Data Security
Background
Securing personal data is essential to protecting individual privacy and human rights: it prevents breaches, guards against misuse, and protects the integrity of information.
Data security concerns become more severe when sensitive data, or a large volume of data about an individual, is processed, because such data can be misused for more targeted and potentially harmful purposes. The proliferation of data and the inferences drawn from big data bring data security to the forefront. "Big data" is a term for the collection of large and complex datasets and the analysis of those datasets to build profiles or track patterns. With these advances in data collection and interpretation come new vulnerabilities and unprecedented risks. Traditional privacy and cybersecurity protections often fail to cover big data fully, necessitating new forms of data security.
According to the National Cybersecurity Center of Excellence, “Data security is the process of maintaining the confidentiality, integrity, and availability of an organization’s data in a manner consistent with the organization’s risk strategy.” This process involves “preventing unauthorized access, data corruption,” and other kinds of attacks and breaches, such as botnet compromise and ransomware.
Lack of Federal Data Security Requirements
Despite the myriad threats to data security, the United States has not established cohesive federal data security requirements. The EU's General Data Protection Regulation (GDPR) mandates data security and breach response measures, strengthening the fundamental rights of individuals and putting consumers back in control of their personal data, but American data subjects lack similar rights. In fact, the United States remains one of the few democracies in the world with no national data protection agency and no comprehensive federal data privacy law.
In the absence of a U.S. data protection agency, the task of regulating and safeguarding data has been spread across various state and federal entities. For general online privacy enforcement, regulatory responsibility has fallen chiefly to the Federal Trade Commission. However, as EPIC states in its 2021 report “What the FTC Could Be Doing (But Isn’t) To Protect Privacy,” there are significant limitations inherent in the patchwork of data protection powers at the FTC’s disposal. This is true despite fundamental similarities across existing data security frameworks, as EPIC notes in Section 6 of its 2022 FTC comment Disrupting Data Abuse. In some cases, the FTC has also neglected to use the authority that Congress has already given it. Simply put, the FTC is insufficient to keep Americans safe in the face of mounting threats to their personal data.
Strict data security requirements are largely limited to specific sectors. For example, standards for health information security are contained in the Health Insurance Portability and Accountability Act (HIPAA), and standards for payment card data are set by the Payment Card Industry Data Security Standard (PCI DSS), a contractual industry standard rather than a law. Individual states have also implemented data security regulations and breach notification requirements; however, these vary widely. While these sector-specific and state regimes are a step in the right direction, it is clear that they are not enough. With the proliferation of data collection and surveillance systems, Americans do not feel that their data is secure and adequately protected.
Threats to Consumers
In the absence of federal data security requirements, both the scope and frequency of data breaches have increased in recent years, posing serious risks to consumers. One of the most notable incidents is the 2024 breach of National Public Data, a background check company, which exposed roughly 2.9 billion records on US residents, including full names and Social Security Numbers. As with the 2017 Equifax breach, the consumers whose data was in the National Public Data database never consented to giving it to the company. Data breaches have also impacted large banks, educational institutions, healthcare providers, and many other businesses.
Breach notification regulations vary in coverage, so some citizens have fewer options for recourse than others depending on where they live. State breach laws are also reactive: they typically impose penalties only after a breach, and only if the security measures in place are found not to have been "reasonable" relative to the volume and sensitivity of the data involved.
Identity theft has also become an increasingly prevalent issue, with the FTC receiving more than 1.1 million reports of identity theft in 2024. There is tremendous opportunity to limit identity theft through improved data security measures, but the U.S. government’s reactive approach to identity theft has not risen to this challenge.
EPIC’s Work on Data Security
EPIC believes in the need for comprehensive data protection legislation in the United States, including data minimization provisions as proposed in the American Data Privacy and Protection Act (ADPPA) and in state laws like the Maryland Online Data Privacy Act.
EPIC has also filed a number of amicus briefs in federal and state appellate cases concerning data security issues. In 2024, EPIC filed amicus briefs supporting the FCC's data breach reporting rule and the agency's enforcement actions against Verizon and T-Mobile/Sprint for breaches of consumer location data. In 2023, EPIC filed an amicus brief in support of holding carriers like AT&T responsible for failing to prevent SIM swap attacks. In a SIM swap, the criminal persuades the carrier to move the victim's phone number to a SIM the criminal controls, so that all calls and text messages sent to that number, including SMS one-time codes, are delivered to the criminal instead; this is then used to defraud the consumer by impersonating them to financial institutions or draining their crypto wallets.
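The paragraph above describes the attack from the carrier side. On the relying-party side (a bank or exchange), the practical defense is to stop trusting SMS codes for a number whose SIM was recently changed, and to go back over logs for high-risk actions that were approved by SMS code shortly after a SIM change. The following is an added example written for this page, not code from EPIC, any carrier, or any case in the briefs. The phone numbers, carrier events, account actions and the 72-hour quarantine window are all constructed assumptions; real carriers expose SIM-change recency through their own APIs, which this example does not call.

```python
"""SIM-swap-aware checks for a relying party (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

UTC = timezone.utc

# Assumed policy value: how long after a SIM change a number is not trusted for SMS codes.
SIM_SWAP_QUARANTINE = timedelta(hours=72)

# Account actions a SIM swapper typically performs right after taking over a number.
HIGH_RISK_ACTIONS = {"password_reset", "add_payee", "wire_transfer", "crypto_withdrawal"}


@dataclass(frozen=True)
class SimChange:
    phone: str        # E.164 number (hypothetical)
    at: datetime      # when the carrier activated a new SIM/eSIM for this number


@dataclass(frozen=True)
class AccountAction:
    user: str
    phone: str        # number the SMS code was sent to
    action: str
    at: datetime
    verified_by: str  # "sms_otp", "totp", "passkey", ...


# Constructed carrier SIM-change events (hypothetical numbers and times).
SIM_CHANGES = [
    SimChange("+15555550100", datetime(2024, 3, 1, 9, 0, tzinfo=UTC)),
    SimChange("+15555550199", datetime(2024, 1, 10, 12, 0, tzinfo=UTC)),
]

# Constructed account activity log for the same day.
ACTIONS = [
    AccountAction("alice", "+15555550100", "view_balance", datetime(2024, 3, 1, 9, 30, tzinfo=UTC), "sms_otp"),
    AccountAction("alice", "+15555550100", "password_reset", datetime(2024, 3, 1, 9, 40, tzinfo=UTC), "sms_otp"),
    AccountAction("alice", "+15555550100", "crypto_withdrawal", datetime(2024, 3, 1, 10, 5, tzinfo=UTC), "sms_otp"),
    AccountAction("bob", "+15555550199", "wire_transfer", datetime(2024, 3, 1, 11, 0, tzinfo=UTC), "sms_otp"),
    AccountAction("carol", "+15555550142", "add_payee", datetime(2024, 3, 1, 12, 0, tzinfo=UTC), "passkey"),
]

# Assumed "current time" for the real-time check below.
NOW = datetime(2024, 3, 2, 10, 0, tzinfo=UTC)


def last_sim_change(phone: str, events: Iterable[SimChange],
                    before: Optional[datetime] = None) -> Optional[datetime]:
    """Most recent SIM activation for `phone` (optionally at or before `before`), else None."""
    times = [e.at for e in events if e.phone == phone and (before is None or e.at <= before)]
    return max(times) if times else None


def sms_otp_allowed(phone: str, now: datetime, events: Iterable[SimChange],
                    quarantine: timedelta = SIM_SWAP_QUARANTINE) -> tuple[bool, str]:
    """Real-time decision: may an SMS one-time code to `phone` be trusted right now?"""
    changed = last_sim_change(phone, events, before=now)
    if changed is None:
        return True, "no recent SIM change on record"
    age = now - changed
    if age < quarantine:
        return False, f"SIM changed {age.total_seconds() / 3600:.1f}h ago; require a non-SMS factor"
    return True, "SIM change older than quarantine window"


def flag_suspicious_actions(events: Iterable[SimChange], actions: Iterable[AccountAction],
                            window: timedelta = SIM_SWAP_QUARANTINE) -> list[AccountAction]:
    """Retrospective detection: high-risk actions approved only by SMS OTP within `window` of a SIM change."""
    flagged = []
    for a in actions:
        if a.action not in HIGH_RISK_ACTIONS or a.verified_by != "sms_otp":
            continue
        changed = last_sim_change(a.phone, events, before=a.at)
        if changed is not None and a.at - changed < window:
            flagged.append(a)
    return flagged


if __name__ == "__main__":
    for phone in ("+15555550100", "+15555550199", "+15555550142"):
        print(phone, sms_otp_allowed(phone, NOW, SIM_CHANGES))
    for a in flag_suspicious_actions(SIM_CHANGES, ACTIONS):
        print("FLAG", a.user, a.action, a.at.isoformat())
```

With the constructed data, alice's number was re-SIMed at 09:00 and her SMS-verified password reset and crypto withdrawal minutes later are flagged, while bob's transfer (SIM changed weeks earlier) and carol's passkey-verified action are not. The real-time check denies SMS codes to alice's number the next day and falls back to a stronger factor, which is the control a carrier-side SIM swap cannot defeat.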
Additionally, in May 2018, EPIC filed an amicus brief in the U.S. Office of Personnel Management (OPM) Data Security Breach case. Data breaches at the OPM in 2015 affected 22 million federal employees, their friends, and family members, compromising sensitive information such as names, current and former addresses, and Social Security numbers. In its brief, EPIC argued that “when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained.” EPIC has also filed several briefs in cases concerning the right of individuals to seek redress for data breach, including a brief in Attias v. CareFirst, Inc in 2017 and Storm v. Paytime, Inc. in 2016.
Recent Documents on Data Security
- Amicus Briefs: T-Mobile/Sprint v. FCC and USA (CPNI Location Enforcement), US Court of Appeals for the DC Circuit
- Amicus Briefs: Verizon v. FCC and USA (CPNI Location Enforcement), US Court of Appeals for the Second Circuit
Resources
- The Failure of Data Security Law, Daniel Solove and Woodrow Hartzog (2024)
- Data Vu: Why Breaches Involve the Same Stories Again and Again, Daniel Solove and Woodrow Hartzog (2022)
- Securing Data Integrity Against Ransomware Attacks, National Institute of Standards and Technology (2020)
- Click Here to Kill Everybody, Bruce Schneier (2018)
- Risk and Anxiety: A Theory of Data Breach Harms, Danielle Citron and Daniel Solove (2016)