Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Data Safety. Security. Show all posts

Protect Your Online Data Now, Rather than Waiting for the Government

 

The old joke goes, "The opposite of pro is con, so the opposite of progress is Congress." Getting laws proposed and passed can be difficult even in a more relaxed political climate, but the present state of the US Congress makes most new legislation, regardless of content, a difficult sell. That is one of the challenges that government advisers from the cybersecurity industry face when urging politicians to suggest and pass federal data privacy laws. Other obstacles include inconsistent data privacy laws in some US states.

It's long past time for the United States to adopt the EU's General Data Protection Regulation (GDPR). GDPR is a set of stringent rules that govern how EU residents' data is handled, sold, and stored. GDPR protects consumers' privacy and security rights by imposing fines on companies that fail to comply.

In conversation with Wade Barisoff of the cybersecurity firm Fortra (Opens in a new window) last week about the current state of data privacy protections in the United States. Barisoff emphasized the importance of federal data privacy regulations, citing the European Union's GDPR as an effective example.

"GDPR was significant, not only because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled,” Barisoff said, “but also because it was the first legislation with real teeth.”

Consumers in the United States would benefit from federal data privacy regulations that enforce severe penalties on companies that fail to comply. If you live in the United States, you may not have much control over what companies can do with your data once they have it, so lock down your accounts with multi-factor authentication and evaluate the privacy policies of your apps today.

Analyzing Data Breach Statistics

There is little recourse for victims of identity theft in the United States whose data was stolen because a company in the United States failed to report a breach. In the Identity Theft Resource Center's (ITRC) 2022 Data Breach Report(Opens in a new window), CEO Eva Velasquez noted a significant disparity between the average number of breach notices issued each business day in the US (seven) and the 356 breach notices issued daily in the EU in 2021.

"Common sense tells us that data breaches are underreported in the United States," Velasquez explained in the report. "The result is individuals are largely unable to protect themselves from the harmful effects of data compromises which are fueling an epidemic—a scamdemic—of identity fraud committed with stolen or compromised information."

Based on the Data Breach Report, since most state governments do not require companies to include factual data surrounding data breach incidents, the majority of US-based companies do not publish this information at all. According to the ITRC, businesses may choose not to include the details surrounding these incidents in order to avoid future lawsuits for failing to protect consumer data. LastPass, the embattled password management company, was singled out in the report for failing to explain the details of a 2022 attack in which cybercriminals gained access to its customers' information.

The Legal Status of Data Privacy in the United States

According to Barisoff, data privacy regulation in the United States has a long history in certain industries. In the United States, for example, the Health Insurance Portability and Accountability Act, or HIPAA, was signed into law nearly 30 years ago. It is still used to develop data privacy policies for healthcare organizations. Barisoff told me that going beyond decades-old industry guidelines is difficult because capitalism is such a powerful drug.

"We've never really climbed this mountain yet because data is worth money," Barisoff said. "Google has built its entire empire just on data and understanding what people are doing and selling that. There's more of a focus on capitalism, and there's a lot of powerful players here in the US that basically made their entire company off of private data."
 
Some state legislators are attempting to retaliate against tech companies by proposing and passing statewide data privacy legislation. According to Barisoff, these laws are a beginning, but imposing them may be difficult. "The only consistency will be that each new law is different," he noted.

This effect is already being felt. Texas sued Google last year, claiming that the company's Photos and Assistant apps violated state biometric privacy laws. In 2016, residents in Illinois filed and won a similar lawsuit against Google. According to Barisoff, the creation, and enforcement of state-by-state data privacy laws makes it more difficult for businesses to comply with regulations.

"As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of 'What’s good for California isn’t good enough for Kansas' creep in,” warned Barisoff. 

"This developing complexity will have a significant impact on organizations operating across the country," he concluded.