Long-awaited federal privacy legislation could be a powerful tool in the fight against online fraud, some experts say.
Privacy experts at a House Energy and Commerce Committee hearing on Tuesday praised a provision in the American Data Privacy and Protection Act focused on data minimization, which requires companies to limit the collection and retention beyond what is necessary for their operations. That includes the kind of personal information cybercriminals rely on to commit identity theft and other fraud.
Data minimization, in addition to requirements that companies designate privacy and data security officers, would help consumers from “day one,” testified Bertram Lee Jr., senior policy counsel for data, decision-making and artificial intelligence at the Future of Privacy Forum (FPF).
In 2021, the Federal Trade Commission received nearly 1.4 million reports of identity theft. Both FPF’s Lee and David Brody with the Lawyers’ Committee for Civil Rights Under Law noted to lawmakers that identity theft and its financial impact are more likely to affect communities of color, data backed up by the Federal Trade Commission and a report last year by Malwarebytes.
James Lee, chief operating officer at the Identity Theft Resource Center (ITRC), a nonprofit that helps identity theft victims, told CyberScoop that he thinks the legislation is a step in the right direction toward protecting victims.
“Today most identity crimes are fueled by data stolen in breaches,” he said. “If you don’t have the data you can’t lose control of it.”
Also relevant to protecting sensitive information is the bill’s focus on “privacy by design,” defined by the bill as companies enacting “reasonable policies, practices, and procedures for collecting, processing, and transferring covered data.”
The legislation doesn’t outline what these practices should look like, but the FTC, which has ramped up its privacy enforcement in recent months, would issue guidance under the legislation.
“If you have privacy by design, you have better data security already, because then there are more levels of technologies in between, like encryption technologies, that protect users’ data,” said FPF’s Lee.
Extensive data collection can come back to burn companies when a security incident occurs, as numerous data breaches have shown. Guidance on how to rein in data collection could be helpful to businesses, said Bryan Orme, principal and partner at GuidePoint Security.
“A lot of times the data that gets leaked by these threat actors is data that executives didn’t realize they even had,” said Orme.
But data minimization isn’t a panacea, said Jeremy Grant, coordinator of the Better Identity Coalition.
“We’ve had so many catastrophic data breaches over the last ten years that have exposed personal data like [Social Security Numbers], birthdates, addresses, etc. that for most Americans, their data is already out there,” Grant said via email. “If we really want to address identity theft, we should prioritize addressing the inadequacies of a digital identity infrastructure that makes it so easy for someone to steal your identity in the first place.”
Experts both at the hearing and in conversation with CyberScoop also noted areas for improvement in the bill. For instance, it exempts state breach notification laws from being overruled by a federal privacy law, something that ITRC’s Lee hopes to see change. Most state notification laws are based around where a victim lives, not where their data is compromised, creating difficulties for victims, he said.
Tuesday’s debate also highlighted serious clashes between industry, advocates and lawmakers on the legislation’s approach to private right of action, a currently limited authority for individuals to bring civil actions for relief against violations of the legislation.
Sen. Roger Wicker, R-Miss., and Reps. Cathy McMorris Rodgers, R-Wash., and Frank Pallone, D-Mass., released a discussion draft of the American Data Privacy and Protection Act earlier this month.
While the legislation has been described as “monumental” by privacy advocates, the bill isn’t in the clear yet. It does not have the support of Senate Commerce Committee Chairwoman Maria Cantwell, D-Calif., who has been circulating her own version of privacy legislation. It also reportedly contains data security elements.