Speech given by Tatyana Bolton at the AGA Cybersecurity Subcommittee Virtual Session on February 25th, 2021.

Introduction 

Thank you all for having me here today, my name is Tatyana Bolton and I am the policy director for Cybersecurity and Emerging Threats at R St Institute, a think tank based in Washington, DC. I’ll start with a bit of a story.

In July 2017, the U.S. credit monitoring agency Equifax discovered that it had been hacked. Some of the most private, personal data of over 148 million Americans—including social security numbers, dates of birth and home addresses—had been digitally stolen.

But for six weeks after that breach, those 148 million Americans went about their daily lives, unaware their personal information had been stolen. That’s right, Equifax waited six weeks to make this breach public.

In that amount of time, criminal actors could have wreaked havoc with that stolen data. They could have cleared out bank accounts, opened new lines of credit, impersonated people to gain access to healthcare and education records, and so much more. The fact that hackers didn’t do any of this is because the average customer was “lucky”—as it turned out, the data had been siphoned away by the Chinese government, not your run-of-the-mill criminal hacker. Since Chinese President Xi Jinping’s goal doesn’t seem to have been opening a new line of credit at Nordstrom with my social security number, I’m in okay shape today.

I wish we could say that the U.S. learned something important from the Equifax breach—from losing the personal data of nearly half the U.S. population to our greatest long-term geopolitical adversary. But I really don’t think we did.

So I’m here to talk to you all today about the need to change the legal and regulatory structures that govern how U.S. entities understand the value of the data they hold, how they protect that data, and how they respond when that data gets attacked. This is of critical importance to state Attorneys General, as I well know having worked at the Ohio Attorney General’s Office, as you work to protect your consumers from data breaches. But unfortunately, this is an area in which the United States has long lagged behind our peers abroad. It’s something that matters for both high-level geopolitical security and the individual personal security of your average American citizen. And it’s very central to the work that you do, as Attorneys General, in shedding light on how to better protect consumers and to take action when things go wrong.

Goals and Layout

Today, I’m going to first start by briefly defining the difference between data security and data privacy. They’re not the same thing. Then, I’m going to explain what the current legal and regulatory framework looks like in the United States, and the challenges of adopting changes to our current standards.

Then, I’ll wrap by briefly touching on where AGs can make an impact in this space, what the benefits are going to be to the system and overall level of security. And how supporting both national data breach notification legislation and national data privacy/data security legislation can make your jobs easier.

Definitions

So, what is data security? Data security is what you traditionally think about when people talk about the need to protect data. It’s making sure bad actors don’t get unauthorized access to information that they can use for malicious purposes. Think firewalls and passwords.

Data privacy is something more. Privacy is the steps organizations take on their own end to store, handle, and transmit information responsibly. There are a number of ways organizations go about this. They may restrict what data they collect in the first place, as well as who has access to the data they do collect. Promoting data privacy means believing that consumers have the right to understand what data is being taken, where it is being stored, and how it is being used.

Very crudely, data security defends against outside attacks, while data privacy further ensures that data is not misused by the organizations/companies themselves. Privacy also reduces the possible consequences of data breaches, when they inevitably occur, by having less data at risk.

Data Security and Data Privacy Laws in the United States

Each state and territory of the United States has its own individual data security and data breach notification laws. This makes for 54 different laws with different definitions of what constitutes “personal data,” what security controls need to be put in place to protect said data, what constitutes a “breach,” what the deadlines are for reporting breaches, what carve outs exist, and what recourse impacted customers have.

This patchwork is confusing. It’s unwieldy. It’s not good for consumers, administrators, regulators, or even the companies themselves. And it’s also not good for Attorneys General, as I’m sure you’ve seen navigating the murky waters of existing data security and data privacy laws.

For this reason, there’s been a push building in recent years to devise one national data breach notification law and one data security and data privacy law.

It’s been done before, in other countries. The most famous is the General Data Protection Regulation (GDPR) that passed in the European Union in 2016—and which generally inspired other similar laws, like California’s state law. GDPR combines the two ideas I’ve been discussing above: it’s a data breach notification law, but it’s also a data security and data privacy law.

