Lessons for America from China’s Massive Data Breach
In what is likely one of the largest data breaches in history, the Shanghai police database incident could expose data from one billion Chinese citizens. This includes sensitive data like birthplaces, phone numbers, national identification numbers and crime details. Some have questioned the scope of the breach, but at least parts of it have been verified. And all this came to light only after a hacker offered to sell the data that was allegedly left unsecured and accessible for more than a year.
This breach is comparable to about 236 million people being impacted in the United States. Given China’s quest to gather vast amounts of data on both its own citizens and Americans, it is not outside the realm of possibility that American data could be at risk; indeed, U.S. TikTok user data has reportedly been accessed in China. To make matters worse, China is apparently bad at keeping collected information secure and unavailable to the rest of the world. There are three main takeaways the United States and its citizens can rely on to help prevent and defend against similar breaches.
First, privacy laws directed at government agencies need to be reviewed to ensure they are up to date. Some agencies may not have any laws at all. Most of the talk around privacy law and regulation is directed at the private sector instead of the government, but effective and current standards for government handling of data is equally as important.
Currently, there are laws that target the privacy practices of federal agencies like the Privacy Act of 1974, and select sectoral privacy laws like HIPAA can apply to government entities. Some claim the Privacy Act needs to be updated because it reflects the technologies of the 1970s. Another problem is the Privacy Act largely does not apply to states or local government agencies, which means lawmakers and government officials should act to ensure laws appropriately cover government data practices at all levels. Fortunately, a number of state data breach notification laws have provisions for public entities.
The latest draft of the American Data Privacy and Protection Act, a comprehensive data privacy and security bill with bipartisan and bicameral support, specifically excludes governmental organizations and those collecting data for those organizations from its list of “covered entities.” The Act would still provide valuable protections and rights for individuals — like notice if a company transfers data to select countries like China — but would not apply to government entities.
Second, government entities should see this breach as the latest wakeup call and continue to take actions to improve cybersecurity at all levels. The United States has had its fair share of incidents over the past decade, from the Federal Election Commission hacked by the Chinese to the larger-scale SolarWinds cyber-attack. The police database breach reminds us how the compromise of even a single government entity can have implications for potentially years to come. If even a fraction of the records claimed to be held by the hacker exist, the privacy implications for Chinese citizens are almost unfathomable.
The same is possible if this happened to a U.S. government entity, which hold some of our most sensitive information, from healthcare data to driver’s licenses. Many of the government records live at the local, county and state levels, which are always at a cybersecurity disadvantage compared to the private sector or even the federal government. Not to mention, data breaches and incidents for public administration, like local townships and courts, continue to be a problem. In fact, public administration experiences roughly 10 percent of breaches and accounts for 12 percent of incidents across all industries.
Third, the exact scope of the data breach in China is not known. But at least some of the files included the names and passport numbers of Americans, especially Americans that have traveled to China. These individuals should be on the lookout in case their data was breached and there are steps that can be taken proactively. This could result in identity theft, credit card fraud, compromise of online accounts, or privacy concerns. For some, this may unfortunately lead to flashbacks of the Office of Personnel Management (OPM) hack.
The data breach in China — albeit substantial — is not isolated. The United States should see this as an opportunity to make improvements at home to help reduce the chance of a similar breach.
