The way processing systems function means personal data online is part of regular life, as are the dangers that come with it. What exactly are the dangers of unprotected data? What are the roles of citizens, businesses, and the government when it comes to technology and data? How can these stakeholders work together to promote safe cybersecurity practices and frameworks that protect data without infringing on individual rights and freedoms?
Do you ever feel like your smartphone is listening to you? You’re not alone: 72% of Americans believe most of their online actions on their phones and computers are tracked by advertisers and tech firms; 69% believe companies are tracking most of their offline behavior as well, such as where they are; and 80% do not believe they have control over data collected about them. The rest of the world is concerned and confused about data privacy and tracking as well. A global report on data privacy by Ipsos and the World Economic Forum found only one-third of respondents “have a good idea of how much personal data companies hold about them…or what they do with it.”
Why it Matters
At the heart of the issue of data privacy and data protection is individual freedom. America is built on the principle that no one individual or group has the right to control another individual. Today’s computing power enables companies (and governments) to intercept, layer, and analyze seemingly disparate data to draw conclusions about individuals. All digital users should understand what data privacy and protection mean and know how much data is worth; being informed allows individuals to be in control of what is shared or not shared. Individual responsibility, control, and competition amongst platforms would ensure both privacy and protection.
Putting it in Context
Terms to Know
- Personal data – “any information that relates to an individual who can be directly or indirectly identified,” which includes names, email addresses, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions
- Data processing – “any action performed on data,” which includes but is not limited to collection, recording, organizing, and storing
- Data subject – the individual whose data it is
- Data controller – who decides why and how data will be processed (usually a company)
- Data processor – (usually) third-party cloud servers or service providers that process personal data on behalf of the data controller
- Data protection – keeping data safe from unauthorized access
- Data privacy – empowering citizens to make their own decisions about who can process their data and for what purpose
Data Privacy vs. Data Protection
Although they are sometimes used interchangeably, data privacy and protection are not the same thing, nor do they ensure each other. Data privacy refers to who has authorized access to data and “is about what people who have collected your data lawfully can and should do with it and what control you have over that retention and use of data.” Data protection, on the other hand, concerns unauthorized access to and use of data, such as by hackers.
The U.S. Constitution protects individual privacy from government intrusion, but does little to protect that privacy from actors outside the government. This applies to data as well. Data laws provide “individuals with rights over their data, imposing rules on the way in which companies and governments use data, and establishing regulators to enforce the laws.” The first data laws were established in the 1960s, when experts started predicting computing and databases that had recently been made available to the public would facilitate invasion of privacy.
As the Internet expanded, digital market opportunities grew, but crossed a threshold in the 1990s when a product called Lotus MarketPlace: Households made headlines. Advertisements claimed it contained “names, income ranges, addresses, and other information about more than 120 million Americans.” Although it was canceled before release, the world realized how common the trade of personal information had become.
Not long after, online advertisements that targeted people based on data became a normal occurrence, although the data could not be connected to specific people. In 1999, the digital ad company DoubleClick tried to de-anonymize ads, which would connect specific users and their data, resulting in an uproar. The FTC agreed with concerned citizens this would amount to unlawful tracking, and the outcry also prompted the creation of the Network Advertising Initiative, a “self-regulatory association dedicated to responsible data collection and its use for digital advertising.” Still, data brokers today can sell data they collect from sources like public records and credit applications. Businesses running background checks and even law enforcement can turn to this data online.
Businesses and services rely on analytics coming from data sharing, data tracking, and even artificial intelligence. The devices we carry with us and install in our homes all generate data. These new ways of using technology require new ways of thinking about and protecting data. A lack of data privacy and protection opens the door for dangerous actors to take advantage of digital vulnerabilities.
Data Dangers: Breaches
What is at Risk?
Ransomware attacks and data breaches are proof that data and personal information are worth a lot. Data compromised in big breaches – such as those that affected 117 million LinkedIn accounts in 2012, 3 billion Yahoo accounts in 2013, and 500 million Marriott accounts in 2018 – can end up on the black market.
Hackers use personal information from data to create and sell fake documents such as IDs and passports. Criminals can also assemble “comprehensive victim files” called “FULLZ,” which can include date of birth, Social Security number, telephone number, driver’s license number, and banking information.
