147 Million Social Security Numbers for Sale: Developing Data Protection Legislation After Mass Cybersecurity Breaches

Author:McKenzie L. Kuhn
Position:J.D. Candidate, The University of Iowa College of Law, 2019; B.A., Denison University, 2016
Pages:417-445
SUMMARY

The 2017 Equifax breach, which endangered the personal financial information of 147 million Americans, was one of the worst data breaches in U.S. history. In light of this catastrophe and the growing number of mass data breaches, many privacy advocates and U.S. consumers have begun to advocate for federal data protection legislation. However, companies that thrive off big data, such as Facebook,... (see full summary)

 
FREE EXCERPT
417
147 Million Social Security
Numbers for Sale:
Developing Data Protection Legislation
After Mass Cybersecurity Breaches
McKenzie L. Kuhn*
ABSTRACT: The 2017 Equifax breach , which endangered the personal
financial information of 147 millio n Americans, was one of the worst data
breaches in U.S. history. In ligh t of this catastrophe and the growing number
of mass data breaches, many privacy a dvocates and U.S. consumers have
begun to advocate for federal data p rotection legislation. However, companies
that thrive off big data, such as Faceb ook, Amazon, Google, and Equifax,
have spent millions lobbying ag ainst data protection laws. As a res ult, the
United States has no universal, federal data protection la w. Many states and
specific sectors of the economy, s uch as healthcare and finance, have tried to
bridge this gap in legislation with their own da ta protection laws. However,
businesses continue to collect, store, and sell th e personal information of
consumers with few consumer protection s. In comparison, the EU recently
passed the General Data Protection Regul ation (GDPR), which guarantees
EU citizens the fundamental righ t to data protection and forces companies to
implement data protection regulatio ns and baseline security measures when
collecting personal information. Beca use of the growing risks to consumers
due to recent mass-data breaches and th e growth of “big-data” companies, this
Note asserts that Congress should enac t a federal data protection law, similar
to the GDPR, that will adequately protect consumers from future mass
breaches like the 2017 Equifax.
I. INTRODUCTION ........................................................................... 418
II. BACKGROUND OF PRIVACY LAWS IN THE UNITED STATES
AND EUROPEAN UNION ............................................................... 421
A. U.S. DATA PROTECTION FRAMEWORK ..................................... 421
1. Development of the Right to Privacy Under
U.S. Law ....................................................................... 422
* J.D. Candidate, The University of Iowa College of Law, 2019; B.A., Deniso n University, 2016.
418 IOWA LAW REVIEW [Vol. 104:417
2. Examples of Sector-Specific Federal Laws .................. 423
3. State Data Protection Laws .......................................... 425
B. EU DATA PROTECTION LAWS ................................................. 426
C. GENERAL DATA PROTECTION REGULATION ("GDPR") ............. 429
1. Strengthening Privacy Rights of EU Citizens:
Affirmative Consent and Guaranteed Rights .............. 431
2. Requirements for Data Processors and
Controllers ................................................................... 434
III. ADDITIONAL PRIVACY REGULATIONS WOULD PROTECT
CONSUMERS FROM FUTURE DATA BREACHES .............................. 436
IV. RECOMMENDED LEGISLATION: HEIGHTENED
REQUIREMENTS FOR DATA PROTECTION ..................................... 439
A. DATA MINIMIZATION ............................................................. 440
B. DATA BREACH NOTICE REQUIREMENTS ................................... 442
C. ENCRYPTION ......................................................................... 442
D. AFFIRMATIVE CONSENT .......................................................... 444
V. CONCLUSION .............................................................................. 445
I. INTRODUCTION
Have you ever searched your name on Google and immediately found
your phone number and home address on the very first page? Have you
noticed that as you scroll on Facebook, the ads you see are tailored to your
favorite stores and items? Have you ever wondered why certain apps on your
phone track your GPS location, even when the app is not in use? Have you
questioned whom your email address will be shared with when you sign up for
a coupon on a store’s website? Consumers are beginning to ask these
questions in light of recent mass data breaches, like UnderArmour’s
“MyFitnessPal” in 2018, Equifax in 2017, LinkedIn and Yahoo in 2016, and
eBay in 2014, which affected hundreds of millions of Americans. 1
Technology has enabled phones, smart watches, and computers to
recognize an individual’s face and voice, to track a person’s average heart rate
and hours of sleep, or even to collect internet search history, financial
information, and sensitive medical history.2 Additionally, 70% of smartphone
1. Nick Turner, Under Armour Says 150 Million MyFitnessPal Accounts Hacked, BLOOMBERG
(Mar. 29, 2018, 5:09 PM), https://www.bloomberg.com/news/articles/2018-03-29/under-armour-
says-150-million-myfitnesspal-accounts-were-hacked; Elizabeth Weise, Equifax Breach: Is It the
Biggest Data Breach?, USA TODAY (Sept. 7, 2017, 7:54 PM), https://www.usatoday.com/story/
tech/2017/09/07/nations-biggest-hacks-and-data-breaches-millions/644311001.
2. Big Data: Why Do Companies Collect and Store Personal Data, LE VPN (May 26, 2017), https://
www.le-vpn.com/why-companies-collect-big-data. Technology has made it so that [e]very time you

To continue reading

FREE SIGN UP