To society’s chagrin, the stubborn grind-and-groan of policy-making often requires a major catastrophe to get rolling. Nowhere is this more clearly observed than in the arena of data regulations.
To be fair, governments could be forgiven for not being quick and decisive when it comes to cybersphere policy. Whereas other areas of legislation have been around for generations (and in some cases millennia), the digital dimension is a relatively recent phenomenon. Other bodies of common law have had time to develop; concepts like liability, responsible parties and duty of care have been hammered out in many fields, often through years of painstaking legislative and judicial work. When it comes to information technology, fundamental questions remain open. Are web platforms public utilities or private services? How much liability do Internet actors bear for the private data they acquire and process? How do we define the "reasonable protective measures" whose absence renders an individual or company negligent?
The wave of recent data legislation, such as Europe's General Data Protection Regulation (GDPR), the cybersecurity regulation of New York's Department of Financial Services and other globally relevant IT statutes, is part of a collective attempt to provide some answers. Unfortunately, the main driver of these new rules, which now govern much of the cybersphere, has been a series of devastating data breaches.
Considering the breathtaking scope of the most recent mega hack, the next big milestone in American digital data law may be quick in coming.
Late last month, Marriott International, the largest hotelier in the world, disclosed a years-long breach of the guest reservation database of Starwood Hotels and Resorts, the chain it acquired in 2016.
According to the company, as many as 500 million guests may have had their personal information compromised, with unauthorized access to the Starwood network dating back to 2014. Details on how the intrusion was carried out have not yet been made public.
The effects of the report were immediate. After the announcement came, Marriott stock fell more than 5.5 percent by the end of the day, closing at $115.03. Hours after the breach was made known, two Oregon men filed suit against Marriott for exposing their data. Only hours after the first claim, a second lawsuit was issued by a group from Maryland. While no amount for damages was specified in the second lawsuit, the pair from Oregon is seeking $12.5 billion in reparations. The rationale for this sum was to give $25 for each of the 500 million alleged victims—reimbursement for the time it will take to cancel their credit cards.
To add to Marriott’s problems, the breach quickly drew the attention of legislators and regulators across the United States. Because Marriott operates in Europe as well, the incident also attracted scrutiny from EU officials in charge of enforcing GDPR.
Why the swarm of attention from policymakers?
The obvious answer is the size of the hack. If the reported numbers are anywhere near accurate, the Marriott breach would be among the largest in history.
But in addition to the sheer quantity of data that may have been stolen, the Starwood incident has another strike against it: the type of information exposed. Take the 2013 Yahoo breach, which affected as many as 3 billion accounts and remains the largest breach ever by volume. The data lost there consisted largely of account details such as names, e-mail addresses, phone numbers and hashed passwords. A hotel guest database is different. It holds names, postal addresses, phone numbers, passport numbers and payment card details, all of which Marriott says were stored in the affected tables. Worse still, while the payment card numbers were encrypted with AES-128, Marriott said it could not rule out that the two components needed to decrypt them were taken along with the encrypted data. Storing decryption keys alongside the data they protect defeats the purpose of encrypting it, and would constitute a major lapse in accepted key management practice.
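The key-management point above is easier to see in code. The following is an added illustration, not Marriott's system or any code from the original article: it contrasts a table that stores each record's data-encryption key (DEK) next to the ciphertext with envelope encryption, where the DEK is wrapped under a key-encryption key (KEK) that lives outside the database (in an HSM or key-management service in practice). To run anywhere with the Python standard library, it uses a small HMAC-SHA256 encrypt-then-MAC construction as a stand-in for AES-GCM; that toy cipher, the `kek` value, the record layout and the sample card number are all assumptions made for the example.

```python
"""Envelope encryption vs. keys stored next to the data they protect (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256. Toy stand-in for AES; not for production.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    keystream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    keystream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, keystream))


def store_card_colocated(pan: str) -> dict:
    """Anti-pattern: the per-record data key is written into the same row as the ciphertext."""
    dek = secrets.token_bytes(32)
    return {"pan_ct": seal(dek, pan.encode()).hex(), "dek": dek.hex()}


def store_card_enveloped(pan: str, kek: bytes) -> dict:
    """Envelope encryption: the data key is wrapped under a KEK that never enters the database."""
    dek = secrets.token_bytes(32)
    return {"pan_ct": seal(dek, pan.encode()).hex(), "wrapped_dek": seal(kek, dek).hex()}


def read_card_enveloped(record: dict, kek: bytes) -> str:
    """Legitimate read path: unwrap the DEK with the KEK, then decrypt the card number."""
    dek = unseal(kek, bytes.fromhex(record["wrapped_dek"]))
    return unseal(dek, bytes.fromhex(record["pan_ct"])).decode()


def attacker_with_db_dump(record: dict) -> Optional[str]:
    """What someone holding only a copy of the table (and no KEK) can recover from one row."""
    if "dek" in record:
        # Key sits next to the data: the dump alone yields the card number.
        return unseal(bytes.fromhex(record["dek"]), bytes.fromhex(record["pan_ct"])).decode()
    # Only a wrapped DEK is present; without the externally held KEK it is just random bytes.
    return None


if __name__ == "__main__":
    kek = secrets.token_bytes(32)          # assumption: held in an HSM/KMS, never in the database
    sample_pan = "4111111111111111"        # constructed test card number, not real data
    print("colocated key, attacker recovers:", attacker_with_db_dump(store_card_colocated(sample_pan)))
    enveloped = store_card_enveloped(sample_pan, kek)
    print("enveloped, attacker recovers:   ", attacker_with_db_dump(enveloped))
    print("enveloped, legitimate read:      ", read_card_enveloped(enveloped, kek))
```

The check to apply to any "encrypted at rest" claim is the one `attacker_with_db_dump` performs: given a full dump of the data store and nothing else, can the card numbers be recovered? If the answer is yes, the encryption is cosmetic.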
So what can we expect the response to be on the U.S. government side? Well, that depends.
From a cynical perspective, one might simply look at the history of recent mega hacks and conclude that the Marriott incident will become just another statistic. In similar cases from recent years, no major changes to U.S. federal data policy emerged. The devastating Equifax breach of 2017 is a good case in point. Given the highly sensitive nature of the data lost (Equifax is, after all, a credit reporting agency), the hack was labeled by many as the most damaging cyber attack ever to occur. Then as now, legislators sprang into action. The House Energy and Commerce Committee held a hearing to examine the incident and possible legislative remedies. House Financial Services Committee Chairman Jeb Hensarling also organized a hearing. Calls for an investigation by the House Judiciary Committee were probably the most worrying for Equifax to hear. Over a year after the breach, however, no landmark legislation has passed, neither to raise the bar on protection standards nor to hold companies accountable for hacks. Furthermore, the suits filed against companies for negligence have ended in relatively small settlements. For example, last September, Uber agreed to pay $148 million to settle claims brought by all 50 state attorneys general over its 2016 breach.
Oregon Senator Ron Wyden, a Democrat, has been driving the effort to bring about a paradigm shift in data policy. "If history is any guide, this mega breach will be like the others that came before it—the company will apologize, proclaim that it values its customers' privacy, and then offer useless credit monitoring to the millions of Americans impacted by this years-long breach," the senator told media outlets. According to Wyden, the only thing that will create enough incentive for companies to get their act together on data security is to make the penalties for negligence much more severe. "The Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans' private information," said Wyden, adding that "Until companies like Marriott feel the threat of multi-billion dollar fines, and jail-time for their senior executives, these companies won't take privacy seriously."
Last month, Wyden introduced draft legislation to substantially increase liability for breaches involving personal data. The draft would give the FTC authority to levy fines tied to a company's revenue and would expose senior executives who knowingly certify false data-protection reports to the agency to prison terms. It is highly unlikely that the bill will become law in this form, but it is an attempt to feel out what is feasible. Sending executives to prison may be a bit extreme, yet at least a serious discussion on establishing security policy with real teeth may now be underway.