This week MyFitnessPal announced that it had suffered a massive security breach which exposed or compromised 150 million MyFitnessPal accounts. The affected data included usernames, email addresses and hashed passwords. Luckily for those affected, the company claims that the affected data did not include government-issued identifiers or payment card data.
In some good news for MyFitnessPal users, the stolen passwords were hashed rather than stored in plaintext. However, Under Armour continues to be vague about what percentage of the stolen data was protected by bcrypt, a secure algorithm employing key stretching, and what percentage was protected only by SHA-1, a legacy hashing algorithm no longer considered to be “any good”.
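The distinction the paragraph draws matters in practice: an unsalted SHA-1 digest is fast to compute and identical for every user who chose the same password, whereas a salted, key-stretched hash is unique per user and deliberately slow to check. The following is an added illustration, not code from MyFitnessPal or Under Armour. Because bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 (also a salted, iterated key-derivation function) stands in for it; the user records and passwords are constructed sample data, and the `upgrade_on_login` routine is the common defender's pattern for migrating legacy SHA-1 records to the stronger scheme the next time a user authenticates.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy scheme, as the page describes for part of the data set: unsalted SHA-1.
def legacy_sha1(password: str) -> str:
    """Hex SHA-1 of the password. Deterministic: equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Key-stretched scheme. PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption:
# bcrypt is not in the standard library). Both are salted and deliberately slow.
PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster

def stretched_hash(password: str, salt: Optional[bytes] = None,
                   iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key (base64)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def is_legacy(stored: str) -> bool:
    """A bare 40-character hex string is an unsalted SHA-1 record."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored)

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, using constant-time comparison."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_sha1(password), stored)
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, b64salt, b64dk = parts
    salt = base64.b64decode(b64salt)
    expected = base64.b64decode(b64dk)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)

def upgrade_on_login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; if it is correct and the record is legacy SHA-1,
    return a freshly key-stretched record for the caller to persist."""
    if not verify(password, stored):
        return False, stored
    if is_legacy(stored):
        return True, stretched_hash(password)
    return True, stored

# Constructed sample records (not real data): one legacy, one already migrated.
SAMPLE_USERS = {
    "alice@example.test": legacy_sha1("Tr0ub4dor&3"),
    "bob@example.test": stretched_hash("correct horse battery staple"),
}

if __name__ == "__main__":
    # Two users with the same password: identical under SHA-1, distinct once salted.
    print(legacy_sha1("Tr0ub4dor&3") == legacy_sha1("Tr0ub4dor&3"))
    print(stretched_hash("Tr0ub4dor&3") == stretched_hash("Tr0ub4dor&3"))
    ok, new_record = upgrade_on_login("Tr0ub4dor&3", SAMPLE_USERS["alice@example.test"])
    print(ok, new_record.split("$")[0])
```

The point of the self-describing record format is that a database can hold both schemes during a migration and each login moves one more user off SHA-1; a separate audit query over the stored records then tells the operator exactly what fraction remains on the legacy scheme, which is the figure Under Armour has so far declined to publish.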
That such data breaches occur should no longer be a surprise to anyone, particularly given other high-profile breaches involving companies such as Equifax, Yahoo and Target. However, what is surprising in this case is that cybersecurity experts are beginning to commend Under Armour for their “prompt response to the data breach after its discovery and their public announcement alerting users to the danger”.
Such praise for simply engaging in what most consumers would consider obvious moral behavior may shock many Americans. After all, isn’t it intuitive and legally responsible of companies that suffer data breaches to engage in proactive disclosure?
But common sense and morality have long ceased to play a central role in many companies’ behavior, with market capitalization being king of all considerations in modern business. As noted by Tony Bradley in Forbes, the truth is that in such situations, “[i]t is not uncommon for companies to delay the inevitable by weeks or months”.
In fact, with the hodgepodge mess of data privacy and security breach notification laws in America, the strongest legal regime which mandates such disclosures is now a European one, the much-feared General Data Protection Regulation (GDPR) which goes into effect in May. That the strongest compelling force for American companies to disclose security breaches will emanate from Europe, through a law that is only relevant when users and data pass through that continent, is a damning indictment of the entire American data privacy and security regime.
In October, I noted to the U.S. Department of Health and Human Services that the federal landscape of data privacy and security is “a mess”. Currently, there is no clear controlling legislation in this domain, a patchwork of agencies fighting for regulatory relevancy and a system which dumps the onus of legislation and enforcement onto states which are ill-equipped to take on such a burden.
For instance, Section 1798.82 of the California Civil Code (where MyFitnessPal is headquartered) does require a person or business that conducts business in California or owns, licenses or maintains computerized personal information to notify the owner of the information, any relevant third parties and potentially the California Attorney General of a security breach. However, the duty to disclose and the remedies for failure to do so are naturally limited to California residents, given the limited jurisdiction of the state.
Luckily for consumers, every state has security breach notification laws. However, due to differences in legislative wording and interpretation, there is no consistency across the US with regard to key elements such as who must comply, the definition of what constitutes “personal information” and even the requirements for notice.
Looking federally, no answers are immediately apparent on the horizon even as proposed legislative action heats up. In the Senate, Democrat Bill Nelson is spearheading the proposed Data Security and Breach Notification Act and, in the House, Republican Representatives Luetkemeyer and Maloney have introduced the Data Acquisition and Technology Accountability and Security Act. But problems plague both bills.
The Republican bill will face a stiff test from states’ Attorneys-General who take issue with the bill’s preemption of all state data breach and security laws, particularly as it allows entities suffering breaches to determine whether to notify consumers of a breach based on their own judgment of whether there is “a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer”.
For its part, the Democratic Senate bill currently looks unlikely to pass given the current composition of Congress as well as the fact that Nelson’s bill has already failed to pass once, in 2015.
Less than a month ago, I wrote about the need for a National Health Data Strategy. Incidents such as MyFitnessPal underscore that need even further today. The current framework for how we handle data – and increasingly commingle health data with other data – should highlight the need for a new regulatory and enforcement regime to create and maintain consistent standards and expectations for those collecting, storing, analyzing and trading in our data.
With Americans’ personal data now being a lucrative product, the way that we handle such a valuable product needs to be standardized and harmonized. Otherwise, we may continue living in a dystopia where we congratulate companies for doing the bare minimum in handling our data.
Jason Chung is the Law & Technology Editor at The Health Care Blog. He also writes on the intersection of health, technology and sports as the senior researcher and attorney at NYU Sports and Society, a think tank dedicated to the study of sports and social issues. He tweets @ChungSports.