Image: npr.org
Six months ago the EU General Protection of Data Regulation (GDPR) was implemented setting major fines if user data was not adequately protected. The GDPR required that users be able to ‘opt in’ for their use of their data – which is why users see cookie permission screens when they access a web site. The regulation gives users primary control over their data, and where it is stored. Information on a user must be stored in a non-identified manner. Breaches must be immediately fixed and reported within 72 hours. Companies are required to have a Data Protection Officer person who is responsible for GDPR enforcement and support to users. Users can require that their data be erased at any time. Individuals can request a portable copy of their data as well. Violators of the GDPR can be fined up to 20 million Euro or 4 % of their annual revenues.
Seer Interactive has surveyed both EU and U.S. sites and found that EU sites were much more secure than U.S. sites. Using simple Google index commands experts were able to glean usernames, addresses, phone numbers, and dollar figures of purchases or donations.
Source: Statista – 2018
Data breaches reached a peak in 2017 at 1,579 incidents with over 178 million records accessed. A super incident occurred at Yahoo with over 1 billion records accessed in 2017. In 2015 Experian, suffered a data breach exposing 15 million records. About 1 year ago, Equifax was hacked exposing over 143 million user records including social security numbers, addresses, phone numbers and bank account information. Hearings were held by Congress but nothing happened. Except that Equifax tried to fix the problem and eventually gave into offering a free account freezing service after major backlash at charging for the service. Identity theft is a huge issue it is the most common type of data breach at 59 % of all data incidents. There are reports of a new trend in identity theft by perpetrators sending a ransom email after an account has been hacked showing a user’s account and password, then threatening to post private information unless a major sum is not transferred to a Bitcoin account immediately.
Next steps:
Senator Mark Warner – (D-VA) declared after the Equifax incident, “It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans,” We agree data breaches of the Equifax and Yahoo magnitude are a real threat to the economic security of all Americans.
So, what has Congress done about making corporations running the Internet accountable to users for their lack of data protection? Nothing. Though two Democratic senators have tried to get legislation passed to protect users.
Senator Elizabeth Warren – (D-MA) and Senator Warner introduced legislation in January of this year to hold credit reporting agencies accountable for data breaches and user data protection.
The bill, called “The Data Protection and Compensation Act” would hold credit reporting agencies (CRAs) accountable for safeguarding all consumer information. The bill establishes oversight by the FTC on cyber security at CRAs. In addition, when breaches occur penalties are awarded $100 per consumer and an additional $50 per consumer personal identification record exposed. In the Equifax case, the penalty would total $1.5 billion. The FTC is instructed to use 50 % of the award to compensate consumers who were victims of the breach. In addition we believe that provisions should be inserted in every User Agreement requiring that the service provider be accountable to the user, make good any harm done and report directly to the user that their account has been hacked within 24 hours.
We do have a new House of Representatives being sworn in this January, where Democrats hold a majority, so it is possible that transforming legislation like the Warren – Warner bill could be introduced. Yet, the Senate looks to be controlled by the GOP next year so any likelihood of passage with President Trump in power is nil. Yet, we need to keep this issue in front our our political leaders and continue the national discourse because today Internet corporations are too complacent and will continue to be until penalties have teeth to wake them up to the priority of protecting user data tightly.