147 Million Social Security Numbers for Sale: Developing Data Protection Legislation After Mass Cybersecurity Breaches

Author: McKenzie L. Kuhn
Position: J.D. Candidate, The University of Iowa College of Law, 2019; B.A., Denison University, 2016
Pages: 417-445
ABSTRACT: The 2017 Equifax breach, which endangered the personal
financial information of 147 million Americans, was one of the worst data
breaches in U.S. history. In light of this catastrophe and the growing number
of mass data breaches, many privacy advocates and U.S. consumers have
begun to advocate for federal data protection legislation. However, companies
that thrive off big data, such as Facebook, Amazon, Google, and Equifax,
have spent millions lobbying against data protection laws. As a result, the
United States has no universal, federal data protection law. Many states and
specific sectors of the economy, such as healthcare and finance, have tried to
bridge this gap in legislation with their own data protection laws. However,
businesses continue to collect, store, and sell the personal information of
consumers with few consumer protections. In comparison, the EU recently
passed the General Data Protection Regulation (GDPR), which guarantees
EU citizens the fundamental right to data protection and forces companies to
implement data protection regulations and baseline security measures when
collecting personal information. Because of the growing risks to consumers
due to recent mass-data breaches and the growth of “big-data” companies, this
Note asserts that Congress should enact a federal data protection law, similar
to the GDPR, that will adequately protect consumers from future mass
breaches like the 2017 Equifax.
IOWA LAW REVIEW [Vol. 104:417]

I. INTRODUCTION
II. BACKGROUND OF PRIVACY LAWS IN THE UNITED STATES AND EUROPEAN UNION
A. U.S. DATA PROTECTION FRAMEWORK
1. Development of the Right to Privacy Under U.S. Law
2. Examples of Sector-Specific Federal Laws
3. State Data Protection Laws
B. EU DATA PROTECTION LAWS
C. GENERAL DATA PROTECTION REGULATION ("GDPR")
1. Strengthening Privacy Rights of EU Citizens: Affirmative Consent and Guaranteed Rights
2. Requirements for Data Processors and Controllers
III. ADDITIONAL PRIVACY REGULATIONS WOULD PROTECT CONSUMERS FROM FUTURE DATA BREACHES
IV. RECOMMENDED LEGISLATION: HEIGHTENED REQUIREMENTS FOR DATA PROTECTION
A. DATA MINIMIZATION
B. DATA BREACH NOTICE REQUIREMENTS
C. ENCRYPTION
D. AFFIRMATIVE CONSENT
V. CONCLUSION

I. INTRODUCTION
Have you ever searched your name on Google and immediately found
your phone number and home address on the very first page? Have you
noticed that as you scroll on Facebook, the ads you see are tailored to your
favorite stores and items? Have you ever wondered why certain apps on your
phone track your GPS location, even when the app is not in use? Have you
questioned whom your email address will be shared with when you sign up for
a coupon on a store’s website? Consumers are beginning to ask these
questions in light of recent mass data breaches, like Under Armour’s
“MyFitnessPal” in 2018, Equifax in 2017, LinkedIn and Yahoo in 2016, and
eBay in 2014, which affected hundreds of millions of Americans.1
Technology has enabled phones, smart watches, and computers to
recognize an individual’s face and voice, to track a person’s average heart rate
and hours of sleep, or even to collect internet search history, financial
information, and sensitive medical history.2 Additionally, 70% of smartphone
1. Nick Turner, Under Armour Says 150 Million MyFitnessPal Accounts Hacked, BLOOMBERG
(Mar. 29, 2018, 5:09 PM), https://www.bloomberg.com/news/articles/2018-03-29/under-armour-says-150-million-myfitnesspal-accounts-were-hacked;
Elizabeth Weise, Equifax Breach: Is It the Biggest Data Breach?, USA TODAY (Sept. 7, 2017, 7:54 PM),
https://www.usatoday.com/story/tech/2017/09/07/nations-biggest-hacks-and-data-breaches-millions/644311001.
2. Big Data: Why Do Companies Collect and Store Personal Data, LE VPN (May 26, 2017),
https://www.le-vpn.com/why-companies-collect-big-data. Technology has made it so that [e]very time you