The chart from The Wall Street Journal breaks down the prices for a single record or piece of information on the black market.
The healthcare industry suffered more cybersecurity breaches than any other industry in 2018 and 2019. There were 510 healthcare data breaches of 500 or more records in 2019; in total, it is estimated that healthcare records of over 12% of the U.S. population were breached. In the first six months of 2020, there were 224 healthcare data breaches of 500 or more records. Then, over 9 million records were exposed in September 2020 alone as a result of a May 2020 ransomware attack on cloud software company Blackbaud that affected at least 80 healthcare organizations.
These breaches come with a big price tag, beyond the black market. When breaches expose sensitive healthcare information, “HIPAA privacy rules are violated – and health systems have to pay up.” In total, the Department of Health and Human Services’ Office for Civil Rights issued over $28 million in HIPAA penalties in 2018, a new record. In 2019, there were 10 financial penalties resulting in over $12 million in penalties, and in 2020 the Office for Civil Rights settled 19 HIPAA violation cases and issued over $13.5 million in penalties.
See all reported breaches being investigated by the U.S. Department of Health and Human Services Office for Civil Rights here.
Financial sector breaches include attacks on financial institutions such as banks, credit unions, credit card companies, investment firms, and pension funds, all of which have seen increases in cyberattacks in recent years. Despite having spent an average of 10% of their annual IT budgets on cybersecurity in 2019, financial service companies are the second-most affected sector, behind healthcare.
From January to August of 2018, 103 financial sector breaches were reported (amounting to almost $17 billion), compared to 37 breaches in 2016. The Capital One data breach in July 2019 exposed the data of over 100 million people in the United States and Canada, including 140,000 social security numbers, 1 million social insurance numbers (the Canadian equivalent of social security) and 80,000 bank account numbers.
One of the most common types of attacks is a Distributed Denial of Service (DDoS), in which a financial service server or network is attacked, resulting in a crash or shut down of the system that denies service to users. Between lost revenue and costs to get systems running again, these attacks can cost a financial institution an average of $1.8 million. Hackers often blackmail financial institutions, forcing them to pay high ransoms to avoid having their servers attacked.
Government institutions are no exception to cyberattacks. The U.S. Office of Personnel Management was hacked multiple times in 2014, and cyberattacks on cities are making headlines. These are mostly DDoS attacks, “waged by criminals who deploy ransomware and lock people out of systems and data used for public services.” The Homeland Security Cybersecurity and Infrastructure Security Agency addresses cybersecurity concerns.
In March 2018, an attack on Atlanta’s computer networks affected the Department of Public Safety, the state and local court systems, a major hospital, the county government, and a police department. In May 2019, hackers targeting Baltimore left the city with over $18 million in lost revenue and expenditures to get the network up and running again. In August 2019, hackers infiltrated computer systems and encrypted the data of 22 cities in Texas (NY Times).
In December 2020, a massive data breach linked to the Texas-based software company SolarWinds was reported. Hackers – believed to be Russia’s foreign intelligence service – attached malware to a SolarWinds software update, which affected 18,000 of SolarWinds’ customers in the government and private sector worldwide between March and June 2020. Hackers spent months inside U.S. government networks; affected federal agencies included the Commerce Department, the Department of Homeland Security, the Pentagon, the Treasury Department, the U.S. Postal Service, and the National Institutes of Health. The task force formed in response, the Cyber Unified Coordination Group (UCG), is still investigating.
For an understanding of scope, see this list of significant cyber incidents compiled by the Center for Strategic and International Studies.
The Role of the Private Sector and Government
The Private Sector: Big Tech
With the increase in cyberattacks affecting citizens’ personal information, some states have enacted laws to address data security measures of private sector entities. As of May 2019, the National Conference of State Legislatures reports at least 25 states have enacted laws requiring businesses to implement and maintain “reasonable security procedures and practices,” putting responsibility in the hands of companies that hold subjects’ data. As of early 2021, states from Washington to Oklahoma to Florida are pushing ahead with further data protection legislation. These laws target all businesses for the safety of states’ residents, but big tech companies such as Amazon, Apple, Facebook, Google, and Microsoft (which together make up half of the top 10 most valuable companies on the American stock market) are central to issues of data privacy due to their size and scope.
