Cybersecurity

Data Security

Background

Securing personal data is essential to protecting individual privacy and human rights: it prevents breaches, guards against misuse, and protects the integrity of information.

Data security becomes more essential when sensitive data or a high volume of data on an individual is processed, because of the risk that it will be used for more targeted or potentially harmful purposes. The proliferation of data and of inferences drawn from big data brings the need for data security to the forefront. “Big data” is a term for the collection of large and complex datasets and the analysis of these datasets to form profiles or track patterns. With these advances in the collection and interpretation of data come increased vulnerabilities and unprecedented risks. Traditional methods of privacy or cybersecurity protections often fail to fully cover big data, necessitating new forms of data security.

According to the National Cybersecurity Center of Excellence, “Data security is the process of maintaining the confidentiality, integrity, and availability of an organization’s data in a manner consistent with the organization’s risk strategy.” This process involves “preventing unauthorized access, data corruption,” and other kinds of attacks and breaches. 

Lack of Federal Data Security Requirements

Despite the myriad of threats to data security, the United States has not established cohesive federal data security requirements. The EU’s General Data Protection Regulation (GDPR) contains mandates related to data security and breach response, strengthening the fundamental rights of individuals and putting consumers back in control of their personal data, but American data subjects lack similar rights. In fact, the United States remains one of the few democracies in the world with no national data protection agency.

In the absence of a U.S. data protection agency, the task of regulating and safeguarding data has been spread across various state and federal entities. For general online privacy enforcement, regulatory responsibility has fallen chiefly to the Federal Trade Commission. However, as EPIC states in its 2021 report “What the FTC Could Be Doing (But Isn’t) To Protect Privacy,” there are significant limitations inherent in the patchwork of data protection powers at the FTC’s disposal. In some cases, the FTC has also neglected to use the authority that Congress has already given it. Simply put, the FTC is insufficient to keep Americans safe in the face of mounting threats to their personal data. 

Strict data security requirements are largely limited to specific sectors. For example, standards for health information security are contained in the Health Insurance Portability and Accountability Act (HIPAA) and those for financial information security are outlined by the Payment Card Industry Data Security Standard (PCI DSS). Individual states have also implemented data security regulations and breach notification requirements – however, these vary widely. While these individual statutes are a step in the right direction, it is clear that they are not enough. With the proliferation of data collection and surveillance systems, Americans do not feel that their data is secure and adequately protected.

Threats to Consumers

In the absence of federal data security requirements, both the scope and frequency of data breaches have increased in recent years, posing serious risks to consumers. One of the most notable incidents is the 2017 Equifax breach, which compromised the personal data of 148 million Americans. As one of the three major credit bureaus in the U.S., Equifax houses multitudes of sensitive information, such as names, home addresses, phone numbers, Social Security numbers, and driver’s license numbers. Data breaches have also impacted large banks, educational institutions, healthcare providers, and many other businesses. As another recent example, the Accellion breach in December 2020 affected dozens of companies and government organizations around the world.

Breach notification regulations can vary in coverage, leaving some citizens with fewer options for recourse than others, depending on location. State breach laws are also reactive and often impose penalties only if security measures are deemed not “reasonable” for the volume and sensitivity of the data involved.

Identity theft has also become an increasingly prevalent issue, with the FTC receiving nearly 1.4 million reports of identity theft in 2020 – about twice as many as it had in 2019. There is tremendous opportunity to limit identity theft through improved data security measures, but the U.S. government’s reactive approach to identity theft has not risen to this challenge.

EPIC’s Work on Data Security

EPIC believes in the need for comprehensive data protection legislation in the United States and previously launched “Data Protection 2016,” a non-partisan campaign that advocated spotlighting data protection as an issue in the 2016 election. EPIC also strongly advocates for the creation of a U.S. Data Protection Agency and supports Senator Kirsten Gillibrand’s non-partisan Data Protection Act, which would create a federal data protection agency and includes provisions to “oversee the use of high-risk data practices, and to examine and propose remedies for the social, ethical, and economic impacts of data collection.” 

EPIC has also filed a number of amicus briefs in federal and state appellate cases concerning data security issues. 

In May 2018, EPIC filed an amicus brief in the U.S. Office of Personnel Management (OPM) Data Security Breach case. Data breaches at the OPM in 2015 affected 22 million federal employees, their friends, and family members, compromising sensitive information such as names, current and former addresses, and Social Security numbers. In its brief, EPIC argued that “when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained.” 

EPIC has also filed several briefs in cases concerning the right of individuals to seek redress for data breaches, including a brief in Attias v. CareFirst, Inc. in 2017. The case concerned a proposed class action that was filed against health insurer CareFirst after policyholder data was breached. EPIC urged the court to impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data they collect, arguing that data breaches underscore the need for companies to be held liable for faulty or inadequate security.

In Storm v. Paytime, Inc., EPIC also argued that consumers are facing unprecedented threats from data breaches and subsequent misuse of their personal data. Accordingly, now is not the time to be limiting consumers’ options for recourse, and consequential harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.
