Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

INSIGHT: Capital One Breach Shows GDPR Framework Could Modernize Anti-Hacker Law

Aug. 22, 2019, 8:01 AM

The recent Capital One breach provided yet another indication that corporate enterprises and financial institutions are not immune from these types of attacks.

Shocking to consumers and customers across the world, everyone is now in the hot seat, responsible for taking a more active role in monitoring and protecting their own information—because you know what? The companies charged with such duties aren’t doing it.

Capital One fell victim to a massive data breach because of alleged hacker, Paige Thompson, a former employee of Amazon’s cloud-computing division. According to the federal complaint, Thompson exploited a vulnerability in Capital One’s cloud system to gain unauthorized access to sensitive information belonging to approximately 106 million customers in the U.S. and Canada.

While Capital One stated the hack occurred in March, it didn’t discover the intrusion until four months later, just days after Equifax agreed to pay $700 million to settle its claims from the 2017 data breach, impacting more than 150 million Americans.

Why So Little Enforcement Action?

While I recognize we may never be able to fully prevent a data breach, what I do propose can only help to significantly reduce the chances of our most treasured commodity—our identity—being unlawfully acquired, distributed, and utilized in cyberspace.

If there’s anything we’ve learned from the Equifax and Facebook data breaches, it’s that there has been very little fallout with respect to “discovery” and penalty—up and until the settlement agreement. If I had to take a guess, it’s because lawmakers don’t yet fully comprehend how to approach massive incidents such as these.

And with at least three major federal lawsuits on its plate, Capital One has many questions to answer:

  • Why did it take almost two years for the FTC to come down on Equifax, with little action taken during that time?
  • Why did it take almost a year for the FTC (and Congress) to speak to Mark Zuckerberg and Facebook’s role in our digital age?

Yet, the burden also shifts to federal regulators and lawmakers to make an example of the institution.

I believe that current federal legislation, the Computer Fraud and Abuse Act (CFAA), codified under Title 18, Section 1030 of the U.S. Criminal Code, should be playing a much bigger role with respect to corporate data breaches (and incidents). I think how legislators approach the recent Capital One breach is the perfect time to implement this proposal.

What Is the CFAA?

In simple-terms, the CFAA is an anti-hacker federal statute that identifies two types of access crimes—unauthorized access and exceeding authorized access. Under the CFAA, a person is prohibited from the unauthorized access, or the exceeding of authorized access, of computers connected to interstate commerce. Violators of the statute are subject to both criminal and civil liability.

In its current form, the CFAA just isn’t comprehensible—from beginning to end, there’s no structure in how it sets out computer crime. Consequently, lawmakers and attorneys are prevented from really using this strong piece of legislation to address massive breaches such as Capital One, Facebook, and Equifax. I’m a law professor at the University of Dayton School of Law in Dayton, Ohio, and it’s still difficult to teach, because the statute is all over the place.

Imagine how hard it is to teach an intro to the CFAA based off this alone.

Europe’s GDPR Model Provides the Backbone We Need

I propose that the CFAA be amended, but there’s no need to reinvent the wheel. Europe has done it for us and with the recent FTC settlement agreement with Facebook, all we need to do now is combine both structures and re-arrange the CFAA. Boom, welcome to the U.S. version of the Global Data Protection Regulation (GDPR) and data privacy regulation (see my outline here).

First, I propose looking to Europe’s GDPR. Consisting of 99 articles, the GDPR is a legal framework that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states.

Now, I’m not saying we need to turn the CFAA into 99 different sections, but it would be a great start turning it into an encyclopedia-like reference guide of how to comply.

Second, I propose incorporating some of the FTC’s provisions as outlined in the recent Facebook settlement order. Specifically, with sworn statements by an officer(s) that the company and/or institution is complying with the CFAA.

My hope, ultimately, is that the CFAA, amended or not, plays a much bigger role with respect to corporate data breaches and that there is enforcement action regarding the Capital One breach before the settlement is released.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Andrew Rossow is an internet and technology attorney, an adjunct cybersecurity law professor at the University of Dayton in Ohio, and a media consultant for ABC, FOX, and NBC in Ohio. He provides a unique perspective on new, emerging technologies, social media crimes, privacy implications, and digital currencies.