At this point, it’s hard not to imagine that at least some of your personal information isn’t for sale in some dark corner of the internet. After all, data breaches are happening constantly. Companies suck up customers’ details and then, try as they might — and let’s assume they really try — declare that it’s been leaked or hacked. You know the drill; the subsequent breach announcement goes a little something like this: “Oops!! We were the victims of a cyberattack, and by extension, so were you! It affected ??? people and we think ??? information was involved, but we’re still kind of guessing here at what happened. Hopefully you have some sort of identity theft protection, which maybe we’re offering and maybe not. But regardless, love you! We’re family! Please come back soon!”
The whole situation isn’t great.
High-profile data breaches have been in the headlines for years. In 2013, Target lost the credit card, debit card, and other information of tens of millions of customers. In 2018, Marriott disclosed a data breach that impacted up to 500 million people; in 2020, it got hit again. In 2021, hackers got a bunch of customer information from T-Mobile that the company reportedly tried and failed to get back. The list of breaches goes on and on.
Of course, these companies would surely rather not be dealing with these situations — data breaches cost firms millions of dollars and are often accompanied by reputational damage and sometimes fines. At the same time, that doesn’t mean the constant loss of consumer data is acceptable. Sure, we live in the era of the internet, and some security risks are inevitable. But that shouldn’t mean that you have to throw your hands up and accept your data is safe, basically, nowhere. The Targets and Equifaxes of the world got hit with big fines, but they still get to exist — lucratively. And they’re still constantly sucking up and monetizing consumers’ personal information.
There’s a simple reason companies collect so much of our data — money — but why they get to collect so much, keep it, and monetize it is more complicated. There are some laws around data privacy and security, but they’re scattershot and generally handled state by state, and they could be better. Companies keep screwing up with our data, and there are no good answers on what to do about it.
Companies after a data breach: Sry bae
In September 2017, credit bureau Equifax announced the information of over 100 million people it was holding onto had been compromised, including Social Security numbers, birth dates, and addresses. It took the company weeks to make the breach public, and shortly after that happened, its CEO stepped down. For a while, it continued to hedge about what exactly was compromised in the breach. In 2019, Equifax was fined hundreds of millions of dollars by the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and states over the breach. It was also required to take other measures, including providing consumers with six free credit reports each year and providing up to 10 years of free credit monitoring for people affected. Data breach victims were supposed to be able to claim $125 checks from the company, but because so many people signed up, that amount translated to mere cents.
But afterward, Equifax — which makes money, in part, by selling people’s personal information to third parties — didn’t drastically change its business practices when it comes to collecting and selling data. The basic incentive for the company to scoop up and monetize as much data as possible remains.
In a statement to Vox, Jamil Farshchi, chief information security officer at Equifax, said that the company has invested over $1.5 billion to rebuild its security and technology systems “from the ground up” and hired upwards of 600 cybersecurity professionals to try to better protect consumer data. “Multiple independent ratings show that our security maturity and posture now exceed every major industry average. Few companies have invested more time and resources in the last few years into ensuring that consumers’ information is protected,” he said, pointing to its latest security report.
Still, it’s hard not to wonder whether any of this is really enough. After all, Equifax is still one of the three major credit bureaus in the United States that consumers have to rely on to navigate their financial lives, and its business is still humming along. Equifax, despite its major missteps, is fine. It’s also evidence that there are no easy answers on how to deal with data breaches or punish companies that have broken laws, to the extent that there are applicable laws in the first place.
To start from square one: There is no federal privacy law in the United States. Instead, it’s sort of a mishmash of federal laws covering certain areas (think HIPAA, the federal privacy law pertaining to health) and state laws. Currently, California, Colorado, Virginia, and Utah have what are intended to be more comprehensive consumer privacy laws (some, experts say, are more effective than others).
All 50 states have laws that require businesses and in most cases government entities to issue notifications about data breaches. But they often differ on what happens next in terms of who’s allowed to enforce the laws and go after companies who screw up, explained Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC). “Some states give attorneys general sole authority to enforce data breach laws, but they don’t give them any resources to do it,” she said. Some states allow for a private right of action, which allows private citizens to sue a company directly, but that can be tricky to navigate. Fitzgerald said courts have often made it hard for individuals to sue because it’s hard to quantify harm and show exactly the cost of your data being lost.
At the federal level, it’s largely the FTC that is charged with handling data breaches. It does so under the FTC Act, which allows it to go after practices that are deemed either deceptive or unfair. It has brought about a number of cases on data security, including going after Uber, Equifax, and Facebook over their handling of privacy. But there are limits on what the FTC can do — companies don’t have to say anything about how they secure data, and again, there’s no federal privacy law outlining any rules. Last year, the Supreme Court also limited the FTC’s ability to seek monetary relief, which ties the agency’s hands even further.
There are ideas on Capitol Hill to create a data privacy agency, including from Sen. Kirsten Gillibrand (D-NY) and Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA). Data privacy, theoretically, is a bipartisan issue, but it turns out Congress is largely only interested in looking at online privacy for kids.
In the meantime, companies keep collecting and losing data, and when that happens, the consequences are underwhelming.
