‘When small-business owners cheat their customers, they go to jail’

The right to privacy is finally getting its legislative time in the sun, as lawmakers across the US continue to introduce bills that may lead to the next greatest overhaul of data protection rules.

Hot on the heels of Europe’s General Data Protection Regulation (GDPR), the US is poised to pass its own all-encompassing consumer safeguards that are fit for the digital age.

“One of the things we will be looking at is GDPR. Is it working, is it not working, is it something that we may be moving to?” Republican Congressman Will Hurd told last year’s Aspen Cyber Summit in San Francisco, reports The Register.

“A year ago, the answer would have been not ‘no’, but ‘hell no’. I think more people are open to that now because of some of the breaches.”

Willingness to move towards mandatory regulation of the data practices of business has fallen in line with a slew of cyber-attacks including last year’s Marriott breach and the 2017 security incident at credit reporting agency Equifax.

Writing in The Washington Post last week, presidential hopeful Elizabeth Warren said that executives should be held criminally liable for failing to protect their customers.

Warren simultaneously proposed a bill that would see CEOs of companies generating more than $1 billion in annual revenue handed a year’s prison sentence for a first-time offense.

“When small business owners cheat their customers, they go to jail,” read the Democratic Senator’s op-ed.

“But when corporate executives at big companies oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts.”

Warren is right to highlight the glaring lack of accountability at companies like Equifax – a billion-dollar business that saw only a slump in its stock price and a basic restructuring of its executive ranks, despite the breach affecting almost half of the US population.

While the credit reporting agency was fined a comparatively measly £500,000 ($654,000) under UK data protection laws, the company has managed to avoid any fallout stateside.

This is mainly due to a patchwork of ineffective rules that fail to account for the harm done to consumers after their personal information is compromised.

Last year, Warren made her first attempt at mitigating potential harm with the introduction of the Data Breach Prevention and Compensation Act – a proposal that would require compensation of at least $100 for victims.

“The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” Warren said in a January 2018 statement.

“If companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”

The bill, however, may prove somewhat unpopular within infosec circles, with many believing that businesses – SMEs in particular – are also victims in a cyber-attack, and that further education is needed in order to keep up with the realities of fast-moving cybercriminal networks.

Joseph Lazzarotti, attorney at Jackson Lewis PC who leads the law firm’s data privacy and cybersecurity practice group, has been keeping track of the numerous bills popping up throughout the US aimed at changing the way businesses collect, use, and share consumer data.

“I guess in a way you have to draw a line somewhere because I can see both sides of it,” he told The Daily Swig, speaking about California’s Consumer Privacy Act (CCPA).

The CCPA, passed in June 2018, could penalize the poor data practices of businesses collecting personal information of 50,000 or more consumers.

“It’s possible for a company who has 20 employees to collect that information and now, all of a sudden, you have this set of requirements that says if you mess up, if you don’t put the notice on the website at the right time, or respond to requests at the right time, then you’re hit with a fine.”

The overriding view that security should be everyone’s responsibility – whether it’s the data collection business, the vendor supplying data collection technology, or the consumer generating the data to be used – has made the notion of penalization an even greater task for legislators.

“I think there’s just a growing sense in different sectors that people are starting to understand that we’ve got to protect this information,” Lazzarotti said.

“One of the reasons why the US hasn’t been able to get a national data protection law in place is because it can’t figure out what agency is going to [lead] enforcement.”

The Federal Trade Commission, the consumer protection arm of the US government, has released guidelines on how companies should respond in the event of a breach and, according to Lazzarotti, appears primed to take on an enforcement role if a national privacy legislation is to pass.

But this too has left many privacy advocates concerned, with the ACLU warning in October that any pre-emption proposal at the state level would halt the development of the stringent privacy measures that many local and state municipalities are now implementing.

“Courts and state legislators are realizing that when there’s a breach people can’t prove harm.”