Is It Time for the U.S. to Implement Stronger Data Protection Regulations—Like the EU’s General Data Protection Regulation?

Written by: Luis Colula

Yahoo, one of the largest email providers, revealed last week that it experienced a cyber attack in late 2014.[1] Yahoo discovered the breach only after it was alerted to a separate, unconfirmed breach, which had prompted the Internet firm to review its security systems.[2] The breach affected some 500 million user accounts.[3] It is believed that hackers acquired account users’ names, birth dates, email addresses, telephone numbers, and, in some cases, encrypted and unencrypted security questions.[4] Nevertheless, Yahoo has assured customers that no passwords, payment card, or bank account information was affected.[5] Notwithstanding the appearance that the attack compromised only low-value information, the breach is still thought to be the largest ever in terms of user accounts.[6]

This begs the question of whether U.S. companies and U.S. government agencies are doing enough to improve cyber security.

Unlike its European counterpart, the U.S., for the most part, has taken a hands-off approach by encouraging self-regulation and leaving data subjects “to come up with creative ways to minimize their own risks.”[7] However, it is evident the U.S.’s approach to cyber security has failed: “[t]he majority of breaches (77 percent) occurred in North America, with 59 percent of those being in the [U.S.]”[8] In comparison, “Europe accounted for 12 percent” of cyber attacks.[9]

These staggering statistics should push the U.S. Congress to adopt a regulatory scheme similar to Europe’s General Data Protection Regulation (“GDPR”). The GDPR’s main objective is to give citizens greater control of their personal data and to unify data protection regulation across the EU.[10] For instance, the GDPR applies not only to entities established in the EU, but also to entities offering goods and services to individuals in the EU, and entities monitoring EU citizens’ data.[11] The GDPR also establishes that location data, IP addresses, and online identifiers constitute personal data, because this data could be used to identify individuals.[12] The GDPR also requires breach notifications to data subjects in all industry sectors; creates a one-stop-shop mechanism for companies doing business across multiple EU countries; and expands the rights of individuals.[13]

Adopting a scheme similar to the GDPR in the U.S. would allay the present lack of uniformity in individual states’ privacy laws. Currently, U.S. privacy law consists of sector-specific federal regulatory schemes, like the Child Online Protection Act (“COPA”) and the Health Insurance Portability and Accountability Act (“HIPAA”), and a variety of state regulations surrounding unfair business practices. Consequently, companies that operate across state borders face the burdensome task of understanding each jurisdiction’s regulations and complying with all applicable requirements. For instance, companies wishing to do business in states like California (which has famously robust privacy laws) must choose whether to risk fines or jail time for non-compliance with state law, or fork over significant sums to comply with the heavy regulations. Further, due to the lack of uniformity among states, a company might be held liable in one state or in multiple states. This is time-consuming and costly both for the company litigating the case(s) and for the judicial system hearing the case(s).

A regulatory scheme similar to the GDPR would also provide U.S. consumers with more protection. Currently, the limited regulatory schemes, at both the federal and state level, only protect personal information (i.e. name, address, telephone numbers, birth dates, social security numbers) and not other online identifiers, which the EU commission found could function like personal information. This allows companies to circumvent current regulations by claiming that they are collecting other online identifiers and not personal information. However, the end result is the same—a complete profile of the data subject. Thus, a regulatory scheme similar to the GDPR would address key changes in the digital era.

Even if the statistics fail to motivate Congress to act, the financial costs incurred as a result of data breaches should motivate Congress and companies (internally) to act. A 2009 global study found that the U.S. had the most expensive average data breach cost: $6.75 million.[14] Further, data breaches diminish customer confidence and trust, which leads to lost business.[15] Finally, even if the great financial cost fails to motivate Congress or U.S. companies to act, the GDPR itself should. Congress and U.S. companies should adopt a similar regulatory scheme that, like the GDPR, “will apply to all businesses in and outside Europe that deal with personal data of EU individuals.”[16] This means that any U.S. company conducting business in the EU, which includes a majority of U.S. companies, will have to comply with the GDPR.

[1] – [6] Volz, Dustin. “Hackers Steal Data from 500 Million Yahoo Accounts,” Reuters.com, 22 Sept. 2016. http://www.reuters.com/article/yahoo-cyber-idUSL2N1BY0SZ. Accessed 29 September 2016.

[7] Wharton, Knowledge. “How Yahoo’s Data Breach Could Help Overhaul Online Security,” Valuewalk.com, 27 Sept. 2016. http://www.valuewalk.com/2016/09/yahoo-data-breach-email/. Accessed 29 September 2016.

[8] – [9] Fadilpasic, Sead. “Majority of Data Breaches Occur in U.S.,” BetaNews.com, 24 Feb. 2016. http://betanews.com/2016/02/24/security-data-breach-us/. Accessed 29 September 2016.

[10] “Data Protection Reform – Parliament Approves New Rules Fit for the Digital Era,” (2016). http://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/data-protection-reform-parliament-approves-new-rules-fit-for-the-digital-era. Accessed 10 October 2016.

[11] – [13] Hunton & Williams, LLP. “EU General Data Protection Regulation Finally Adopted,” HuntonPrivacyBlog.com, 14 Apr. 2016. https://www.huntonprivacyblog.com/2016/04/14/eu-general-data-protection-regulation-finally-adopted/. Accessed 29 September 2016.

[14] – [15] The Ponemon Institute. 2009 Annual Study: Global Cost of A Data Breach. PGP Corp., 2010. http://www.securityprivacyandthelaw.com/uploads/file/Ponemon_COB_2009_GL.pdf. Accessed 29 September 2016.

[16] Hunton & Williams, LLP. “EU General Data Protection Regulation Finally Adopted,” HuntonPrivacyBlog.com, 14 Apr. 2016. https://www.huntonprivacyblog.com/2016/04/14/eu-general-data-protection-regulation-finally-adopted/. Accessed 29 September 2016.