Daniel Solove, a law professor at George Washington University and co-author of Breached! Why Data Security Law Fails and How to Improve It, pointed to the example of data breach notifications, which he says have been taking place since about 2005, when companies started being required to say when a breach happened. (Before that, a lot of the time, no one knew). Yes, it’s good that companies have to say when a breach has occurred, but that doesn’t fix the breach, it just sheds light on it. It’s like a doctor telling you that you have cancer, and when you ask about next steps for treatment the doctor saying that’s it, now you know. “Legislators like to pass a breach notification law because it looks like you’re doing something for security, but you’re not,” Solove said.
There are all sorts of ideas out there about what better data privacy and security laws might look like, including taking a look at what information companies collect, what they do with it, how they monetize it, and how they’re required to protect it. “Enforcers need to require changes to business practices,” Fitzgerald said.
Solove argues that the privacy and security components of data need to be less siloed — basically, good privacy leads to better security. He also notes that there’s only so much you can get from companies, punishment-wise, after a data breach happens. The government sometimes fines businesses when they lose data, but it’s hard for those fines to be big enough to make a real dent. When the FTC fined Facebook $5 billion over its privacy mishaps in 2019, for example, its stock price went up after investors found out.
Oftentimes, fines get passed on to shareholders and workers anyway. And even when businesses are nominally required to change business practices, if they don’t, they’re just hit with another fine. And, again, no company wants to suffer a data breach — to a certain extent, in the modern world with hackers and bad actors out there, they’re inevitable. One person gets fooled by a phishing email and boom.
“There’s no silver bullet,” Solove said. “Breaches are never going to go away — there’s going to be breaches.”
Data that’s never collected can’t be breached
We’ve become pretty accustomed to giving over a lot of information about ourselves to participate in the economy and live in the online world. Sometimes, it’s stuff we know we’re handing over — a credit card number and address to make a purchase, an email address to sign up for a website. Other times, it’s a lot less visible, like when companies are tracking our moves and interests online to package and sell that data to advertisers. But like it or not, data is a big part of the way the economy runs. As Louise Matsakis outlined for Wired in 2019, information about people fuels the digital economy; it’s kind of like oil. Much of the time, we don’t even know what data is out there or who has it because companies sell it and swap it among themselves.
When we talk about data breaches, we often start at the end: the moment the information has already been leaked or hacked. But some privacy advocates say we need to start at the beginning.
“There is a common business model, which is to vacuum up as much personal information about people as possible, even if you have no use for that information, and then sell it to data brokers who then do all kinds of things with it, especially to sling advertisements,” said Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation. “With so much information being systematically vacuumed and monetized, it increases the problems from these data breaches. To say the obvious, the best form of securing data from attack is to not collect it in the first place.” Or, once it’s collected, to delete it once it has been used.
To offer an example, let’s say I order a pizza from Domino’s. I’m going to hand over my address because I want the pizza delivered, and my credit card number if I don’t want to pay in cash. I’m also going to tell Domino’s what kind of pizza I want. All of this makes sense for Domino’s to have — in the moment. They don’t need a permanent record of where I live or what my credit card number is or whether I want pepperoni or sausage on my pizza. They also don’t really need me to create an account to order the pizza, which their website nudges me to do.
In a better and perhaps less risky world, companies like Domino’s would undertake an effort at data minimization, Schwartz said, meaning the business only collects from the consumer the specific information they need for the task at hand. Might it make ordering a pizza from Domino’s slightly less frictionless next time around when I have to input my information again? Sure. But maybe it’s worth it — just ask the hundreds of thousands of Domino’s customers in India whose credit card and order information was exposed in 2021.
On the collection front, Schwartz said it would be better if businesses used opt-in consent, which means they would have to get specific permission from users before collecting and using their personal data. It would be better if people were also able to ask what companies have and have that information deleted. In some places, such as California, there are privacy laws that allow for that. The problem is, oftentimes, people don’t even know who has their data, especially after it changes hands. (Europe’s privacy law does some of this, with varying degrees of success.)
Many of these measures aren’t ones companies are going to take on their own. If data equals money, and it often does, there aren’t incentives for them not to collect it.
“The market isn’t going to give us the right amount of security here,” said Solove. “We need to create some kind of an incentive so that companies can have at least a minimum level of security on what they’re creating — they need to be responsible for what they’re doing and what they’ve built and the costs they’re creating.”
We often take it as a given that companies are going to suck up our data. We know Facebook takes our information and monetizes it so we can use the site for free because, as Mark Zuckerberg explained to the Senate in 2018, “Senator, we run ads.” We create an account to buy concert tickets or order clothes online without thinking, seeing it as part of the game. But we often don’t interrogate how much personal information companies actually need from us, or how long they should be allowed to keep it.
“Data breaches are really dangerous to millions and millions of people. It allows them to be subjected to identity theft, financial fraud, stalking, and much more needs to be done to stop this,” Schwartz said. “At a minimum, that’s strong anti-breach laws that allow the victims to sue the negligent data managers, but more than that, it’s necessary to go to the source, which is businesses vacuuming up our information in the first place.”
We live in a world that’s constantly trying to sucker us and trick us, where we’re always surrounded by scams big and small. It can feel impossible to navigate. Every two weeks, join Emily Stewart to look at all the little ways our economic systems control and manipulate the average person. Welcome to The Big Squeeze.
Have ideas for a future column? Email firstname.lastname@example.org.