One of the largest credit-rating bureaus in the United States suffered a data breach in May 2017 (link). This breach, not discovered until the following July, was made public only in September. According to Equifax, the exposed data includes names, birth dates, credit-card numbers, and Social-Security numbers (an important ID number for U.S. citizens and residents), among other things (link).
About half of the adults in the U.S. were exposed (link), along with some 44 million UK consumers (link). Although most of the victims are U.S. residents who will not be protected by the GDPR, there is probably a large number of affected persons across the EU who are U.S. or U.K. citizens, and for whom GDPR protections will apply as of next May. For someone trying to gauge the impact of the GDPR on data-controllers and processors (as I assume you are if you are reading this), the Equifax case poses a number of questions.
How would this play out under GDPR?
The first question that comes to my mind is how such a massive breach would be treated by the EU. For one thing, there’s the question of which national data-protection authority would take the lead if the data controller or processor (DCoP) suffering the breach has not designated a GDPR representative in the EU (GDPR 1 (80)).
A second question arises as to how the DCoP would be fined or otherwise sanctioned, in the event that it refused to pay fines or co-operate with the lead data-protection authority. Could the EU block access to that company’s web site? In a case like Equifax’s, could it prohibit European businesses from using data furnished by the data controller? We will likely not know until actual cases have arisen and gone through the courts.
Equifax is a U.S. company with relatively little business in the non-UK E.U. That said, several similar U.S. credit-reporting agencies have considerable E.U. business (https://en.wikipedia.org/wiki/Credit_bureau). These companies collect personal data automatically, for sale to anyone interested in someone’s credit rating. Unlike, say, social media, you cannot maintain your privacy by refusing to sign up for the service. Credit agencies have become a kind of infrastructure, a necessity of life in the U.S.
Even major social media platforms have become a kind of infrastructure. People tell me that it’s hard to get a job if you’re not on social media; not only do you miss opportunities, but you’re considered to be an oddball if you can’t be looked up. Most large social-media companies are based in the U.S.
Is this our future?
Recent headlines lead me to believe that there will be no shortage of data cases for the courts to chew on. The problem is so severe in the U.S. that one major magazine, The Atlantic, has suggested that the public has simply become accustomed to the loss of privacy (link).
People have started to experience data loss and theft in a new way. Breaches have settled into a kind of modern malaise, akin to traffic or errands. They are so frequent and so massive that the whole process has become a routine.
Online data, like usernames and passwords, have been leaked and hacked with such frequency and in such great quantities (a hacker stole more than a billion Yahoo! email accounts in 2013), that savvy people treat their credentials as violated in advance. Breaches of more sensitive data, like bank, social-security, address, and health or employment records, have also become common. Home Depot, Target, Sony, Anthem, the U.S. Office of Personnel Management, and other recent violations felt shocking and violating at first, but over time that sensation has waned. […]
Most organizations affected by hacks and leaks have treated the matter with great seriousness and care, understanding that their reputations were on the line. But whether intentionally or not, Equifax appears to have leaned into the new malaise, treating this massive breach with the bureaucratic apathy one might expect from a big, faceless credit-reporting agency — a company everyone must use, but no one chooses to. [emphasis added]
Yes, yes, I realize that this is what the GDPR is meant to stop, but how do you put a stop to bad practices at organizations that are officially or effectively part of the infrastructure, the kind of service that “everyone must use”? Is the E.U. really going to levy a huge fine against a government entity, a public utility, or a company that employs tens of thousands of E.U. citizens? After spending hundreds of billions to rescue European banks, will they be put out of action by a 4% fine? I think we all know the answer to that.
So what can the GDPR do?
For one thing, we can try to make software better. The Atlantic article goes on to say:
There are reasons for the increased prevalence and severity of these breaches. More data is being collected and stored, for one, as more people use more connected services. Corporate cybersecurity policy is lax, for another, and sensitive data isn’t sufficiently protected. Websites and apps, which are demanded by consumers as much as they serve the interests of corporations, expose paths to data that should be better firewalled. Software development has become easy and popular, making security an afterthought, and software engineering has failed to adopt the attitude of civil service that might treat security as a first-order design problem. And hacking and data theft have risen in popularity and benefit, both as an illicit business affair and as a new kind of cold warfare. [emphasis added]
Here we find several reasons why breaches have become so common:
- More data is collected than ever
- There are ever-more web sites
- Corporate security is poor (link, link)
- Software has become easy, in part because any thought of engineering-like attention to quality or design has largely been abandoned (link)
There is truth in all of these assertions. The GDPR, if it is able to adhere to its stated goals, can rein in some of these tendencies, such as:
- If justification for processing is required, perhaps less personal data will be collected
- If web sites have to follow higher privacy standards, perhaps there will be fewer of them
- Corporations may up their game on security
- Software development may clean up its act; as I have said in another post (link), privacy by design implies that one must have a design in the first place
Can the EU really protect its citizens from the World Wide Web?
Suppose that you are a business and have to make a decision about someone. It might concern whether to hire her as an employee, extend credit to her, or rent her an apartment. Suppose further that key information about this person, such as whether she is highly indebted or has previous criminal arrests, would be helpful to you in minimizing the risks of your decision. You find that such information is not available from European sources due to privacy restrictions.
What is to stop you from looking at sources outside of the EU? In fact, even if most countries sign on to a GDPR-compatible legal scheme, what is to stop the appearance of ‘data havens’ that offer this kind of information? (link)
Is the GDPR the equivalent of raising the dykes in an attempt to hold back a rising sea level?
[Update 12 September: The U.S. state of Massachusetts has announced a lawsuit against Equifax for negligent handling of its citizens’ personal data (link). Many private parties have sued as well. I don’t know enough about European law to know if individual countries, such as the U.K., can sue Equifax, or if that must go through a European body.]