More than 500 million people recently learned that the highly sensitive information they provided Yahoo was hacked and stolen. The stolen data included usernames, masked passwords, email addresses, telephone numbers, dates of birth, and security questions and answers. This treasure trove of information has the potential to allow criminals to hack into other accounts of these same consumers, including online bank accounts or social media profiles, by decrypting the passwords or using their security questions. As a result, anyone with a Yahoo account faces a serious risk of identity theft and financial fraud. Making a bad situation worse, it appears that Yahoo took more than two years to notify its customers of the breach. Americans deserve better than this.
Today, corporations collect more information about their customers than at any other time in American history. They have our names, addresses, phone numbers, credit card information, and emails. But they can now also track our personal preferences: they know what we read, what we buy, and in some cases have access to our family photos. They can put together a picture of our lives by tracking our online purchases, credit card use, and store loyalty cards. Retail stores track the groceries we purchase and what we buy for our kids; online companies store our bank account information; smart watches and fitness trackers store personal health information; and mapping applications on our phones know where we go each day. This technology can be a convenience to consumers, but it has also become a liability. That is why corporations, which are profiting from the personal information we share with them, should take steps to protect that information.
Many Americans assume federal law already protects this type of information, but the reality is that it does not. That is why last year I introduced the Consumer Privacy Protection Act to close this security gap. In addition to requiring companies to quickly notify their consumers of a data breach, my bill requires corporations to meet certain privacy and data security standards to keep personal and sensitive information from being hacked in the first place. It also establishes civil penalties when they fail to do so. Finally, the bill creates a baseline of protections—not a ceiling—so that states with especially strong consumer protection privacy laws can keep their laws in place, while other states will have to catch up to a new national standard. These are common sense steps. They simply require corporations to be good stewards of the information we entrust to them.
While Yahoo was the latest company to suffer a data breach, it will certainly not be the last. In 2013, hackers breached Target’s computer system, exposing 70 million customers’ debit and credit cards to fraud in the midst of the holiday shopping season. In 2014, hackers stole credit card information and email addresses for more than 50 million customers from Home Depot. In 2015, hackers broke into health insurance company Anthem’s records, stealing names, social security numbers, and other sensitive information for more than 80 million customers. And just this year, hackers stole information for more than 167 million LinkedIn users. We cannot let another year go by with another massive hack and no national standard to try to prevent them in the first place.
Not every breach can be prevented. Cyber criminals are determined and always looking for ways to pierce even the most sophisticated systems. But just as we expect a bank to put a lock on the front door and an alarm on the vault to protect its customers’ money, we expect corporations to take reasonable measures to protect the personal information they collect from us. Today, unfortunately, too many corporations have inadequate measures to secure consumers’ information. American consumers deserve better than mere notification of the next breach.
Sen. Leahy is ranking member of the Judiciary Committee.
The views expressed by authors are their own and not the views of The Hill.