There's an old joke that goes, "The opposite of pro is con, so the opposite of progress is Congress." Getting laws proposed and passed can be a tough job, even in a more relaxed political climate, but the current state of the US Congress makes most new legislation a hard sell, regardless of the content. That's one roadblock government advisers from the cybersecurity industry face when they press politicians to propose and pass federal data privacy laws. The other barriers are inconsistent data privacy laws in some US states.
A US version of the EU's General Data Protection Regulation (GDPR) is long overdue. GDPR is a group of strict regulations around handling, selling, and storing EU residents’ data. GDPR protects consumers’ rights to privacy and security by levying fines against companies that don’t comply.
Last week, I talked with Wade Barisoff from the cybersecurity firm Fortra about the current state of data privacy protections in the United States. Barisoff highlighted the need for federal data privacy regulations and cited the European Union’s GDPR as an effective example.
"GDPR was significant, not only because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled,” Barisoff said, “but also because it was the first legislation with real teeth.”
US consumers would benefit from federal data privacy regulations that have harsh consequences for companies that fail to comply. If you live in the United States, you may not have much control over what companies can do with your data once they get their hands on it, so take time today to lock down your accounts with multi-factor authentication and review the privacy policies of your apps.
Scrutinizing Data Breach Statistics
There's little recourse for US-based identity theft victims whose data was stolen because a US-based company failed to report a breach. In the 2022 Data Breach Report from the Identity Theft Resource Center (ITRC), CEO Eva Velasquez noted a significant disparity between the average number of breach notices issued each business day in the US (seven) and the 356 breach notices issued daily in the EU in 2021.
"Common sense tells us that data breaches are underreported in the United States," Velasquez explained in the report. "The result is individuals are largely unable to protect themselves from the harmful effects of data compromises which are fueling an epidemic—a scamdemic—of identity fraud committed with stolen or compromised information."
The Data Breach Report also states that because most state governments do not require companies to include the details surrounding data breach incidents, most US-based companies do not disclose this information at all. The ITRC concludes that businesses may not include the details surrounding these incidents to avoid future lawsuits for failing to protect consumer data. Embattled password management company LastPass earned a special mention in ITRC’s report for failing to explain the details behind a 2022 attack in which cybercriminals gained access to its customers' information.
The State of Data Privacy Laws in the United States
Barisoff told me that data privacy regulation in this country has a long history within certain industries. For example, the Health Insurance Portability and Accountability Act, or HIPAA, was signed into law in the US almost 30 years ago. It is still used to create data privacy protection policies for healthcare companies.
Barisoff told me that regulation beyond decades-old industry guidelines is difficult because capitalism is a heck of a drug. "We've never really climbed this mountain yet because data is worth money," Barisoff said. "Google has built its entire empire just on data and understanding what people are doing and selling that. There's more of a focus on capitalism, and there's a lot of powerful players here in the US that basically made their entire company off of private data."
State-Specific Data Protection Laws
Lawmakers in some states are trying to push back against tech companies by proposing and passing statewide data privacy laws. Barisoff says these laws are a start, but enforcing them may be messy. "The only consistency will be the fact that each new law is different," he noted.
We’re already seeing this effect now. Last year Texas sued Google, alleging that the tech company’s Photos and Assistant apps violated state biometric privacy laws. Residents in Illinois filed and won a similar lawsuit against Google in 2016. Barisoff says state-by-state data privacy law creation and enforcement makes it harder for companies to comply with regulations.
"As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of 'What’s good for California isn’t good enough for Kansas' creep in,” warned Barisoff.
“This developing complexity will have a significant impact on organizations operating across the country," he concluded.
Always Protect Your Personal Information
Until the federal government decides to create and enforce blanket data protections for all US citizens, you must do the work of protecting your data. You’re not on your own, though! PCMag's security analysts have recently offered a lot of advice for avoiding identity theft and finding ways to protect your personal information online. Below is a list of our best how-to guides and explanations for increasing your data privacy protections.
So You've Been Pwned: What To Do When Your Private Data Goes Public
What Else Is Happening in the Security World This Week?
Madison Square Garden CEO Defends Use of Facial-Recognition Tech. 'If you’re suing us, we’re just asking of you—please don’t come until you’re done with your argument with us,' says CEO James Dolan.
Bitwarden Warns of Scam Ads on Google Posing as the Password Manager. Users notice ads on Google Search trying to lure visitors to imposter Bitwarden sites. The company urges people to navigate to Bitwarden.com instead of relying on Google.
FBI Secretly Infiltrated Hive Ransomware Group's Network for 7 Months. The access allowed the FBI to pilfer decryption keys for the group's ransomware and hand them off to thousands of victims.
Hacker Tries to Auction Stolen League of Legends Source Code for $1 Million. The hacker reportedly demanded Riot Games pay $10 million to prevent the leak of the source code, but the company is refusing to pay.
Apple Adds Physical Security Key Option for 2FA on iPhones, iPads, Macs. Apple says an external security key can be one of the factors in two-factor authentication, adding a security layer for high-profile users vulnerable to cyberattacks.