In April 2021, Apple released a software update feature called App Tracking Transparency, which will ask users via a pop-up if they want an app tracking their data. If users opt out, some say this means “companies that use targeted advertising will lose a major source of data, and, therefore, revenue.”
Facebook claims these new rules will hurt small businesses by restricting advertising, but whether it weighs heavily on the market value of these larger companies remains to be seen: The market for global data protection and cybersecurity as a service accounted for almost $10 billion in 2018, and is anticipated to reach $103.8 billion by 2027. The market for big data, data analytics, and cloud services in general is expected to reach $11 billion by 2022 and continue growing to $51.9 billion by 2025.
Digitizing patient data has created a market for tech giants, whose technologies can store and analyze data. In 2018, Google partnered with the second-largest health system in the country, St. Louis-based Ascension, to improve patient care and create a faster, more manageable system of electronic record keeping. Through the partnership, called Project Nightingale, Google received access to data of over 50 million patients. In November 2019, however, Ascension and Google faced pushback when patients and doctors learned about the data sharing, of which they had not been aware.
Despite this, big tech’s footprint in the healthcare marketplace has only grown, particularly in the face of the coronavirus pandemic. Google and Mayo Clinic launched an artificial intelligence initiative in October 2020 to store the hospital system’s genetic, medical, and financial records. Google also launched another AI tool that would help healthcare providers search through medical documents. Microsoft and Amazon have also been granted access to detailed, identifiable patient information in deals to develop apps and algorithms that assist with hospital operations. The Microsoft Cloud for Healthcare “allows providers to connect with patients via telehealth, optimize insights and collaborate with other healthcare organizations.” Amazon Web Services made its COVID-19 data available to support hospital systems, researchers, and public health officials.
Hospitals are playing a crucial role “as brokers to technology companies racing into the $3 trillion health-care sector.” The technology companies in the healthcare sector can offer innovations and benefits to hospitals and medical professionals. Hospitals generate massive amounts of data, and there is currently no single place where physicians can go to find patient data – most hospitals still fax paperwork! Technology companies can facilitate interoperability, or the ability for “health information systems to work together within and across organizational boundaries,” which would allow healthcare providers to coordinate patient care regardless of geographic location. The WSJ explains more reasons why big tech wants to access your medical records:
National Security and Defense
Data privacy concerns apply not only to individuals and businesses, but also to the government. For example, a significant challenge for the U.S. armed forces is “how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk,” according to one WSJ report. What does national security mean in the digital age for federal agencies like the National Security Agency (NSA) and the Department of Defense (DOD) that oversee the protection of our country? Admiral Mike Rogers, former director of the NSA and former commander of the U.S. Cyber Command, discusses the role of these agencies and data privacy in terms of individual, private sector, and government control with Cyndi Gula of Tenable Network Security at The Policy Circle 2019 Summit.
When the DOD wanted to implement a plan for its Joint Enterprise Defense Infrastructure (JEDI), the Pentagon’s effort to modernize its systems, the only two potential bidders were Amazon (which previously built cloud services for the CIA) and Microsoft because “the U.S. military’s unique demands required companies of unique scale.” Microsoft received the $10 billion, 10-year contract to transform the military’s cloud computing system, which involves businesses renting space “on technology companies’ server computers, giving them cheap and fast access to storage and processing” on which to keep their data. Amazon owns about a third of this market, and Microsoft owns just under 20%.
Intelligence and Law Enforcement
Given their market share of data storage and management, another debate regarding big tech companies is their ability to track users across the internet. This is an argument as to why tech companies have too much power, but it also puts them in a unique position to assist intelligence agencies with identifying potential threats – if they choose to do so.
In October 2019, Facebook announced end-to-end encrypted messaging in WhatsApp and Messenger, meaning only the sender and recipient can read the messages. This denies access to hackers and criminals, but also government and law enforcement. The heads of WhatsApp and Messenger explained that “any ‘backdoor’ access into Facebook’s products created for law enforcement could be used by bad actors,” meaning data in even private messages could be vulnerable. The Justice Department immediately took issue with the privacy announcement, arguing, “Companies should not deliberately design their systems to preclude any form of access to content even for preventing or investigating the most serious crimes.”
