Information Privacy and Data Security Laws: An Ineffective Regulatory Framework

Ever since advertising firms began capitalizing on private consumer information, the unjustified collection and misuse of sensitive personal data have increasingly become growing national concerns. One of the major areas of contention within the information security sector is the United States’ lack of a comprehensive and standardized federal data security law. The Federal Trade Commission (FTC) has been the chief federal agency that has overseen privacy policy since the 1970s, yet it is only able to protect consumer privacy by declaring that a company has been engaging in deceptive or unfair acts such as the failure to disclose its harmful practices. As a result, although current federal regulations on data security strive to protect consumer privacy, they do not actually tackle the fundamental problem of unjustified, mass data collection itself; instead they debate the issue of nondisclosure, which companies can easily bypass without changing their harmful data collection practices. The responsibility to regulate the collection and use of personal information thus falls on individual states and various independent agencies, which, when not established under a standardized rule, form a patchwork system of incongruent laws that often overlap and contradict one another, thereby leading to a highly inefficient regulatory framework for consumer privacy protection.

A high profile 2017 FTC case involving Lenovo, one of the largest manufacturers of personal computers, and the browser-based advertising company, Superfish, has brought the issue of unjustified data collection and the mass invasion of consumer data privacy to the forefront. In September of 2017, Lenovo came under fire for preinstalling an ad-injecting software on its laptops that not only allowed a third party to collect all private data transmitted online, but also put the users’ personal information at risk of unauthorized access by any unknown party, all without disclosing such invasive practices to consumers.

 From August of 2014 to early 2015, Lenovo began selling laptop models in the US with a preinstalled adware known as VisualDiscovery that was developed by its parent company Superfish.[1] Whenever a user’s cursor hovered over the image of a product on any kind of browser, VisualDiscovery delivered pop-up ads of similar-looking products sold by Superfish’s retail partners, thereby generating revenue. By establishing itself as a local proxy that stood between the users’ browser and all the websites they visited, VisualDiscovery was able to access all of the consumer’s sensitive personal data transmitted online, including Social Security numbers, financial account information, login credentials, medical data, and emails. This ‘man-in-the-middle’ technique not only allowed VisualDiscovery to collect private consumer information at any time to be stored in Superfish servers, but also exposed the users’ private information to other potential cyber-attackers.2

Superfish’s collection of all consumer data transmitted on the Internet regardless of whether the information collected is of use to the company’s purpose or not, and thus regardless of whether the collection of data is justified or not, is an atrocious invasion of privacy that exemplifies most modern consumers’ anxieties regarding data security. However, while consumers may expect there to be data security regulations on a federal level, there is surprisingly no law that governs the unjustified mass collection of private information.  Rather, the Federal Trade Commission’s primary legal authority stems from Section 5 of the FTC Act, which, “prohibits unfair or deceptive practices in the marketplace,” where the terms “unfair” and “deceptive” are loosely interpreted.[2] In the case of Lenovo, the FTC was only able to charge for 3 counts of FTC Act Violations, namely, Lenovo’s deceptive failure to “disclose, or [failure] to disclose adequately, that VisualDiscovery would act as a man-in-the-middle,” the “unfair preinstallation of man-in-the-middle software…without adequate notice or informed consent,” and the “failure to take reasonable measures to assess and address security risks” created by third-parties.2

As evident from the three counts stated in the FTC complaint published on September 5, 2017, the FTC did not address the mass collection of unjustified private information as an unfair practice by itself, but have rather framed all of the charges under “deceptive” and “unfair” practices due to Lenovo’s failure to adequately disclose to consumers it’s third-party ‘man-in-the-middle’ capabilities and the pre-installation of software. The framework of these charges then begs the questions: if Lenovo did adequately disclose to its consumers its data practices, and the consumers did consent, whether intentionally or by accident, would the FTC still have a case against companies like Lenovo to prevent data exposure and invasion? If the FTC loses the basis of its case, what other federal laws then exist to protect information privacy and ensure data security?

