
During the past six months, we have witnessed an unparalleled level of questionable business practices in the wake of data breaches. Uber, Equifax and other trusted brands that have been entrusted with significant amounts of personal data have failed the American public. The breach missteps and follies only continue, and each time, many within the security and privacy communities have rolled their eyes in disbelief.

It is important that we do not blame the victims of these breaches, and that we acknowledge there is no perfect defense. At the same time, it is equally important for organizations to be prepared for an incident and to be transparent in how they respond. Every organization has an implied and legal responsibility to apply best practices that help prevent incidents, detect events, and to be prepared to respond and remediate the impact.

Judging by these past incidents, the concepts of data stewardship and accountability have fallen by the wayside. All too often, these organizations are caught flat-footed or attempt to hide the incident, as was the case with the recent Uber hack, for a range of what appear to be self-serving reasons. Perhaps they have recognized that the current regulatory landscape carries few meaningful ramifications, or that they will not be held personally accountable. Self-regulation appears to be failing, and the existing regulatory construct does not appear to deter executives and their boards. In the cases of Yahoo and Equifax, the CEOs walked away with millions of dollars while the affected consumers were left on their own.

With each major breach event, I have hoped it would be a watershed moment that would become a catalyst for change. U.S. companies today face a complex mosaic of 48 state data breach laws, plus several sector-specific regulations. While nearly everyone complains about the challenge of navigating this maze, no progress toward a national breach law has been made.

Ironically, there is a rough consensus on the key requirements such a law would need to define: what constitutes reasonable baseline security; what counts as personal or covered information; notification triggers and requirements; and remedies. Having personally worked on over a dozen such draft bills, I have been disappointed in how partisan efforts and trade groups have driven these efforts off the road and have ignored the impact on consumers.

I am hopeful that this time will be different. The allegations against Equifax and Uber have ratcheted the issue to new heights. On May 25, 2018, the E.U. General Data Protection Regulation (GDPR) becomes enforceable. While many companies will be prepared, the vast majority will be neither ready nor able to recognize the risks. Technically, a company need only process the personal data of a single E.U. resident for the regulation to apply. The GDPR requires that regulators be notified, where feasible, within 72 hours of a company becoming aware of a breach, while U.S. companies have in some cases taken 6 to 12 months. The U.S. is, by and large, sadly behind the rest of the world in recognizing privacy rights and data breach reporting requirements.

Last week, Senator Bill Nelson (D-Fla.), ranking member of the Senate Commerce Committee, proposed legislation that would make knowingly concealing such a data breach a criminal act. This has the potential to wake up the C-suite. As we look forward to new legislation, I propose that it be modeled after the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. While primary enforcement would be left to the Federal Trade Commission, state attorneys general could join in actions or file on their own.

Similarly, there needs to be a penalty that does not require that harm or damages be proven. We need to take the best from leading states such as California, New York, Massachusetts and others. As a benefit to industry, such legislation should also provide a safe harbor from federal and state laws, as well as from the threat of class-action suits, to companies that have employed reasonable security and are in full regulatory compliance.

At the end of the day, both consumers and businesses will benefit from federal breach legislation. A consistent set of rules will raise the bar for breach prevention and readiness, save tens if not hundreds of thousands of dollars in legal costs and, most importantly, enhance consumer protection and expedite timely notification.

Who knows? Perhaps, in the long run, we might be able to “thank” Uber for driving us to this destination.

Craig Spiezle is the managing director of Agelight Advisory Group as well as the chairman emeritus of Online Trust Alliance.