States Should Revisit Their Data Breach Laws

Do states need to update their regulations after the Cambridge Analytica debacle?

by / June 2018

Data breaches are a serious problem. Last year, there were a record number of data breaches in the U.S., with the total increasing 44 percent over the previous year. Following revelations that Cambridge Analytica, a UK political consultancy, gained illicit access to data on 87 million Facebook users, many were left with a simple question: Was this a data breach?

According to Facebook, it was not. Indeed, the circumstances around how Cambridge Analytica came to acquire the data in question do not fit the profile of a typical security breach.

Most data breaches involve some type of hacking, such as phishing attacks and ransomware, where an attacker successfully exfiltrates data from an adversary’s computer system. In this case, 300,000 Facebook users downloaded an app created by Aleksandr Kogan, a Cambridge University researcher, allowing him to collect data on them and their friends. As Paul Grewal, Facebook’s deputy general counsel, notes, “People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

The distinction matters because companies must report data breaches. Unfortunately, every state has its own data breach notification law, and each state’s law is different in terms of what personal information it covers and what triggers a requirement to notify consumers or regulators of a breach, creating a regulatory headache for most companies.

But even if the Cambridge Analytica incident was not technically a data breach, it certainly involved data misuse. Regardless of whether Kogan acquired the data lawfully, he sold it to Cambridge Analytica, which then used it for commercial purposes — both actions in violation of Facebook’s terms of service. And Cambridge Analytica misled consumers and Facebook about how their data would be used. This raises the question of whether policymakers should update their data breach notification laws to cover misuse.

There is a strong case to be made for doing so. After all, for most consumers, the method by which a third party misused their personal information is likely of less concern than the fact that their information was misused to begin with. But if a data misuse standard is not sensitive enough, it will fail to protect consumers. And if triggered too easily, consumers could become inundated with notifications, rendering them ineffective.

While a federal data breach law would be ideal, if states update their laws to account for data misuse, they should consider three points.

First, data misuse notification laws should only apply to first-party data, i.e., data collected directly by a company. While states have clear jurisdiction over companies doing business in their state, they have limited ability to enforce laws against foreign companies that have no domestic presence. But as the Cambridge Analytica incident has made clear, various third parties, some of which may be located abroad, have access to consumers’ personal data even though they have no direct connection to those individuals. The onus should be on the company with first-party data to notify their customers in the event of data misuse by one of their partners.

Second, data misuse notification laws should include a harm analysis provision. If a company can reasonably determine that the data misuse was incidental and would not likely lead to consumer harm, then it should not be required to notify consumers. Such a provision would incentivize companies to clarify their expectations for how their business partners handle data and their recourse in the event of data misuse.

Finally, companies should disclose what steps, if any, they take to ensure their business partners adhere to their data handling policies, such as conducting audits. Companies can’t report on data misuse by their partners if they are unaware of the problems.

In short, policymakers shouldn’t restrict companies from sharing data with business partners, but they should hold companies accountable for the commitments they make and the business partners they use. Doing so will reward companies that use responsible data handling practices and provide consumers more choice.

Daniel Castro Contributing Writer

Daniel Castro is the vice president of the Information Technology and Innovation Foundation (ITIF) and director of the Center for Data Innovation. Before joining ITIF, he worked at the Government Accountability Office where he audited IT security and management controls.