Can the government regulate Internet privacy?

The headlines are becoming so common we almost tune them out: major credit card breaches at Target and Neiman Marcus; a major security bug at the heart of Apple’s operating systems; the “heartbleed” bug at the heart of OpenSSL … on and on. This week it’s arts and crafts chain Michaels, which looks to have been taken for up to three million credit and debit cards over two eight-month periods. (Not that we’re judging.) And let’s not forget the ongoing Snowden revelations.

Are you numb? Or do you want the government to “do something” to protect your data?

The court of public opinion

Privacy problems and security breaches are battering some people’s confidence. A recent poll by market research firm GfK found that one in three consumers claimed to have been directly impacted by misuse of personal data in the last year, with 60 percent saying their concern about data privacy has increased in the last year. (Almost nine out of ten now say they’re at least “a little” concerned about the safety of their personal information.) Further, over half of respondents say the U.S. government is not doing enough to protect their data, and almost 80 percent said there should be strong regulations governing how data brokers and others can repurpose personal information.

Similarly, a survey conducted last year by the Pew Internet & American Life Project found 66 percent of adults said current privacy laws are “not good enough” to protect Internet users’ privacy – and, intriguingly, the concern was uniform across respondents’ reported political affiliations. Didn’t matter whether folks were liberals or Tea Party supporters: most were concerned about their online privacy. In January, a separate Pew survey found 18 percent of respondents had had important personal information stolen (like a credit card or Social Security number), while 21 percent – that’s one in five – had had an email or social networking account hacked.

There oughtta be a law!

Folks crying for regulations over how corporations handle our data and manage privacy breaches will be relieved to know there are laws. It’s just that they’re mainly state laws. Currently, forty-seven of the fifty states have passed varying forms of privacy protection legislation, with Kentucky getting in line just this week and New Mexico looking like it’ll be next.

State requirements vary widely, and are mostly concerned with the conditions under which residents must be informed that their personal data has been (or might have been) compromised. In one state, a single consumer might be informed immediately if his or her personal information was exposed, but in another state businesses might not have to inform anybody unless a certain number of consumers are known to have been impacted, or where risk analysis finds a breach was likely to have caused actual harm. In some states businesses have to contact consumers directly; in others, they can just post a notice on some dim corner of their Web site.

It’s not as if the federal government is totally out of the picture. Section Five of the Federal Trade Commission Act prohibits “unfair or deceptive practices,” which the FTC has determined can apply to lax data security procedures. In fact, the FTC’s assertion was upheld last week in a case against Wyndham Hotels, which stored credit card information as plain text, failed to change default passwords…and got taken to the cleaners by Russian hackers on several occasions. However, the FTC can’t assess penalties for violations; at best, it can force companies into settlement agreements in which they modify their practices, pay damages, and promise to play nice for a few years.

What if the feds got more involved?

Proposals for national data protection regulations have been around for years – but so far haven’t gotten much traction in Congress, and there’s little agreement on standards, thresholds, or requirements. Should suspicion of a data breach be enough to trigger notifications, or does actual harm have to have occurred? For instance, a 2011 proposal from the Obama administration would have required any business with information on more than 10,000 people to disclose breaches affecting more than 5,000 people, but only to credit agencies and the federal government, not to actual consumers.

“The biggest concern is that a federal bill might actually be weaker than a lot of the state laws,” said Justin Brookman, Director of Consumer Privacy at the Center for Democracy & Technology. “One of the main points of data breach notification is not necessarily to let everyone know, it’s to impose a liability cost on companies when they have these terrible situations. That way there’s a strong incentive not to have breaches. If a federal law makes that cost less, that’s not a great result.”

Speaking on background, executives at two nationwide retailers indicated American businesses might support a nationwide data breach law – even if it came with liability. One likened the varying state privacy laws to the sales tax situation in the United States, where rates, reporting, and collection vary widely by state, county, and municipal laws. A single privacy and data protection standard would be easier for businesses to manage and — in that executive’s view — exceed.

However, the other executive was wary of reporting requirements. If businesses were mandated to report every possible data breach for any number of customers regardless of whether any harm occurred, they might become the companies that cried wolf, he said. Consumers might receive so many warnings they simply tune them out – which also wouldn’t be a great result.

You mean we’d just get notices?

The approaches described so far focus on informing people whose information has been compromised after a breach. Surely, the better approach is to prevent data breaches in the first place. And what about data brokers, who collect and sell information about us to anyone with two nickels to rub together?

Don’t expect the federal government – or states, for that matter – to attempt to legislate data security practices. The bottom line is that laws and regulation move much more slowly than technology and business practice, and while governments may have requirements for particular contracts or services performed with the private sector, no one expects the government will try to broadly dictate how companies protect consumer data.

What about data brokers? Consumers are wary of information being traded about them. That GfK survey mentioned earlier found the majority of people in every measured age group distrusted marketers with their personal data, and last year’s Pew study found 86 percent of consumers have taken some steps to minimize online tracking.

Some data security bills introduced before Congress have had provisions addressing data brokers, potentially obligating them to let consumers see, correct, or even delete information that has been collected about them. However, much of the online economy is driven by tracking, analyzing, and reselling information about consumers – think of all the targeted advertising and personalized services we see every day. Companies like Google, Facebook, and Amazon are likely to be wary of any requirement to let consumers control how data is collected and generated about them.

What are the chances of federal regulations regarding data brokers?

“Congress is so ossified, there’s so little floor time to move bills, it’s hard to see anything that’s not utterly uncontroversial getting traction,” said Brookman. “It’s possible something could move, but I think Republicans, Democrats, consumer advocates, and business probably want somewhat different things.”

So don’t hold your breath.
