On September 7th, 2017, Equifax announced it suffered a massive data breach, compromising the personal information, including credit card numbers and social security details, of at least 145.5 million people. Most of the affected consumers are citizens of the United States, but some were from the UK and Canada. The Equifax breach is a continuation of an increasing trend of large-scale hacks, interrupting business and placing sensitive customer data at risk. As ex-Ashley Madison users are well aware, the costs of a breach are not limited to financial ones.

The Equifax breach has unsurprisingly motivated federal legislators to talk about introducing new data breach laws, but similar legislative movements have failed in the past. Even if such a law were to pass, and companies would be required to give their potentially affected customers notice in a timely manner, would that be enough? There are statutes which criminalize actions like “accessing a computer to defraud and obtain value,” but no legislation which demands a specific level of security. Both President Obama and President Trump have also issued executive orders to help combat the nation’s cyber-security risks, but President Trump’s order has had lackluster enactment so far and President Obama’s order merely enabled voluntary programs. The federal legislature should strongly consider promulgating rules which create mandatory minimum security measures for companies which collect vast quantities of consumer data.

There are a few arguments which might oppose federal regulation. The first is that federal regulations are not needed because market forces will cause companies to better protect themselves; consumers will flock to companies who will better protect their data. This argument is fatally predicated on the notion that consumers have a meaningful choice about who receives their data. I do not recall signing up for Equifax, do you? Nor am I aware of all of the companies which may have obtained my data second-hand through sales or other distributions. Leaving firms to dictate their own security is the status quo. The increasing trend in breaches indicates that firms either are not listening to the market or that they are willfully ignorant of their own risk.

The second argument against federal regulation is that the regulations ought to be left to the states. New York has already taken the lead and passed mandatory cyber-security standards, and other states will likely follow. Federal regulation is more appropriate than state regulation in this instance because of the national threat of cybercrime. For example, Equifax is headquartered in Atlanta, Georgia, but its breach compromised over 40% of the U.S. population. Citizens of New York or Wisconsin could advocate for change in their home states but have no voice in Georgia. Should the population of one state, through the democratic process, decide for whatever reason not to pass cyber-security regulations, that state population has left the rest of the U.S. population’s personal information vulnerable without any kind of voice in the debate. One centralized federal minimum would also dramatically reduce the cost of compliance for businesses. Instead of figuring out whether and to what extent a company’s security measures may be regulated in every state in which the company might do business, businesses can simply look to the federal rules.

A final argument may be that Congress should not regulate cyber-security because technology moves at a rapid pace and Congress notoriously does not. This issue is easily resolved by creating a dedicated regulatory agency or granting an existing agency the power to promulgate security standards. Regulatory agencies possess the expertise and expeditiousness Congress lacks. An analogy may be drawn to NHTSA, the National Highway Traffic Safety Administration. When Congress and the U.S. population became sufficiently concerned with the dangers posed by driving, Congress created NHTSA to regulate auto safety. Since then, NHTSA has promulgated regulations enforcing minimum safety requirements on what was, at the time, a fairly unresponsive industry, and those regulations have dramatically reduced the risk to the public from auto accidents. Insufficient, unregulated cyber-security threatens Americans today in much the same way insufficient auto safety threatened Americans in the mid-1900s. It is time Congress took action.

Eric Hyla
