The story of "The Silver Skates" celebrates the bravery of a little Dutch boy who stuck his finger in the dyke to prevent a terrible breach. Today, cyber incident responders are modern Hans Brinkers who use their fingers on computer keyboards to stop personal information hemorrhages.
July 1, 2021, began like any other day. A quick perusal of the morning news revealed the usual "big" data breach: exposure of the private information of 700 million (92%) of LinkedIn's users. A similar incident had affected 500 million LinkedIn subscribers not two months earlier. I sighed.
Data breaches are today nearly as predictable as afternoon rain in the tropics. They've become so routine that we hardly notice them, lazily accepting them as a way of life.
Suppose every night after you parked your car, it routinely malfunctioned and sprayed dirty motor oil all over your driver's seat. Instead of trying to fix it, you decided to live with it. Now you have to get up two hours earlier to clean up the mess each morning. Or you put a clean sheet of plastic on the seat each day. Or you start wearing ratty clothes that become saturated with oil, so that you smell like an auto garage. Is this the right way to solve such a problem?
Accepting private information breaches as a norm is like tolerating the oily driver's seat. It's unacceptable. You need to take your car to the shop. In cyberspace, you need to start insisting on better personal information protection in computer systems and networks.
The European Union (EU) already insists. Its General Data Protection Regulation (GDPR) protects "fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data." It creates rules for the processing and movement of Europeans' personal data. Should you doubt the Europeans' intent here, you can trace the GDPR's lineage back to the 1948 UN Declaration of Human Rights. Ratified by the fledgling UN in the wake of World War II, this declaration affirmed that "the inherent dignity and … equal and inalienable rights of all … is the foundation of freedom, justice and peace in the world."
These values are consistent with our American democratic ideals. Unfortunately, the EU Court of Justice has ruled twice (in 2015 and 2021) that current US laws and regulations are insufficient for GDPR compliance. Each US company seeking to do business in Europe must therefore achieve GDPR compliance individually instead of being grandfathered in under a US-EU agreement.
The pressure on Washington to pass new privacy legislation does not come just from overseas. In the domestic arena, state legislatures are considering and enacting new privacy laws of their own. State laws like the California Consumer Privacy Act (CCPA, 2018) and the California Privacy Rights Act (CPRA, 2020) ratcheted up national awareness of consumer privacy. CCPA gave Californians:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
CPRA expanded these rights, introduced new consumer rights, and adopted select GDPR principles.
US companies now face some complex privacy law challenges. Without federal privacy legislation, they will have to comply with the different privacy laws of 50 individual states. Alternatively, Congress could pass a federal privacy bill that preempts all (or most) of the provisions of state privacy laws. Which alternative do you think the commercial world would prefer?
US companies also need the government to find a way to expedite GDPR compliance. No doubt about it, it's a thorny issue. It may be solved by a trade agreement or by revisions to the law. The bottom line is that the burden of GDPR compliance is dulling our economic competitiveness in Europe, and this issue needs to be resolved.
We have a responsibility as citizens to be well informed on important issues and provide feedback to our leaders. Most scholars agree that privacy is essential to democracy. So think about it. Is privacy still important to us as a democratic nation? Why do computer breaches happen so often? What privacy provisions could protect us better? Do we need a new federal privacy law or is additional regulation sufficient? How does GDPR fit into all this?
Congress needs to hear from us, its constituents, before it can pass new privacy legislation. Let's live up to our responsibilities. Let them know we believe in privacy so they can enact additional measures we need to protect it.