National Consumers League's 2015 Cybersecurity Policy Agenda
2015 CONGRESSIONAL DATA SECURITY AGENDA:
A TO-DO LIST FOR THE 114TH CONGRESS
Introduction
Rarely does a week go by without the announcement of another major data breach that has
put thousands, or even millions, of consumers at risk of fraud. From malicious use of
compromised credit and debit cards, to increased identity theft risk, to drained bank accounts,
the threats are real and impact millions of consumers.
While malicious hacking has been a problem since the dawn of the Internet Age, the
unprecedented interconnectedness of our marketplace combined with an increasingly
organized and skillful cyber criminal underground threatens consumer trust in the
marketplace. A key challenge for the incoming 114th Congress will be to implement long-needed
reforms that will protect American consumers' personal data from malicious use by
criminal hackers.
For too long, inertia and fear of unintended consequences have prevented serious legislative
efforts to address data insecurity in all but the most sensitive arenas. However, there is
practically no piece of data that, when compromised, cannot be monetized at the expense of
consumers nationwide. It is for this reason that NCL is calling on our elected leaders to heed
the call of millions of consumers to adopt the Congressional Data Security Agenda in the next
Congress.
The agenda items below represent ideas that have already been adopted in many states and
should be applied nationally. Additionally, economic incentives that promote the adoption of
strong cybersecurity safeguards by private enterprise are common-sense solutions. Finally,
enforcement should be beefed up, with expert agencies given the tools they need to protect
the growing amount of valuable consumer data coursing through the marketplace today.
2015 Congressional Data Security Agenda
Create a strong national data breach notification standard
When a breach occurs, consumers should be made aware of the threat to their important
personal information. Modeled on strong state notification laws such as California’s, a
national data breach notification standard would ensure that all consumers would benefit
from this protection. It would also put companies on notice that data breaches will not go
unreported.
Require data holders to abide by reasonable data security requirements
Under existing law, companies collecting health and financial data are already required to
institute reasonable data security measures. Ten states have already passed comprehensive
data security standards. Given the multitude of ways that other sensitive data can be misused
by cybercriminals, it is important that all data collected and stored about consumers be
protected.
Clarify and strengthen the FTC’s data security authority
The Federal Trade Commission is the primary cop on the beat when it comes to holding
organizations accountable for protecting consumers’ data, bringing more than fifty data
security actions. However, the Commission’s authority in this area has been called into
question in the courts. In addition, the Commission lacks civil penalty authority. By clarifying
its role and giving its actions real teeth, Congress can give consumers greater confidence in
their data’s security.
Promote robust cyber-insurance underwriting standards
Even with strong cybersecurity defenses, organizations can still be hacked. When breaches
happen, consumers should be made whole for the increased risk of identity theft and other
harm they sustain as a result of the breach. Promoting a rigorous cyber insurance market will
also incentivize the creation of underwriting standards that can adapt to changing cyber
threats more quickly than proscriptive government regulations.
Increase federal civil and criminal penalties for malicious hacking
Cybercriminals can hack into corporate, government and other organizations’ networks and
escape with millions of dollars’ worth of data. Increasing penalties for these criminals would
strengthen the disincentive to engage in the crime and ensure that those convicted would be
severely punished.
Strengthen international anti-cybercrime partnerships
Modern cybercriminals benefit greatly from lax or non-existent enforcement of anti-hacking
laws overseas. Bringing crooks who defraud American consumers to justice should be an
important goal of U.S. foreign policy.
Conclusion
Data security reform is one of the rare issues that has broad bipartisan appeal. More
importantly, consumers nationwide would benefit greatly from Congressional actions to
strengthen data security protections. Given the increasing frequency, magnitude and cost of
data breaches, Congress can no longer sit back and hope the problem takes care of itself.
Through strong leadership, Congress can create a framework where the scales begin to tilt
back in favor of those who would protect consumers’ data rather than misuse it for their own
gain.
Learn more about NCL’s #DataInsecurity Project and find out how you can get
involved at www.nclnet.org.