Large business data breaches – like the one affecting 100 million Capital One credit card customers and applicants – remain commonplace, so much so that they are becoming accepted as the new normal in today’s climate of consumer dealings. They shouldn’t be.
Criticism in the wake of the previous, well-publicized Equifax data breach of 2017 focused on the preventable nature of the breach and the lack of an efficient and effective response to it. In fact, in a December 2018 report, the House Committee on Oversight and Government Reform noted that the attack, which lasted for 76 days before being noticed by Equifax employees, was preventable, particularly because the major failing appeared to be Equifax’s ineffective system for ensuring regular encryption and security patch updates.
Similar criticisms are being made about the Capital One breach, where approximately 140,000 social security numbers and 80,000 bank account numbers were compromised when a lone hacker accessed personal information from more than 100 million Capital One credit applications. Not only did the hacker work alone, but she had access to unauthorized data for months, and boasted about it in online forums. So, what’s being done to protect consumers and bring these companies out ahead of modern hacking capabilities?
Most state and federal cybersecurity laws and regulations are still in their comparatively early years, and as a result there are relatively few cases to look to for precedential guidance regarding enforcement actions, penalties, and means of recompense for affected consumers. However, the trending response to massive data breaches seems to be massive monetary penalties.
In the case of Equifax, a breach that affected the personal information of almost 148 million people, class action lawsuits emerged as the most readily available means of getting to a monetary penalty. A proposed class action settlement was submitted in July 2019, which could resolve the lawsuits brought by consumers. The settlement will not be approved until at least December 2019, but it is set to include potentially up to $425 million to help consumers recover from the breach and, when the news initially broke, the announcement seemed to promise a payment of up to $125 per person. Similarly, Capital One already faces a class action lawsuit, which was filed just last week in the U.S. District Court in Eastern Virginia, on behalf of at least 100 class members. For now, Capital One is offering free credit monitoring and identity protection to the affected individuals, but we may see another large settlement in the future. Relatedly, Facebook has also been on the receiving end of a large monetary penalty: a $5 billion civil penalty was levied against Facebook by the Federal Trade Commission just last month. The penalty was imposed in response to Facebook’s failure to truthfully represent consumers’ ability to control their privacy on Facebook, as well as Facebook’s failure to adequately protect consumers’ privacy.
The elephant in the room when it comes to monetary penalties is whether they actually make a difference for the individuals whose information has been compromised. In the case of Equifax, only $31 million of the $425 million is set to be allocated toward cash payments to be distributed amongst the affected individuals who file claims. Just last week, the Federal Trade Commission warned the public that the initially projected $125 per person is likely to be much less given the amount of people who have already submitted claims. As an alternative to the $125 per person, affected individuals can also choose a second option, which would provide for at least four years of free monitoring of consumers’ credit reports at all three nationwide credit reporting bureaus and $1,000,000 of identity theft insurance, with an additional potential six years of free monitoring of consumers’ Equifax credit reports. The Federal Trade Commission is now encouraging consumers who were affected by the Equifax breach to request this alternative instead of taking the cash payment.
On the legislative front, efforts to advance federal legislation to address data security have been largely ineffective where bills have stalled or are overshadowed by other priorities. Recently, however, Senator Jerry Moran (R-Kan.) and Senator Richard Blumenthal (D-Conn.) drafted a bill that would apparently give additional enforcement powers to the Federal Trade Commission and pre-empt state laws. In April of this year, Senator Elizabeth Warren (D-Mass.) introduced a bill that would provide for a possible sentence of up to a year in jail for corporate executives of large companies where those companies have committed crimes or certain civil violations that affect “the health, safety, finances, or personal data of 1% of the U.S. population or 1% of the population of any state.” And in January, Senator Marco Rubio (R-Fla.) introduced a bill that would give rule-making authority to the Federal Trade Commission and impose deadlines for privacy regulations to be implemented, either by Congress or by the Federal Trade Commission itself, taking a step toward creating a comprehensive federal law regulating the collection and use of personal data.
It’s not clear whether any of these efforts will be successful, but legislative activity in the data security realm will certainly continue to remain a priority as long as massive data breaches and large-scale data security violations continue to occur.