People walk past a branch of the Capital One Bank on April 17, 2019 in New York City.
Johannes Eisele/AFP/Getty Images

Editor’s Note: Marc Rotenberg is president of the Electronic Privacy Information Center, a non-partisan research center in Washington, DC. The opinions expressed in this commentary are his own.

Just as members of Congress head off for the August recess, Capital One customers are receiving news that a criminal hacker gained access to their credit card application data, including Social Security numbers, bank account numbers, names, home addresses, credit scores, credit limits and balances. The breach impacted 106 million Capital One customers. This is one of the largest breaches of personal data held by a financial institution in US history. And this data breach makes identity theft and financial fraud possible.

According to the Federal Trade Commission, data security problems are getting worse. The FTC received nearly three million complaints from consumers in 2018. Consumer fraud was up 38% from the year before, costing consumers $1.48 billion in the past year. Identity theft consistently ranks among the top consumer complaints made to the FTC. There was a 24% increase last year in identity theft reports that involved credit card fraud on new accounts.

When the first wave of data breaches hit US financial institutions in 2011, we warned Congress that much more needed to be done to safeguard personal data held by US companies, or else these problems would get worse. I told the Senate, “financial privacy protections need to be strengthened in the United States.”

Over the last several years, we have witnessed foreign adversaries, in addition to criminal hackers, target financial records, health records, Social Security numbers, and other personal details collected by US companies. When we learned of a breach at the Office of Personnel Management in June 2015 that compromised 22.5 million records, including sensitive background information and the digitized fingerprints of more than 5 million federal employees, it became clear that data protection is today a matter of national security.

We urged Congress to update federal privacy laws and to establish a data protection agency to address growing consumer concern about the misuse of their personal data. But Congress ignored our warnings. Meanwhile, the European Union adopted the General Data Protection Regulation in 2018, which established a comprehensive approach to privacy protection. There are clear limits on the collection and use of personal data, strong security obligations and requirements for prompt notification of a data breach. The Europeans also have agencies with specific expertise and authority for data protection, unlike the United States, where agencies such as the FTC treat privacy oversight as one of several responsibilities. Financial fraud and identity theft remain a concern in Europe, but the risks are much less severe.

US firms that collect financial data on US consumers should also ensure that credit monitoring services are available to all their customers at no cost. It is unreasonable to expect consumers to bear the cost of lax security practices. Next, credit reporting agencies should change the default on access to credit reports by third parties. Instead of the current setting, which allows virtually anyone to pull someone’s credit report, credit reporting agencies should establish a credit freeze for all disclosures. Consumers would still retain the ability to disclose their report when they choose to do so.

We also need new privacy-enhancing techniques that minimize dependence on personal information, such as Social Security numbers and dates of birth, that opens the door to data breach and identity theft. Techniques that separate a person’s identity from authentication, that minimize the use of personal data and that anticipate the risk of breach reduce costs for companies and consumers.
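As an illustration of the three principles above (separating identity from authentication, minimizing the personal data stored and designing for the breach that will eventually happen), here is an added example in Python. It is not code from the article or from any bank; the record layout, the field names and the sample application are constructed for this example. A credit application is stored under a random pseudonymous customer id with a keyed fingerprint of the Social Security number instead of the number itself, so the number can still be checked later but a copy of the table exposes nothing usable for identity theft. The key is assumed to live outside the application database (an HSM or key management service), which is the whole point: SSNs have only about a billion possible values, so a plain unkeyed hash could be reversed by brute force.

```python
import hashlib
import hmac
import secrets

# Assumption: this key is fetched from an HSM/KMS at runtime and is never
# stored alongside the records it protects. Generated here only so the
# example runs stand-alone.
VERIFICATION_KEY = secrets.token_bytes(32)


def ssn_digits(ssn: str) -> str:
    """Normalize an SSN to its nine digits; reject anything else."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_fingerprint(ssn: str, key: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256) of the SSN.

    A keyed construction is required: the SSN space is small enough that an
    unkeyed hash could be inverted by enumerating every value.
    """
    return hmac.new(key, ssn_digits(ssn).encode(), hashlib.sha256).hexdigest()


def minimize_application(app: dict, key: bytes) -> dict:
    """Build the record that is actually persisted.

    The identity used internally is a random pseudonym, the SSN is replaced
    by its fingerprint, and only the fields needed for the credit decision
    are retained (here the state of residence rather than the full address).
    """
    return {
        "customer_id": secrets.token_hex(16),
        "ssn_fingerprint": ssn_fingerprint(app["ssn"], key),
        "credit_limit": app["credit_limit"],
        "state": app["address"]["state"],
    }


def verify_ssn(record: dict, claimed_ssn: str, key: bytes) -> bool:
    """Authenticate a later claim of the SSN without ever storing it."""
    try:
        candidate = ssn_fingerprint(claimed_ssn, key)
    except ValueError:
        return False
    return hmac.compare_digest(record["ssn_fingerprint"], candidate)


def record_exposes_ssn(record: dict, ssn: str) -> bool:
    """Breach-impact check: would a copy of this record reveal the SSN?

    Every stored value is reduced to its digits and searched for the nine
    SSN digits, so both '123-45-6789' and '123456789' count as exposure.
    """
    target = ssn_digits(ssn)
    for value in record.values():
        if target in "".join(ch for ch in str(value) if ch.isdigit()):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample application; the values are not real.
    application = {
        "ssn": "123-45-6789",
        "credit_limit": 5000,
        "address": {"street": "1 Main St", "city": "Anytown", "state": "NY"},
    }
    stored = minimize_application(application, VERIFICATION_KEY)
    print("stored record:", stored)
    print("raw application exposes SSN:", record_exposes_ssn(application, application["ssn"]))
    print("stored record exposes SSN:", record_exposes_ssn(stored, application["ssn"]))
    print("later SSN check passes:", verify_ssn(stored, "123456789", VERIFICATION_KEY))
```

The design choice worth noting is that `verify_ssn` still works after the raw number is gone, which is what "separating identity from authentication" buys: the customer is addressed by `customer_id` everywhere in the system, and the SSN is only ever compared, never retrieved. If the database alone is stolen, the attacker holds fingerprints that are useless without the key; the residual risk is the key store, which is why it is kept separate and should be the focus of access control and monitoring.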

But little of this will happen until Congress steps up and passes privacy legislation to safeguard consumers. Congress needs to update federal privacy laws, to establish meaningful oversight and to encourage business practices that are more resilient when breaches occur.

Many states recognize the problem. Just last week New York Governor Andrew Cuomo signed the SHIELD Act to update the state’s data breach law. And the California Consumer Privacy Act, which goes into force next year, establishes important standards for privacy protection.

Congress should enact a federal baseline law that will raise data protection standards across the country and also allow states to continue to develop stronger protections if they choose. Congress also needs to create a data protection agency to take on the challenges ahead. The failure to update privacy law will burden US consumers and businesses.

Congress has a lot of work to do. This is not the time to go to the beach.