Column: Months after Equifax data breach, we’re still no closer to privacy protections
This is the year privacy safeguards finally kick in for consumers after outraged lawmakers wasted no time passing legislation in the wake of the Equifax data breach, which exposed the personal information of more than 145 million Americans.
I’m just kidding.
After lots of huffing and puffing for the cameras, Republican lawmakers have blocked all legislation aimed at improving privacy protections or holding companies more accountable for the loss of people’s info.
Contrast this with what’s happening in Europe, where, all kidding aside, this year really will mark a major milestone as sweeping new privacy rules, known as General Data Protection Regulation, are implemented throughout the European Union.
Adding insult to injury, U.S. multinationals will spend big bucks complying with the new European rules and watching the backs of EU residents, while their attention to Americans’ privacy will be largely unchanged, which is to say they’ll make as little effort as legally possible keeping our data under wraps.
“Are Americans going to be left behind in terms of privacy? You bet,” said Herb Lin, a senior research scholar at Stanford University’s Center for International Security and Cooperation.
We found out in September that hackers had penetrated Equifax’s defenses and gained access to the names, Social Security numbers, birth dates and addresses of tens of millions of people, which the credit agency’s then chief executive, Richard Smith, called “a disappointing event for our company.”
If Equifax was disappointed, consumers were downright mortified, not least because the hacking apparently was discovered by the company in July and it took the company more than a month to notify the public.
During that month, several senior Equifax executives, including the chief financial officer, sold off nearly $2 million worth of stock. After the breach was revealed, the company’s share price plunged more than 33%. Equifax insists the execs didn’t know about the hacking when they cashed in.
Rep. Greg Walden, the Republican chairman of the House Energy and Commerce Committee, promised at an October hearing to hold Equifax accountable for putting people’s privacy in jeopardy.
“It’s like the guards at Fort Knox forgot to lock the doors and failed to notice thieves emptying the vaults,” he declared, adding that he expected the company to cooperate with “particular legislation that arises out of this horrific breach.”
As it turned out, it was Walden and other Republicans who chose not to cooperate.
Several bills were introduced by Democratic lawmakers requiring companies to quickly notify customers of a security breach and to provide effective protections, such as no-cost credit freezes.
Those bills went nowhere as Republicans concentrated instead on cutting taxes for Equifax and other corporations, and amid pushback from industry groups, which rejected the prospect of increased oversight and regulation.
“The Equifaxes of the world are too powerful, and we have a business-friendly Republican Congress,” Lin told me. “They’re loath to impose regulations that could impede commerce.”
Yet a free market for people’s personal information is little more than a shopping mall for hackers. There have been nearly 8,000 known data breaches since 2005 involving more than 10 billion records, according to San Diego’s Privacy Rights Clearinghouse.
That’s a high price to pay for unimpeded commerce.
Now look at Europe and the General Data Protection Regulation, or GDPR, which takes effect in May.
The basic idea behind the law is that life is different in the digital age and we need rules that reflect the changed circumstances and that can help the little guy stand up to corporate behemoths seeking to profit from people’s data.
“The GDPR is a monumental step forward,” said Bart Huffman, a partner in the Information Technology, Privacy and Data Security Group of the international law firm Reed Smith. He called this “a watershed moment for privacy law.”
Among the more noteworthy elements of the European rules:
- Companies must obtain consent from customers before using or sharing their personal information, and this approval must be sought in clear, easily understood language. Companies must make it similarly easy for a customer to withdraw consent, if desired.
- Customers must be notified of any security breach within 72 hours if the privacy incursion is likely to “result in a risk for the rights and freedoms of individuals,” which is a sufficiently broad definition as to require notice in virtually all instances.
- Consumers have a right to know how their personal data is being used and to receive a free copy of any such information held by a business.
- There is a right to be forgotten — that is, an individual can require that a business erase his or her data and make no further use of it.
Perhaps most important, the General Data Protection Regulation has teeth. A violation of the law can result in a fine of up to 20 million euros ($24 million) or 4% of the company’s annual global revenue, whichever is greater.
As an example of what’s at stake, Apple reported $229 billion in worldwide sales in the fiscal year that ended in September. Four percent of that total is about $9 billion.
Kristen Eichensehr, an assistant professor at UCLA School of Law who specializes in cybersecurity issues, said the Europeans begin any privacy discussion with a presumption that individuals have a right to control their personal information.
“We don’t have a similar right in this country,” she observed.
For that reason, Eichensehr said, “it’s hard to imagine much of what Europe is doing being implemented in the U.S.”
Every expert I spoke with said the same. In the current political climate, there’s virtually no chance of enacting privacy protections at the federal level. Instead, it will be up to states to pass whatever pro-consumer rules they can muster.
That’s good news for Equifax.
You’re pretty much on your own.