These tech companies are making their presences known in the healthcare, national security, and intelligence sectors, but in order to get ahead of one another, they must keep innovating. This means new technologies and advancements that can make our lives easier and safer, but it can also mean looking into how deeply the roots of each company run – that is, how many acquisitions these tech leaders have made to become as big as they currently are. Innovation requires data, but smaller businesses have trouble keeping up with these larger companies, which often simply acquire startups with market potential. And even if they don’t buy out smaller companies, the tech giants tend to set the ceiling of expansion by creating platforms startups have to use. For example, any new app needs to be available on either the Google or Apple app store, which means Google or Apple takes a share of the app’s profit. Even Netflix operates on Amazon’s cloud-storage services.
Federal government agencies including the Department of Defense (which houses the National Security Agency), the Department of Homeland Security (which houses the Transportation Security Administration), Central Intelligence Agency, and the Federal Bureau of Investigation are actively engaged in cybersecurity measures. The following chart breaks down allotments for cybersecurity spending. For the fiscal year 2020, $17.4 billion was allocated for cybersecurity, an increase of 5% ($790 million) from 2019. Over $18 billion was requested for FY2021.
This increased attention at the federal level has not been emulated at the state level, despite mounting numbers of cyberattacks over the past few years. According to the 2020 National Survey of Local Government Cybersecurity Programs from the Public Technology Institute, fewer than one-quarter of IT executives say their elected officials are actively engaged in their government’s cyber efforts, and two-thirds say they do not believe their cybersecurity budget is adequate. While 87% of local governments provide cybersecurity training for employees, only 56% of those provide ongoing training and 33% provide training only once a year.
In May 2020, a group of government-focused organizations including the National Governors Association, the National League of Cities, and the National Conference of State Legislatures sent a letter to Congress asking it to authorize and fund a cybersecurity program to meet the needs of state and local governments. Legislation that would do so has yet to pass; the State Cyber Resiliency Act, introduced in April 2019, received no vote, and the State and Local Cybersecurity Improvement Act was passed by the House in September 2020 but failed in the Senate.
Congressional committees responsible for cybersecurity and data privacy include:
- The Senate Committee on Commerce, Science, and Transportation
- The House Committee on Energy and Commerce
- The Senate Select Committee on Intelligence
- The House Permanent Select Committee on Intelligence
There is no single law that regulates consumer protection in data collection. For the time being, the U.S. government approaches “privacy and security by regulating only certain sectors and types of sensitive information…creating overlapping and contradictory protections.” Currently, the most all-encompassing privacy and security law protecting data in the U.S. is HIPAA, but it is specific to the healthcare industry, applies only to certain entities, and “leaves most Americans with no grasp of when their health info is protected and when it is not.”
The Federal Trade Commission (FTC) considers itself the top enforcer of data security, given its power to prohibit “unfair and deceptive trade practices” under Section 5 of the FTC Act. However, the FTC has limited jurisdiction when it comes to nonprofit entities and financial institutions. Other companies also frequently push back against the FTC’s legal authority to police data security, making a central watchdog difficult to maintain. The chart breaks down which agencies are in charge of investigating which crimes.
Case Study on Patchwork Legislation: Biometrics
Among the states, different privacy laws dictate proper security requirements and protocols. Laws concerning biometrics provide a closer look at what these differences entail. Biometrics “measure and analyze people’s unique physical and behavioral characteristics,” including “DNA, fingerprints, eyeballs/irises/retinas, voiceprints, handprints, and facial geometry,” among others. Airports, hospitals, banks, and stores are turning to biometrics for security purposes, but biometrics also make workforce management, tax calculations, and reporting easier. According to one 2018 survey, over 60% of companies already were using biometric authentication for verification and access.
Critics of these technologies focus on the potential abuse of information. States including Illinois, Texas, and Washington already have laws governing storage and use of biometrics, and San Francisco banned facial recognition technology altogether in May 2019. Oregon, Massachusetts, and Maine authorized their own bans in 2020. Businesses need to understand the laws in their states and “make sure they have policies for how consent is gathered, how data is stored, and when it is destroyed.” Some businesses are facing lawsuits over biometrics in the workplace, which has prompted law firms to specialize in biometric privacy litigation. Innovators in the biometric technology fields are likely to skip states that have broad regulations, which will no doubt have economic implications. Projections show the biometrics system market growing from about $17 billion in 2018 to almost $42 billion in 2023.
