Editor’s note: This commentary is by Steve May, of Richmond, a clinical social worker, who lives in Richmond and is on the Selectboard there. As a social worker, he is responsible for maintaining the records and personal health information of patients, past and present, in his care.
[I]f they had only been hacked, it would have been enough … and …
If they had been hacked and they noticed the damages in a timely fashion, it would have been enough … and …
If they had been hacked and they noticed the damages, noticed the damages and reported it properly, it would have been enough … and …
If they had been hacked, noticed the damages and reported it to the proper authorities in a timely manner, it would have been enough… and …
If they’d been hacked, noticed the damages, reported it to the proper authorities in a timely fashion and not sold millions of dollars worth of stock in the company ahead the loss disclosure it would have been enough … and …
If they’d been hacked, notified the damages, disclosed to the authorities in a timely fashion, not taken profits ahead of a loss disclosure, and acted with anything but scorn for their customers, it would have been enough … and …
If they’d been hacked, notified the damages, disclosed to the authorities in a timely fashion, not taken profits ahead of a loss disclosure, not acted with scorn for their customers, and made their customers pay to protect themselves from services made necessary after the data loss, which they were responsible for losing; it would have been enough …
But in 2017 this is all is too much to ask. Permitting a private for-profit organization to act as custodian for this much data under the best of circumstances could only have been considered problematic. The fact that multiple credit agencies are responsible for storing and safeguarding this much financial information increases the potential for exposure without providing consumers with meaningful protections against breach. Equifax, as one of the largest providers and compilers in the world of personal information and financial data, was compromised through a data breach that left as many as one in three Vermonters vulnerable and one-third of all Americans affected.
In our modern society personal information is a form of currency. Having it reliably safeguarded is critical to the functioning of a 21st century economy.
It is bad enough that there was a hack. What makes it worse is that Equifax is acting as a bad corporate citizen, attempting to profit from errors they themselves have made in the course of safeguarding our personal information. For example, having been hacked, Equifax is selling credit monitoring services to clients already adversely affected through their negligence.
These interests are attempting to trade and profit on the personal information of Vermonters. No one should be able to treat anyone’s personal information or financial profile like it’s a baseball card. This information is much more than a random set of numbers on a spreadsheet somewhere. This data represents real people’s access to financial markets. It will determine whether they qualify for their next mortgage or car loan or student financial aid. Manipulating, selling or transferring financial information or personal data without proper authorizations can and does cause real harms and hurts real people.
Today, privacy is an implied right. There is no single place one can point to an expressed right to privacy. Privacy protections come from constitutional amendments that prohibit unlawful search and seizure or a prohibition against quartering soldiers. These provisions have come to form the skeleton of privacy protections, but they leave enormous gaps. In their wake, we find a legal universe that creates silos of privacy where a grant of privacy is made relative to a single area of law. HIPAA, the health privacy act is limited to only questions of health information. FERPA, the Family Education Privacy Act, only addresses student privacy in a school setting. Miranda rights only are triggered when an arrest is made. These specific examples demonstrate just how constricted our privacy laws are.
Vermonters need real and meaningful protection. It is essential that Vermont create the most stringent protections for consumers. Vermont can and should be a national leader when it comes to privacy rights.
Any legislature and administration that enacts rules to provide meaningful privacy protections will inevitably be attractive to commercial interests who deal in sensitive data or confidential information. “Secured in Vermont” has the potential to be every bit as valuable as a value-added brand as our ski industry or Vermont milk. Vermont and secure data could give birth to the privacy equivalent of Volvo, a company whose commercial success is largely predicated on its success as a safe car manufacturer. Maybe it’s possible that it births, not just one, but the next several highly secure data companies.
A single privacy act which polices the privacy rights of individuals in dealing with government and commercial stakeholders would go a long way towards cementing a new privacy regime for every Vermonter. As both a personal and professional matter the creation of a comprehensive privacy act is highly desirable. In this age of big data, it has never been more important to act. Given the current environment where data breaches have become just part of the price of doing business in the digital age, we can and should demand better. Our fractured privacy system today provides little protection in the event of a data breach. Simply said, we all deserve better.
