When credit-reporting agency Equifax first revealed the theft of personal and financial data from more than 145 million of its customers last fall, some cybersecurity experts believed the time was finally ripe for Congress to craft data-security and breach-notification rules for all aspects of the U.S. economy.
Months later, most now admit their expectation of congressional action was misplaced. While the steady drumbeat of data breaches continues and lawmakers still give lip service to the notion of federal standards beyond the health care and financial sectors, the broader political gridlock gripping Washington seems to have stymied Capitol Hill.
“I don’t suspect that there’ll be [federal legislation] right now,” said Jocelyn Aqua, a privacy and cybersecurity expert at consulting firm PwC. “I would’ve thought with Equifax, that would’ve been the closest.”
But the absence of wide-ranging federal rules governing corporate cybersecurity doesn’t mean Americans are stuck in limbo when it comes to data privacy. In fact, most experts believe that over the next several years, consumers will experience a significant increase in the level of protection and notification they receive when their corporate-held data is stolen or comes under threat.
The catalyst of this expected shift is a set of sweeping new data-privacy rules that regulators in the European Union will start enforcing in May. Dubbed the General Data Protection Regulation, these rules dramatically expand the types of consumer data protected under EU law, increase the ability of European consumers to exert control over their data, and give companies a slim 72-hour window to disclose breaches to consumers and regulators.
Any American company that does business with Europeans—even those with no physical presence on EU soil—will have to comply. And regulators are expected to dish out up to $6.4 billion in fines per year to recalcitrant companies, making it imperative for U.S. firms to change their privacy practices accordingly.
“The threat of 2 to 4 percent of global revenue in fines for violations is real, especially since the EU has demonstrated it has no qualms throwing large fines at U.S. tech companies,” said David O’Brien, a senior researcher at Harvard University’s Berkman Klein Center for Internet & Society.
Though the new law applies only to European consumers, it’s expected to also have a powerful impact on the protections afforded to Americans.
Because it’s difficult and expensive for companies to navigate a patchwork of varying data-protection standards, many U.S. firms will likely harmonize their global data-privacy and breach-notification practices with Europe’s strict new model.
“We’re looking at this completely holistically for the protection and privacy of our customers,” said Grant Bourzikas, the chief information security officer at cybersecurity firm McAfee.
Bourzikas made clear that the majority of protections granted to European consumers will be passed on to McAfee’s customers in the U.S. “We’re embedding it in how we operate as an organization,” he said.
Tom Pendergast, the chief security and privacy strategist at consulting firm MediaPro, believes major U.S. firms such as Microsoft, Boeing, General Motors, and Chevron will follow suit. “No company wants to manage multiple data-protection practices,” he said. “So they tend to skew toward the highest standard.”
That standard may also extend to companies that don’t have any European customers but supply larger firms that do. “These big global companies are pushing those requirements down through their supply chain,” said Pendergast, who expects the GDPR to initiate “a ripple effect throughout the U.S. economy.”
For many Americans, one of the most infuriating aspects of data-privacy standards is the lag time between when companies discover a breach and when they report it to their customers—a gap that can sometimes extend for months or even years.
But because the GDPR gives companies just three days to sound the alarm once a breach of European data is discovered, that lag time could be significantly reduced for Americans affected by the same breach.
“You’ll have a significant population of individuals receiving notification for types of personal-data compromises,” said Kimberly Peretti, a cochair of the cybersecurity wing of the law firm Alston & Bird. “That may trigger individuals in other locations—when they hear about the press related to it, or employees talk about it—that could certainly create the question to the company, ‘Am I impacted?’”
And many firms will be hard-pressed to explain to American consumers why the new protections and notification requirements for Europeans aren’t necessary on their side of the pond. “There will have to be some consideration of how that looks,” Aqua said.
Until recently, one of the largest hurdles to greater consumer control over their corporate-held data was a technical one. Before the advent of the GDPR, few companies had the tools and processes in place to go into consumer databases and alter, extract, or delete data.
Now that the EU has required companies to build and develop those tools, many firms are expected to deploy them to the United States as well as Europe. “This kind of forces a revolution in data-handling practices,” said Pendergast.
Still, there will inevitably be differences in how European and American data is handled by companies. Some experts believe the new 72-hour breach-notification window is far too narrow, and that Americans will receive less information and have to wait longer after a data breach than people across the pond. It’s also not clear whether companies with business models built on amassing mounds of consumer data will be comfortable giving Americans the ability to remove or significantly alter that data.
“We generally don’t follow the EU’s footsteps in privacy law and policy,” said O’Brien. “Although we share certain values and principles in practice, the U.S. has historically taken a very hands-off approach to commercial privacy.”
But as data breaches continue to make headlines, other experts believe the blasé corporate culture surrounding data privacy in the U.S. is changing rapidly.
“For big American companies, it’s not just being in compliance that matters,” said Pendergast. “Being trustworthy is really critical.”