As we enter an election year, it seems quite possible that nothing substantive will be done to address the growing need to protect Americans’ personal information. With an ever-increasing number of gadgets, apps, websites, and service providers collecting and warehousing information about consumers, the fact that there is no national policy framework in place to protect that data and the people sharing it is absolutely gob-smacking.
For many Americans, the notion of data collection seems almost commonplace. From social media apps to home assistants to everyday purchases, there are thousands of entities out there connecting dots to build profiles on us that can either be used to sell us products or sold to inform others who want to sell us products.
And while we as a society have all but resigned ourselves to the realities of contemporary marketing, what happens when that data—and worse, the sensitive data that companies store, like payment accounts, Social Security numbers and health and wellness records—is accessed by actors beyond the intended aggregator?
To put a finer point on it, what happens when hackers break into Amazon and obtain my credit card info and my shopping history, breach a hometown lending agent and get my Social Security number, and compromise my Facebook account to get my photo? By vacuuming up enough data and matching these records together, malicious actors can build very sophisticated profiles of consumers. These profiles can be used for financial gain through traditional methods of identity theft, like creating false accounts, or they can bundle and sell this data, financing any number of activities that work against the interests of our country.
Just this month, we learned that the Chinese military was linked to the 2017 Equifax breach that affected four in 10 Americans. What they’re doing with that data, and how they’re pairing it with other data they may have collected, remains to be seen. But if China is finding enough profit in pursuing such actions, you can imagine just how worthwhile it would be for even more nefarious state and non-state actors like North Korea or ISIS to either weaponize such data or sell it to finance activities that place others in harm’s way.
This isn’t meant to be alarmist, but is instead meant to underscore a matter that Congress can take quick, broad-reaching steps to address. For data that organizations like Facebook or Home Depot are collecting, shouldn’t that data be held to the same standards that credit unions and hospitals are held to? We need Congress to pass legislation that sets a strong national data security and privacy standard that considers the data collected, not the collector of that data. That is, whether you’re collecting and storing consumer data for a credit union, a school, or a local shop owner, that data must be treated the same, irrespective of the institution’s business model.
But without broad coverage, that sweeping standard won’t be any more effective than what is currently in place. California made headlines when they enacted a law modeled after the European Union’s GDPR. Until Washington sets a nationwide standard, American businesses are faced with a confusing, inconsistent patchwork of data security and privacy laws that not only increases regulatory compliance costs for businesses, but also creates glaring loopholes that bad actors can exploit to steal troves of loosely guarded datasets.
This problem is clearly not going away, but our lawmakers have it in their grasp to take the most definitive step to date to protect all of us. Until they act, let’s continue to call for all data to be held equally through a strong, sweeping data security and privacy bill.
Jim Nussle is the president/CEO of the Credit Union National Association. He served as a member of Congress from Iowa from 1991-2007.