By FOCUS, a Leonine Business
In what has become a recurring nightmare for anyone who uses the internet these days, the global hotel chain Marriott recently announced that their online booking system was subject to a major data breach, resulting in the personal information of nearly 500 million guests being compromised. The full details of the hack are not yet known, as Marriott continues to investigate the breach, but the company will be delivering a full response on the breach to the U.S. Senate in mid-December. As a result of the breach, the company could face up to $1 billion in fines.
This leak may seem like small peanuts compared to the Yahoo data breach of 2016, which saw the data of three billion users compromised, or the 2017 Equifax data breach, which saw the credit and financial information of 145 million Americans compromised. This leak, however, comes at a pivotal moment, on the heels of major changes to European and global data privacy laws, and just before the convening of nearly every state legislature in the U.S. at the start of 2019, thus ensuring that data privacy will be fresh on the mind of lawmakers across the country.
Earlier this year, the European Union took a major step to regulate online privacy through the enactment of its General Data Protection Regulation (GDPR). The new rules aim to give consumers control over how businesses collect their data, and what they are allowed to do with that data. This has created some notable discord between European consumers and U.S. businesses, with some online organizations cutting off access to their websites to users located in the European Union, rather than comply with the new requirements.
The GDPR, while controversial, has already begun to serve as a catalyst for state-level legislation in the U.S. At the vanguard of state-level efforts are, as always, California and Vermont. The California Consumer Privacy Act of 2018, scheduled to take effect January 1, 2020, is similar in scope to the GDPR in that it intends to give Californians control over how businesses collect and use their data. Meanwhile, Vermont’s “data broker” legislation, the first of its kind, requires businesses that collect and sell personal information to register with and disclose business practices to the state, and to develop comprehensive data security programs.
To date, state legislatures have not necessarily been lazy on the subject of data privacy, but neither have they been proactive. It has typically taken major breaches to spur changes in how the online data of Americans is protected, though the issue has in recent years become one of the hottest and most heavily lobbied legislative issues. In 2018 alone, at least 22 states enacted legislation aimed at tightening data privacy standards, while at least 35 states considered over 250 such bills. These bills tend to fall into two major areas – requiring companies and organizations to provide notice when they have been the victim of a security breach, and, more notably, requiring companies to tighten their data security practices. In recent years, most states have enacted requirements relating to breach notifications, meaning Americans are learning more quickly and more often when their data is compromised. States have naturally been more reluctant to place stricter requirements on the data practices of companies, but with data breaches occurring more frequently and with greater severity, this is likely to change in the coming months.
In an interview this month, U.S. Commerce Secretary Wilbur Ross issued a broad criticism of American companies, saying that many have been “scrimping on the cyber security budget” to the detriment of their customers. Whether the Trump Administration will begin to push for cyber security reforms remains to be seen, but the secretary’s comments show that the issue is clearly on the federal radar. With the 2019 legislative sessions set to begin shortly, this convergence of factors – high profile breaches, the GDPR and federal support – will undoubtedly lead to an uptick of privacy-related legislation in 2019, most notably aimed at shoring up the data security practices of private businesses.