On a federal level, the answers to these questions are sadly dismal. In the US, there is no comprehensive standardized law that regulates the collection and use of personal data on a national level.[3] Rather, the regulation of information and data security is carried out by individual states and industry-specific government agencies, or is dependent upon the market’s adherence to industry best practices. The few federal regulations on data security and privacy that do exist apply only to certain industries and entities, such as the Financial Services Modernization Act (GLB Act), which applies to financial institutions, the Health Insurance and Portability and Accountability Act (HIPAA), which covers only health-related entities, the Fair Credit Reporting Act (FCRA), which applies only to consumer reporting agencies, and the Electronic Communications Privacy Act (ECPA), which only regulates the interception of electronic communications and computer tampering.[4]

On the state level, there is a panoply of statewide privacy laws that regulate the collection and use of personal information. Spearheaded by California, 48 states currently have privacy laws on security breach notification and online privacy protection.4 However, it is precisely this dispersive and disorganized nature of different states’ regulations that creates a highly inefficient and undefined system for protecting privacy. There is a clear absence of comprehensive privacy laws with a jurisdictional scope that apply across all industries, states, and entities. The various limited federal acts, guidelines from federal agencies, state laws, and industry best practices form a patchwork system of often contradictory and overlapping laws on data security that becomes ineffectual.

Differences in priorities, jurisdiction, and regulatory vision for privacy and data among governing groups are leaving consumers unprotected and vulnerable to unrestricted data privacy invasion. While FTC rules apply to all companies and individuals doing business in the US, the FTC charges on grounds of “unfair” and “deceptive” practices that not only fail to tackle the underlying key privacy issues themselves, but also address problems only after they have caused serious consequences.4 The nature of current FTC regulations and similar laws is punitive rather than preventative. The current regulatory framework for data protection lacks a legal accountability that provides incentives for companies to take the necessary steps to protect consumer data.

Compared to the US, European nations have a much stricter stance on data and consumer privacy. Fines on privacy breaches in Europe can total up to four percent of the company’s global revenue.5 However, tough European regulations have also created conflicts for EU nations with tech giants such as Google and Facebook, which both collect and mine personal data to support their digital advertising efforts.[5] Advocators for lax privacy laws in the US emphasize how loose data security regulation can lead to more innovation. Using online data for advertising and marketing can give consumers a wider and more targeted access to valuable information.[6] While it may be difficult for data regulation in the US to transform significantly in the next few years, a realistic goal for laws within the US market-based approach to privacy can begin with incentivizing companies to protect consumer data from the start.

[1] Bureau of Consumer Protection, Lenovo Settles FTC Charges it Harmed Consumers With Preinstalled Software on its Laptops that Compromised Online Security (Federal Trade Commission, September 5, 2017), https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled

[2] Bureau of Consumer Protection, Privacy and Data Security Update, (Federal Trade Commission, January 2017),  https://www.ftc.gov/reports/privacy-data-security-update-2016#how

[3]Leuan Jolly, Data Protection in the United States: Overview, (Thomas Reuters Practical Law, July 1, 2017), https://content.next.westlaw.com/Document/I02064fbd1cb611e38578f7ccc38dcbee/View/FullText.html?contextData=(sc.Default)&transitionType=Default&firstPage=true&bhcp=1

[4] California Online Privacy Protection Act (CalOPPA), (Consumer Federation of California, July 29, 2015) https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/

[5] Mark Scott, Europe Approves Tough New Data Protection Rules, (The New York Times, December 15, 2015), https://www.nytimes.com/2015/12/16/technology/eu-data-privacy.html

[6] Joel R. Reidenberg, Thomas H. Davenport, Should the US Adopt European-style Data Privacy Protections?, (Wall Street Journal, March 10, 2013), https://www.wsj.com/articles/SB10001424127887324338604578328393797127094

Cheryl WangComment