The Fight Over Data Privacy Regulation: Is It About Consumer Privacy or Preventing Liability?

December 21, 2018

Over the past few years, a number of U.S. companies have suffered serious data breaches. In the most recent data breach, 30 million Facebook accounts were compromised. Facebook estimates that hackers stole the names, phone numbers, email addresses, search history, and device information of 14 million Facebook users. The attack occurred in late September 2018 and the extent of damage is still being assessed. Though the tech giant seems to have maintained control over the situation, this attack is merely a drop in the bucket.

In 2017, hackers stole social security numbers, birth dates, addresses, driver’s license numbers, and credit card data from 143 million Equifax consumers. In 2016, hackers infiltrated Uber’s systems and stole the names, email addresses, phone numbers, and driver’s license numbers of 600,000 Uber drivers. In that same year, hackers stole 20 years of data from six adult websites consisting of names, email addresses, and passwords. In 2015, hackers stole the names, addresses, social security numbers, birth dates, and employment histories of 78.8 million Anthem customers. And in 2014 alone, hackers stole a plethora of sensitive information from over 3 billion consumers and employees of Yahoo, eBay, Target, OPM, Home Depot, Chase Bank, and Adobe.

To curb these attacks, several states are beginning to enact laws to protect consumer privacy. In pertinent part, these laws allow consumers to sue for damages they sustain as a result of data breaches. These provisions are fueled in part by a realization that not all companies are forthcoming when they are hacked. For instance, in early 2018, Google was hacked and the personal information of its Google Plus users was stolen. However, due to the bad publicity surrounding the Facebook Cambridge Analytica breach, Google opted not to inform its consumers of the intrusion, and details of that breach only recently came to light. Be that as it may, Google is not alone on this island. Many companies deliberately decide to withhold information until a later date, while others simply fail to enact the proper protocols to deter and/or detect intrusions. Advocates of the state laws argue that the new legislation will combat this problem while ensuring consumer privacy.

NPR reports that several tech companies have begun to advocate for the creation of a federal privacy law despite the fact that such companies have traditionally been against such regulation. In light of the problematic state laws, advocates argue that these tech companies are merely changing their tune so as to ensure that they are never held liable for data breaches. Advocates point to the fact that these companies want (a) the federal laws to pre-empt all state law (including the current and pending state laws which allow consumers to sue companies for data breaches) and (b) the Federal Trade Commission to have sole enforcement powers over the laws.

Advocates further argue that these companies only want the FTC to have sole enforcement because they know it will do a poor job of enforcing the law. Ariel Fox, policy counsel for Common Sense Media, stated, “I don’t know what the FTC can do besides put out guides or try to go after people for violating statements that they’ve made in their privacy policies.” The allegations raised against the FTC seem to be justified. In 2011, the FTC accused Facebook of not living up to its own privacy policies but took no disciplinary action against the company. Similarly, the FTC has taken no action against Facebook for its involvement in the Cambridge Analytica scandal. These allegations raise the question: are companies like Apple, Amazon, AT&T, Twitter and Google supporting federal legislation to ensure consumer privacy or simply to prevent liability?