Other State Level Legislation
The main reason for an excess of state legislation in the realm of data privacy is that it passes more easily. This also means States’ Attorneys General are more able to enforce consumer protection laws when it comes to data privacy. The most influential privacy law overseeing data-collection is California’s Consumer Privacy Act. The law, passed in June 2018 and in effect as of January 1, 2020, is expected to heavily impact California’s digital economy; consumers’ rights to delete their data will affect companies that earn revenue through targeted advertising or by collecting and selling data to third parties. Such companies that operate nationally but have customers in California may need to change their business paradigm or develop a “patchwork data regime” to comply with the California law.
On the other hand, voters in California approved a follow-up measure in November 2020. The California Privacy Rights Act, set to go into effect on January 1, 2023, will create a consumer privacy agency to take responsibility for privacy law violations. Nevada and Maine have followed suit, passing their own personal data protection laws, and states from Washington to Oklahoma to Florida are pushing ahead with data protection legislation as of early 2021. A number of states including New York, New Jersey, Maryland, Oregon, and Texas have also passed data breach notification laws. As more states look to pass legislation, it may provide more protections for consumers but also raise additional questions for businesses.
Framework for a Single National Law
Many believe these state endeavors, particularly California’s law, could be the turning point that spurs lawmakers into action to create a national law for data privacy and security, similar to the European Union’s General Data Protection Regulation. What would such a law look like in the U.S.? Many believe it should focus on protecting the personal data of everyday citizens; providing consumers with transparency and control; and ensuring proper governance and enforcement of safety measures. In doing so, it would:
- Champion consumer privacy and promote accountability to enhance customer trust;
- Foster innovation and competitiveness to demonstrate U.S. leadership in the realm of privacy for the purpose of innovation and economic competitiveness;
- Harmonize regulations to eliminate the existing patchwork system;
- Achieve global interoperability to cooperate with the international economy and e-commerce transfers of personal data.
Other countries from Argentina to Singapore have legislation protecting data. Some laws require businesses and companies to have privacy policies, others require that users are informed of the purposes of data collection, and some even require users to consent to data collection and use before companies have access. See a full list of countries with national privacy policies here.
Meanwhile, in other countries like China, data privacy is almost non-existent. On the one hand, a lack of data privacy paves the way for practically limitless innovation; in the U.S. and Europe, data privacy regulations can often stifle creativity. On the other hand, these types of laws also protect citizens from government control, and in China many are afraid of “the endless demands of the state power for personal information of citizens, and the use of this information to combat and control all acts of resistance.” In the last few years, uproar from Chinese consumers has prompted the Cyberspace Administration of China to issue data protection guidelines, but how these will be enforced remains to be seen. For more on China’s surveillance methods and its role in building infrastructure around the world as part of its Belt and Road initiative, see The Policy Circle’s Digital Landscape Brief or Foreign Policy: Asia Pacific Brief.
There is strong bipartisan support for an act to address national data security, although no particular legislation has gained momentum in Congress.
Healthcare. Banking. Government. Today’s digital world is inundated with data across almost all sectors. The U.S. needs to keep pace with technological advances to be at the forefront of global digital innovations and protect national security. At the same time, citizens cannot sit idly by and let the government or the private sector run the show. The combination of educated citizens and proper oversight mechanisms in line with democratic values will protect the rights of individuals from excessive government or private sector control and empower individuals to take responsibility for their data.
Ways to Get Involved/What You Can Do
The purpose of this brief is to prompt you to think about your own data. How much do you value your privacy? How do you define privacy? It is a national issue, a state issue and a local issue because your schools and your cities are all targets for cyberattacks.
- Find out what your local and state government institutions are doing to protect your data.
- Find how your health data is protected and shared.
- Consider your data protection and practices at home and at work. Take a look at this Data Detox Kit for ideas.
- Review the list of legislation presented above and invite your representatives in Congress to discuss their position on the topic with your Policy Circle. By voicing your interest, you draw their attention to the topic.
This is a topic that could be presented in the context of a community forum. Data security poses a threat to our well-being, and data privacy laws can also clamp down on innovation. Additionally, it’s important to keep in mind that in other countries, data privacy is handled very differently by the government and the private sector.