This week, I received a letter from an employer of mine from when I was in high school, a local car wash.
It turns out there was a “data breach” that resulted in “unauthorized access” to my social security number.
Millions of Americans receive letters like this each year. Usually, the company will offer free access to a credit monitoring service, allowing individuals to see if any new credit cards, loans, or other activity has happened in their name.
What should be the individual remedy in this situation?
As a society, we haven’t yet standardized encryption of sensitive employee data, and it’s obviously a problem.
Employers are required to collect SS data to verify work status and to issue pay. But shouldn’t this be a one-time verification, and not stored on an insecure database forever?
Leaked SS numbers are one of the main avenues for identity theft. Should the company be liable? Or the state and federal laws that require storage of this data without safeguards? Added to that, should I be able to exercise a right of action and sue if I can prove I’ve been harmed?
If my SS number leaks onto the dark web, criminal actors buy in bulk and will attempt all kinds of fraud. What current penalties exist for these fraudsters? Is it enough? Is the Federal Trade Commission fulfilling its mandate here, or is it too concentrated on trying to break up tech companies?
A national privacy law could enforce tools we need to protect sensitive data like this. But previous attempts at a national privacy law haven’t meaningfully addressed this, and have focused more on deputizing lawyers and trying to outlaw targeted advertising than empowering consumers who’ve been harmed.
Ideally, we would have a law that would protect and standardize encryption while championing innovation and giving wronged consumers an avenue to be heard. But what else would be necessary?
The status quo of hacks, leaks, and data breaches happening without consequence is leading to hundreds of millions of people being harmed. Many existing rules enforced by states and the federal government require unnecessary collection of data that further puts us at risk.
Can we look to innovation to solve these issues? Zero-knowledge proofs, decentralized identity solutions, encryption, and more?
We’d love to see other ideas.
For now, we wrote up recommendations for data and consumer privacy at and we will expand this as we formulate more policy ideas. You can check them out here.