Combatting consumer data asymmetry

In the late 1800s, Chicago was the fastest growing city in the nation. The population boom led to construction with wood and other materials that was both cheap to procure and quick to assemble. The rapid expansion combined with a lack of regulation spelled doom for the city, which lost a third of its buildings when a spark ignited the Great Chicago Fire.

The digital economy is currently in a similar state. Rapid innovation and growth in new technologies have given us smart phones, connected televisions, and unprecedented communication efficiencies. However, just as in 19th century Chicago, the rapid expansion of the internet has outstripped regulatory authorities concerned with safety and security. Consumers today are suffering from an information asymmetry in the marketplace: What consumers do not know about the companies driving the digital revolution can — and does — hurt them.

As co-chair of the Congressional Cybersecurity Caucus, I see this play out in many forms. Investors often have very little information about the relative cybersecurity risk of publicly traded companies, which is why I have encouraged the Securities and Exchange Commission to strengthen disclosure requirements. When purchasing a new connected device, consumers are rarely presented with basic information about software patches and changing default passwords. But the information asymmetry is perhaps greatest when a customer’s sensitive data have been stolen and only the company knows about it.

{mosads}When you have entrusted a business with your information, any violation of that trust, even if caused by a criminal actor, is a cause for alarm. Beyond the immense privacy implications, much of the personally identifiable data stored by companies can be used for identification and authentication — and can thus be used for identity fraud. Prompt notification to affected individuals is essential to allow them to take steps to protect their identities. This right to be notified when personal data are compromised is fundamental and has been recognized as such by states across the country. Unfortunately, as highlighted by recent events — most notably the confusing saga that has swirled around the loss of up to 145 million Americans’ private information by Equifax — that right is interpreted differently depending on where you live.

That is why I have re-introduced the Personal Data Notification and Protection Act (PDNPA). This bill will replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information. Principally, the bill requires that companies notify affected individuals within 30 days of the discovery of a breach of sensitive personal information and provides for a single federal regulator, the Federal Trade Commission (FTC), to help coordinate breach notification. 

In creating this single national breach standard, the PDNPA acknowledges that what comprises personally identifiable information evolves and thus should not be locked into statute. Instead, the bill empowers the FTC to standardize the criteria for which data requires notification. This would let the FTC move in sync with the digital marketplace and quickly react if changes are required — such as if Social Security numbers stop being widely used for authentication.

The PDNPA additionally recognizes that even if a computer network is breached and personal data is taken, organizations can employ security measures such as at-rest encryption that render the data unusable. In fact, good stewards should already be taking these measures, which have been widely promoted by cybersecurity researchers and consumer advocates. To further incentivize these practices, the bill will provide a safe harbor to organizations that can prove to the FTC that they were resilient in the face of the breach and that consumers’ privacy will therefore not be affected.

We strive to live in a world without breaches, but we must recognize that cybersecurity is not a problem to be solved. Managing the risks we face in the Information Age means being resilient when networks are compromised, whether because of cryptographic protections or notification to affected individuals. It means giving consumers the right to know which businesses are good stewards of their data so that they can make informed decisions about whom to give their hard-earned dollar. And it means streamlining regulation so that companies can focus on cybersecurity, not compliance, and so consumers are provided actionable information promptly.

Passing the PDNPA will not fully stem the tide against those who wish to harm us in cyberspace. But it will help to ensure that we are responding with proper speed and coordination.

Langevin represents Rhode Island’s 2nd District and is co-chair of the Congressional Cybersecurity Caucus.