
Limited relief in sight on the consumer data privacy front

Consumer data protection laws in the US are virtually nonexistent, and it’s unclear how much the feds will do.


There are endless troves of consumer data online, posing a potential cybersecurity risk because of its availability through breaches and the vast commercial data broker market.

Even as laws in other regions like the European Union have grown more strict, however, the US lacks a federal privacy law—and one doesn’t seem to be coming anytime soon, nor is relief necessarily in sight from regulators.

In December, the Consumer Financial Protection Bureau (CFPB) officially proposed rules that would impose limits on the sale of certain financial data and other personal identifiers like Social Security numbers. The rule may never go into effect under the inbound Trump administration, however, which has struck a generally hostile stance towards the CFPB and other regulators and reportedly is looking into ways to change the agency’s mission.

The data landscape

The consumer data market is the Wild West outside of certain protected categories like health records or very sensitive financial information, the CEOs of two data removal firms told IT Brew. Data collection is more or less omnipresent on the commercial web, and even those consumers who actively try to protect their data are mostly limited to privacy tools and takedown requests directed to the brokers that most visibly market on search engines like Google.

“Utilization of our data is far, far more vast than I think anybody realizes, even if people think they know,” Lawrence Gentilello, founder and CEO of Optery, told IT Brew. “It’s probably 100 times more—just the proliferation of different players involved, the different types of companies that purchase and use data.”

Rob Shavell, co-founder and CEO of DeleteMe, explained that firms like his use a variety of methods, ranging from robotic process automation to a team of privacy experts, to navigate the mazes of red tape behind which data brokers hide removal requests. When that doesn’t work, DeleteMe escalates to other methods like citing state law or contacting data brokers’ legal teams.

Unfortunately, the dearth of consumer data protection laws in the US means there are limits to a data removal firm’s leverage.

“The more successful we get, the less the data brokers appreciate what we’re doing, and so many of them have turned to what I would call adversarial behaviors,” Shavell said.

Cybercriminals will use whatever data sources are “economically efficient,” including brokers in some circumstances, according to Shavell. Both he and Gentilello—a former data broker himself—agreed the industry is virtually devoid of ethical safeguards and will sell to anyone.


While the worlds of data brokerage and the black market for stolen data on the dark web are fortunately largely separate, those seeking to have their data scrubbed from the dark web are SOL.

Not only are the main actors on the dark web criminals, but, “Lots of copies are out there, and it makes it difficult to impossible,” Shavell said.

The level of compliance with legal boundaries even by legitimate brokers is suspect, according to Gentilello. He said one reason the CFPB has proposed tighter rules may be a surge in firms that “are trafficking in financial information, but at the same time claiming they’re not required to adhere to the FCRA [Federal Credit Reporting Act].”

The government may also be alarmed that pretty much anyone willing to pay for it can access personal data on categories of people like military and government officials, he added.

Federal prospects?

Michael Bahar, legal partner and co-lead of global cybersecurity and congressional investigations at Eversheds Sutherland, told IT Brew he thinks the political winds are actually ideal for Congress to pass a privacy law, as it would give legislators the opportunity to settle the difference between competing state standards.

Such a law would likely delegate enforcement to state officials and include concessions like exemptions for already regulated industries such as finance, Bahar said. He also ruled out any law that would cover employee data, or that didn’t limit corporate liability, as unlikely to pass muster with legislators.

“There’s no way I can see a federal privacy law passed in the next year or two with a private right of action,” Bahar added, referring to the distinction in any given law as to which parties have grounds to initiate a lawsuit.

Without a private right of action, the only parties that could seek to enforce the law in court would be state or federal officials (excluding, for example, consumer class actions).

Gentilello said he’s heard it all before—“Every year or two, people get really excited” about a federal privacy law’s prospects—while Shavell was skeptical that the status quo wouldn’t just prevail yet again.

“The administration will likely end up siding on the side of big business, which is what we’ve seen time and time again,” Shavell said. “This is why things don’t change in this country, because ultimately the lobbyists get in there, [and] they’re funded 100 to one versus the privacy companies.”