GDPR does a lot of things right. GDPR mandates consumers be notified of harmful breaches within 72 hours of discovery. It standardizes data breach reporting requirements across the EU and the broader European Economic Area. It mandates that organizations themselves follow certain minimum basic standards of protection and care, and that systems are designed to protect privacy rather than simply to optimize cost or business efficiency. It gives consumers additional rights to understand what of their data is collected, and to request that this information be deleted as well, or the right to be forgotten.

But there have also been some unexpected consequences of GDPR. A study found that a week after GDPR implementation, market concentration increased by 17 percent because websites dropped smaller vendors. High compliance costs imposed a disproportionate burden on small businesses, and helped companies that had larger market share already, like Google.

Legislative Progress and Failures

So why don’t we have federal data security/data privacy or data breach notification laws? Well, there are a couple main sticking points.

1. Preemption

The first big issue is whether the federal law should be able to preempt existing state laws. On the one hand, states are great incubators of ideas and it is clear through your work that individual state action can have significant benefits for consumers. In our federated system, states should have the power to iterate and improve on national legislation. The federal government isn’t the end-all, be-all of all action. Some states may have stronger legislation than federal legislation. On the other hand, multiple state laws create a patchwork of laws that conflict and overlap. This produces a greater burden on businesses, consumers, and regulators. At best, contradictory state laws impose a heavy regulatory and administrative burden on companies looking to navigate them and confuse consumers trying to understand their rights, and in your case, prevent Attorneys General from banding together to protect consumer data rights and privacy.

I argue that a federal law should be passed, and should preempt state laws. Reducing regulatory burden and creating a cohesive set of rules is more important in this case than protecting states’ abilities to incubate and innovate new laws. Without preemption, it is very unlikely that we will get the consensus we need to pass a national law.

2. Private Right of Action

The second sticking point is, of course, the issue of penalties and enforcement. One of the key concerns is whether individuals should have the right to directly take to court companies that mishandle their data, collect it inappropriately, or lose it in a breach. This is the question of whether or not we should have a private right of action.

On one hand, without some type of penalty mechanism, you cannot have safe and free flow of commerce—you see this outside of the United States in countries where enforcement mechanisms are lacking, like Russia and Brazil. On the other hand, it’s a stifling burden on businesses as they contend with tens or, in the case of an Equifax, even hundreds of thousands of possible individual cases in the event of a breach. We’ve seen how this has failed in medical malpractice nuisance suits, which can bring a bad reputation to the name of attorneys.

We’re going to need to find a way to split the difference and learn from our experience. One idea that’s been floated in Congress is to allow a limited private right of action in the case of death, bodily injury, or wrongful imprisonment abroad as a result of a governed entity’s action.

Both extremes—that is, allowing for an unlimited private right of action or none at all—are wrong. We need a reasonable middle ground that reduces nuisance suits without taking away the right of individuals who are harmed to seek redress.

What can AGs do to protect privacy and consumer data

Having national data privacy, data security and data breach laws, instead of our current state-by-state legislative patchwork, will help provide regulatory certainty to businesses, customers, and state Attorneys General. After all, it’s much easier to navigate uniform federal laws detailing how data should be protected and who can and cannot sue once data is breached, reducing the number of frivolous lawsuits and allowing all of you to focus on the most significant and serious cases.

Having a unified national framework also makes it easier for the states to unite in a combined lawsuit, as AGs have done most recently on the issue of payday lenders and monopolistic tech practices. It is much more effective for states to come together in the case of a breach than having 50 states suing separately over different violations of their respective laws.

Conclusion 

We are within striking distance of solving these problems partly by paving the way to create a national data security and data privacy law, and to create a standardized breach notification law. What this will require is some serious efforts in consensus and compromise at both state and national levels to reach the broader goal of implementing a lasting and effective data security and privacy framework in the US. Accomplishing this objective would serve the public, the private sector, and the work of Attorneys General in the long-term.