Maciej Zawadziński: A recent Pew Research survey confirms that US citizens are getting more concerned about the security of their personal data online. What is the cause of this? What has contributed to the growing distrust towards using online services and products?
Max Ossé: I think it’s a confluence of a few factors. The first factor is the fear of increasingly frequent and large data breaches. There have been at least five major breaches reported in just the first four months of 2021, putting at least 51 million people’s data at risk in the first quarter alone. Most recently, a ransomware attack forced the temporary closure of the US Colonial Pipeline, threatening to disrupt the supply of petrol to millions of people.
The second factor is an increased understanding of the personal risks when data is breached, including untangling the mess of a stolen identity, overcoming financial loss and in some cases even concerns for physical safety. Third, national and world events have shown the amount of power concentrated in the hands of companies with a treasure trove of peoples’ data. Leaders of US tech giants have had to testify in front of Congress to explain their business models and how they’re monetizing citizens’ data.
Lastly, knowledge of some of the regulations that have been put in place to protect citizens’ data has reached the public.
I think it’s safe to say that ten years ago the average American was not aware of HIPAA. Whereas today, “HIPAA” is cited by doctors and other medical professionals often enough that while people may not know the specifics of the Health Insurance Portability and Accountability Act, they know that their personal health information needs to be protected. This general understanding extends to all other types of personal data. It’s accompanied by the growing number of companies that sell directly to consumers services geared towards security and privacy, such as monitoring for unauthorized use of personal information or private VPNs that promise to hide web activity from “prying eyes”.
Additionally, since the launch of GDPR and CCPA, it’s rare that a website doesn’t have cookie notifications and privacy settings. Through them, visitors have to explicitly (in some cases, tacitly) acknowledge that some of their data is being collected and choose to opt in or out. All of these factors build a picture in peoples’ minds that their data needs to be kept safe and there’s hesitancy to trust data collectors.
Maciej Zawadziński: With California’s introduction of CCPA and similar legislation brewing in other states, it looks like citizens’ online privacy will be secured on the state level. Why are states spearheading this and not the federal government? Is there any pro-privacy legislation planned on the federal level?
Max Ossé: I think California is the premier innovative state in the country, and as a result, it’s a bit of a legislative bellwether. Virginia’s governor signed the Virginia Consumer Data Protection Act (VCDPA) into law on March 2 this year. Here in New York, we’re awaiting the passage of the New York Privacy Act later this year.
It is similar to CCPA in many ways, with a few measures that go beyond California’s and mirror the EU’s GDPR, such as no minimum revenue requirements, no exemptions for non-profits or individuals and consent that requires a checkbox for each data processing activity, including third-party access. New York State residents will also have the right to access, correct, delete and restrict access to their personal data. It’s also worth noting that there are about a dozen other states including Massachusetts and Nevada that have data privacy bills in varying stages of maturity.
Why states are leading data privacy efforts, versus the federal government, has probably more to do with states operating with relative autonomy with the exception of federal laws that supersede them. Without going into too much of a civics/history lesson, the federal government operates from a perspective of federalism. This ironically means that the federal government stays out of states’ business except when there’s a need for legal uniformity across all 50 states and territories. American states’ legislative agenda is driven by their political and jurisdictional priorities. So while there may be lawmakers in each state who may want to pass some form of data privacy reform, there may not be enough lawmakers in agreement for bills to actually become state law.
As for the federal government’s involvement in data privacy and security, I think it’s just a matter of time until we see data privacy regulations that cover the United States as a whole. There’s a bill called the Information Transparency & Personal Data Control Act that didn’t get passed into law in 2019. It’s been recently reintroduced by Representative Suzan DelBene (D-WA). If it gets passed into law, it would create a GDPR-like data privacy and security blanket over US citizens. It would introduce data collection opt-ins, require companies’ privacy policies to be “plain English” and create a national standard that would supplant states’ laws.
Maciej Zawadziński: With its opt-in consent and huge fines for breaches, GDPR generally favors the privacy of citizens over business needs. On the other hand, CCPA’s opt-out requirement and low fines seem to work in favor of data collectors. Do you have any thoughts on why legislators in the US are taking a different approach?
Max Ossé: The answer to this question could outlast three pints at a pub. I think legislators’ incentives for these kinds of legislation hinge on the relative benefits for two constituencies in this equation: businesses and citizens. Many lawmakers are hesitant to introduce legislation or regulation that could potentially stifle innovation and economic growth. There are also many lawmakers who hold the security and well-being of their citizens as paramount.
My take is that these lawmakers, many of whom hold both constituencies in equal regard, have to find a middle-ground in order for there to be legislative progress. As a result, the compromise is that damages for infractions are more compensatory than punitive. Citizens get restitution and businesses learn a lesson without incurring fines that could potentially bankrupt them.
Practically speaking, however, if an organization meets the revenue and personal data records thresholds ($25 million annually, and 50,000 individuals, respectively) the CCPA has no limits on the number of violations eligible for statutory recompense. With a maximum per-individual fine of $7,500 for each occurrence of an intentional violation, if there are tens or hundreds of thousands of individuals affected, fines could reach into the billions of dollars.
Maciej Zawadziński: Remaining compliant with GDPR can be a challenge for European companies. Are US companies struggling to comply with their state privacy laws as well? And when doing business in the EU, how are they doing with staying in line with the GDPR?
Max Ossé: Many companies have entire departments dedicated to handling CCPA requirements which enable them to stay compliant with the legislation. I know of companies that reacted similarly when GDPR was enacted. Fulcrum Analytics has woven data privacy and security into our company culture. It’s essential that everyone in the organization understands their role in keeping data secure.
I think companies that are able to dedicate resources to data security and take a holistic and proactive approach for data privacy tend to do better at staying in line with regulations. Aiming to be responsible stewards of citizens’ data tends to feel less burdensome than aiming to stay in line with regulations. That’s not to say that there’s no burden on personnel who are ultimately responsible for compliance. But from what I’ve observed, after an organization has gotten over its initial panic of “how are we going to deal with this new, irksome regulation?” and has people, processes and pronouncements in place, there’s less of a sense of struggle and more a resolve to tackle regulatory challenges as they come.
Maciej Zawadziński: Public perception of Big Tech in the EU has worsened significantly. What is more, Big Tech has a lot of GDPR compliance problems in the EU. How is Big Tech doing now in the US?
Max Ossé: I think Americans’ perception of Big Tech depends on who you ask and when you ask. There’s a rapidly growing US population of people who spend significant amounts of time online and don’t know a world without the Internet and social media.
Younger citizens tend to care less about data security and privacy, make generous use of apps and games that collect personal data on them and widely document their personal lives on social media.
On the other end of the spectrum, there are people who have very strong negative feelings and mistrust the tech giants. They steer clear of social media and don’t use mainstream search engines or web browsers, and they work hard to minimize their digital footprints.
Somewhere between those two groups are Americans whose views on the Big Tech companies depend on variables such as the necessity (or perceived necessity) of the tech product/service, news headlines or brand loyalty. I think most Americans get enough value from these companies that convenience trumps any misgivings they may have, as evidenced by Amazon’s growing market share in every category of product it sells, as well as social media companies reporting year-over-year revenue growth. This bit of consumer confidence exists despite leaders of some of the larger social media platforms testifying in front of Congress about how their companies generate revenues, which brought fresh scrutiny and occluded answers.
Max Ossé is the Senior Vice President of Information Technology at Fulcrum Analytics. A graduate of the University of Florida and Columbia University, he has over a decade of experience in information security and data privacy. When he’s not working on anything technology-related, you’ll find him running, biking or hang gliding. Max can be found on LinkedIn.