Building Trust 5 December 2017

Will Uber Drive Us to Federal Breach Legislation?

By Craig Spiezle, Former Strategic Advisor

Over the past six months we have witnessed an unparalleled level of questionable business practices resulting from data breaches. Trusted brands such as Uber, Equifax and others, which have been entrusted with significant amounts of personal data, have failed the American public. The breach missteps and follies only continue. Each time, most of us within the security and privacy communities have rolled our eyes in disbelief.

While it is important that we do not victimize the victims, and that we acknowledge there is no perfect defense, it is equally important for organizations to be prepared for an incident and to be transparent about how they respond. Every organization has an implied and legal responsibility to apply best practices to help prevent incidents, detect events, and be prepared to respond and remediate the impact. Judging by these past incidents, the concept of data stewardship and accountability has gone by the wayside. All too often these organizations are caught flat-footed, or attempt to hide the incident for a range of what appear to be self-serving reasons. Perhaps they have recognized that the current regulatory landscape has few meaningful ramifications, or that they will not be held personally accountable. Self-regulation appears to be failing, and the existing regulatory construct does not appear to be a deterrent or to be taken seriously by executives and their boards. In the case of Yahoo and Equifax, the CEOs walk away with millions of dollars while the impacted consumers are left on their own.

With each major breach event I have hoped it would be a watershed moment, becoming a catalyst for change. Today US companies are faced with a complex mosaic of 48 State breach laws, plus several sectoral regulations. While nearly everyone complains about the challenge of navigating this maze of regulations, no progress toward a national breach regulation has occurred. Ironically, there is generally rough consensus on several key requirements, defining: 1) reasonable baseline security, 2) personal or covered information, 3) notification triggers and requirements, and 4) remedies. Having personally worked on over a dozen such draft bills, I have been disappointed at how partisan efforts and trade groups have driven these efforts off the road, ignoring the impact on consumers.

I am hopeful this time it will be different. The allegations against Equifax and Uber have ratcheted the issue to new heights. On May 26, 2018 the EU Data Protection Directive (GDPR) will be enforceable. While many companies will be prepared, the vast majority will not be, nor do they recognize the risks. Technically, they only need a single resident of the EU for the regulations to kick in. GDPR requires regulators to be notified within 72 hours of learning of an incident, while US companies have shown disregard, in some cases taking 6 to 12 months. The US is, by and large, sadly behind the rest of the world in recognizing privacy rights and data breach reporting requirements.

Last week the Senate Commerce Committee ranking chair Senator Bill Johnson (FL-D) proposed legislation making it a criminal act not to disclose such data breaches. This has the potential to wake up the C-suite. As we look forward to new legislation, I propose legislation be modeled after CAN-SPAM (the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003”). Enacted in 2004, CAN-SPAM is a single Federal law, pre-empting individual State laws while permitting a State right of enforcement. Primary enforcement would be left to the Federal Trade Commission, and State Attorneys General could join in actions or file on their own. Similarly, there needs to be a penalty that does not rely on harm or damages being proven. We need to take the best from leading States such as California, New York, Massachusetts and others. As a benefit to industry, such legislation should also provide safe harbor from Federal and State laws, as well as from the threat of class-action suits, to companies that have employed reasonable security and are in full regulatory compliance.

At the end of the day both consumers and business will benefit from federal breach legislation. Having a consistent set of rules and regulations will raise the bar of breach prevention and readiness, save tens if not hundreds of thousands of dollars in legal costs, and, most importantly, enhance consumer protection and expedite timely notifications.

Who knows, perhaps in the long run we might be able to “thank” Uber for driving us to this destination.

Craig Spiezle

Managing Director, Agelight Advisory Group
Chairman Emeritus, Online Trust Alliance
Follow Craig on Twitter @craigspi

Note: The views expressed in this op-ed do not necessarily reflect those of the Internet Society.