchwork of regulations in the United States, including more than 90 data protection and privacy proposals currently before state legislatures. Similarly, last year Alabama and South Dakota became the final two states to enact data breach notification laws. There are now more than 50 distinct data breach notification laws in the United States, with Puerto Rico, the U.S. Virgin Islands, Guam, and Washington, DC having passed their own. Each imposes different requirements, timelines, and penalties, and the obligations can contradict one another from one jurisdiction to the next, which is a compliance burden in itself for any organization holding data on residents of several states.
The most prominent piece of state privacy legislation is the California Consumer Privacy Act (CCPA), which takes effect in 2020. The CCPA addresses both unauthorized data access and third-party data disclosure: it gives individuals a private right of action when their personal information is exposed because an organization failed to implement "reasonable security procedures and practices," and it requires organizations to disclose, and allow consumers to opt out of, the sale of their data. Accountability is core to any data protection framework because it provides the incentive that drives organizational change in favor of security. Despite the steady stream of cyber attacks and undisclosed third-party data sharing, that accountability has largely been absent in the United States.
Vermont has taken a different approach and passed a law focused on the data brokers themselves. As the Equifax and Office of Personnel Management breaches showed, organizations holding large volumes of personal data are ideal targets but may not prioritize implementing security best practices. Data brokers have largely remained off the radar while aggregating and reselling significant amounts of data about people who have no direct relationship with them. Vermont's data broker law requires brokers to register with the state, to maintain a comprehensive information security program, and penalizes them for failing to do so; it also prohibits acquiring brokered personal information through fraudulent means or for the purpose of stalking, harassment, fraud, or discrimination. It is the first law in the United States to hold large data aggregators and sellers directly accountable for data security.
Legislation introduced in Massachusetts, Washington, Colorado, and Washington, DC further reflects the movement toward greater privacy and security in the absence of a federal framework. Driven largely by the ongoing breaches as well as unauthorized data sharing, these bills explicitly aim to incentivize stronger data protection and to change how data is shared and stored, while also looking ahead to the coming challenges of biometrics, surveillance, and facial recognition. Biometric data cannot be reissued the way a password or card number can, so left unprotected it too will be a gold mine for bad actors.
Given the steady pace of security and privacy hearings on the Hill, the new state-level privacy laws, and foreign laws such as the European Union's General Data Protection Regulation, the likelihood of U.S. federal privacy regulation continues to grow. Until then, the states are setting the bar and forcing the federal government to evaluate which core components a federal law should include. A federal law will not be a silver bullet, and it requires thoughtful and deliberate input from the security community. If it makes accountability and enhanced security measures core components, federal data privacy regulation may finally give organizations the impetus to prioritize security and to stop the hemorrhaging of data that is the current status quo.
About the Author
Dr. Andrea Little Limbago is the Chief Social Scientist at Virtru, a data protection and privacy software company. She specializes in the intersection of technology, information security, and national security, focusing on the geopolitics of cybersecurity, global data protection and privacy trends, and usable security. Andrea is also the Program Director for the Emerging Technologies Program at the National Security Institute at George Mason University. She was previously the Chief Social Scientist at Endgame, a cybersecurity software company. Before that, Andrea taught in academia and was a technical lead in the Department of Defense. She earned a Ph.D. in Political Science from the University of Colorado at Boulder. Andrea can be reached on Twitter at @limbagoa and at https://www.virtru.com/ .