The recent data breach at Target highlights the growing role of states in protecting people's online data and privacy.
Attorneys general in Connecticut, Illinois and New York are leading a multistate investigation into December's cyberattack at Target, in which hackers stole the payment card numbers of at least 70 million shoppers, along with their names, mailing addresses, phone numbers and email addresses.
The state attorneys general pressed Target to offer one year of free credit monitoring to all customers, even those who were not affected by the data breach. “I would strongly encourage all Target customers to take advantage of this offer,” Connecticut Attorney General George Jepsen said earlier this week. Jepsen urged shoppers there to change their PIN numbers and passwords, and to “be vigilant when it comes to unsolicited emails and phone calls seeking personal information.”
Attorneys general also are advising customers to be wary of phony websites urging Target shoppers to give up personal information in exchange for gift cards or other compensation for the breach. Many new websites with “Target” in the name, such as “targetcreditfix.com” and “targetsecuritybreach.com” have been registered recently, according to California Attorney General Kamala Harris.
Most states have their own “security breach laws” requiring companies to notify consumers if their credit card numbers have been stolen. The strength of those laws varies, however. Meanwhile, even though federal authorities have launched their own Target investigation, there is no federal law that requires disclosure of security breaches.
“It's definitely true that there has been a vacuum at the federal level in terms of privacy legislation,” said David Jacobs, an attorney who specializes in consumer protection for the Electronic Privacy Information Center (EPIC) in Washington, D.C.
Little Direction from Washington
As Stateline has reported, debates about threats to privacy, ranging from drones to electronic license plate readers, are expected to loom large in statehouses in 2014. Americans' online activity is increasingly moving from desktops to smartphones and other mobile devices. This shift has created new privacy concerns, but the federal government has provided little direction.
Nearly two years ago, President Barack Obama unveiled a Consumer Privacy Bill of Rights as a “blueprint for privacy in the information age.” The House and Senate have proposed their own measures, but nothing has become law.
Since 2010, the Federal Trade Commission has been considering whether to give consumers a “Do Not Track” option that allows them to opt out of websites collecting information about their online activity, similar to the FTC's Do Not Call Registry, which allows consumers to opt out of most telemarketing calls.
While there isn't a federal data security breach law, the FTC has brought legal action against companies that violate consumers' privacy rights using a provision of the FTC Act, which bars “unfair and deceptive acts and practices in or affecting commerce.”
Last fall, for example, a company that markets video cameras consumers can use to remotely monitor their homes settled FTC charges that its lax security practices exposed the private lives of hundreds of people to public viewing on the Internet.
With action stalled in Washington, states are stepping up their efforts with new legislation, heightened scrutiny from state attorneys general and consumer education campaigns.
California First in the Nation – Again
In 2002, California was the first state to pass an online “breach notification” law. Since then, 46 states and the District of Columbia have followed California's lead by requiring businesses and/or public agencies to notify consumers of security breaches of personal information.
Last year, California laid down new markers that other states are expected to consider this year:
- Password protection: Most states' security breach laws apply to consumers' Social Security numbers, driver's license numbers, medical or financial account information or credit card numbers. California says it is the first state to include passwords, usernames and security questions under legislation (SB 46) that went into effect this past Jan. 1. Hackers last year stole usernames and passwords for nearly 2 million accounts at Facebook, Google, Twitter, Yahoo and other online sites.
- Do Not Track: In the age of smartphones and tablets, it's easy for a person's online activity to be tracked, even by websites they do not visit. Legislation (AB 370) that also took effect Jan. 1 doesn't ban online tracking, but requires companies to disclose whether and how they comply with requests from Internet users who ask not to be tracked.
- The Teen “Eraser” Law: Websites and mobile app operators will have to provide a way for those under 18 to delete a posting or photo, with the intent of saving young people from their “ill-advised pictures or messages.” The measure (SB 568) also prohibits online companies from marketing products to minors that they can't buy in stores, including alcohol, tobacco, handguns, fireworks and lottery tickets. This measure becomes law Jan. 1, 2015.
“It's not uncommon for California to lead in privacy issues,” said John M. Simpson of Consumer Watchdog, a Santa Monica-based nonprofit group. Simpson said his organization is working on a ballot measure that would implement stricter Do Not Track protections.
Maryland is considering its own teen eraser law. That idea is among six recommendations for protecting children's online privacy that Maryland Attorney General Douglas F. Gansler presented late last year to the state legislature.
Gansler also wants Maryland lawmakers to consider prohibiting "cloud" service providers from using for commercial purposes any data they collect in Maryland public schools. Both Massachusetts and New York considered similar legislation last year that did not become law.
A Patchwork of Laws
Businesses and advertisers contend it is difficult to comply with the patchwork of state privacy laws.
The Direct Marketing Association supports a national security breach standard, but thinks “self-regulation” is a better framework for Do Not Track issues since that option allows companies to respond more quickly to changing technologies than laws and regulations.
“The Internet doesn't stop at state lines,” said Rachel Nyswander Thomas, executive director of the Data-Driven Marketing Institute, an advocacy arm of the Direct Marketing Institute. Once “something passes in California … it becomes a de facto national standard” since many companies have customers in that state, she said.
An example of the “self-regulation” pushed by the industry is the Digital Advertising Alliance's global “AdChoice” program, known for its blue, clickable triangle icon that gives users a Do Not Track option. The icon usually appears near online banner ads or on the bottom of Web pages.
States have worked with Google, Facebook and others to make voluntary changes, but they also have turned to the courts:
- Google paid $17 million in a November 2013 settlement with 37 states and the District of Columbia to resolve allegations that the company bypassed security settings on Apple's Safari web browsers in 2011 and 2012 without consumers' knowledge or consent. The company in 2012 paid $22.5 million to settle similar charges from the FTC.
- Google paid 38 states and the District of Columbia $7 million in March 2013 over concerns about Google's Street View cars, which picked up personal data from unsecured networks, including emails, while the car's equipment took photographs for Google's geolocation service between 2008 and March 2010.
Early last year, California Attorney General Harris released online privacy recommendations for mobile app developers. They include icons or pop-up notifications to inform consumers how their personal information is being collected and shared, and follow a 2012 app privacy agreement with Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft and Research in Motion.
Meanwhile, Facebook and the National Association of Attorneys General last year released a public service announcement about online safety and stepped up consumer education.