There is a notion that proper cybersecurity—that awful, misused buzzword—is based on technology, policy, or user training. But none of them address the fundamental cybersecurity issues: Organizations that collect consumer data are not held accountable when breached, and U.S. laws just aren’t up to the task of protecting consumers.   

There’s an old saying, “Laws keep an honest person honest,” but the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Health Insurance Portability and Accountability Act—the pre-eminent consumer cybersecurity regulations in the United States—are woefully inadequate.

How do these laws apply to hackers in Russia, China, North Korea, or other countries? Will they simply not commit an illegal act against U.S. businesses because it is illegal in the United States?

The FBI’s most wanted hacker, Evgeniy Bogachev, has had a $3 million bounty on his head since 2015. Authorities have a high level of confidence that he is in Russia, and that the Russian government knows where he is. But why would Russia turn him over, if he has helped the country hack adversaries such as the United States?

Organizations that enforce best security practices covering topics like data storage, transactions, software patches, and passwords suffer the least from hacks. Unfortunately, such organizations are few and far between, as implementation of best practices is often a major hurdle. And the biggest reason it’s a hurdle isn’t technical in nature; it’s legal and financial.

Look no further than the Equifax breach last year to see what happens to an organization after the revelation that a major breach of personal consumer data occurred on its watch. The personal data, including Social Security numbers, of 147.9 million Americans is now irrevocably exposed to hackers. But Equifax’s then-CEO, Richard Smith, was allowed to take $90 million with him into retirement instead of getting fired.

Usually, the punishment for allowing a breach is a light slap on the wrist. More often than not, there is none. And in the case of Equifax and other credit-reporting agencies, the standard punishment can even turn into profit.

After a breach involving financially tied personal data, the standard corporate response, forced or unforced, is usually free credit monitoring for a year. But at the end of that year, a person’s Social Security number, which agencies use for reasons far beyond its original purpose, does not expire alongside the monitoring.

Many consumers’ likely response to this expiration is to either subscribe to a credit-monitoring service, or pay each credit agency to freeze their credit (the best option, in our opinion, even though freezing credit can stop consumers from making major purchases or signing up for new services). Either way, they end up paying for the failure of an organization to protect their data—data most consumers likely never even knew they had, and never gave direct permission for them to have.

Consumers affected by the Equifax breach, among others, now have to watch out for fake tax returns being filed on their behalf, or for their name being used on fraudulent identity cards, along with a slew of other nefarious things bad actors can do when they have such information.

We will never have true data security until we start holding companies—and their executives—legally and financially accountable for the security of any kind of consumer data they possess. We cannot let them retain it without our express permission, and we need to ensure that they face severe consequences if they mishandle it. Those who gamble with our personal information should be held accountable.

It is time to look for guidance from the European Union and its General Data Protection Regulation, which comes into effect this May and is truly about protecting citizens’ data before a breach occurs.

Under GDPR, companies that store or process European citizens’ data, regardless of where they are located, need to notify consumers about a suspected data compromise within 72 hours—not within the status quo of six months. They must also let European Union consumers know how they might use and share their data, and give them the option to have it permanently deleted from their servers.

A U.S. law that follows the GDPR’s lead would not stop every data breach, but it would make significant strides toward offering consumers real protection. Until such legislation is passed, the personal information of U.S. consumers held by organizations operating exclusively outside Europe remains vulnerable and will be at the mercy of bad actors all over the globe.