Understanding Data Breaches as National Security Threats

For decades the theft of private individuals’ data has been treated as an annoyance. Activist state attorneys general and the Federal Trade Commission have pursued cases, but U.S. laws fail to treat theft of personal data as a serious crime in itself. The indictment detailing Russian activity during the 2016 presidential campaign shows the inadequacy of that approach. The first step of the “conspiracy to defraud the United States by impairing, defrauding, and defeating the lawful functions of the government through fraud and deceit” relied on stolen identities. Of course, not every theft of private citizens’ personal data will result in a national security threat, and few will approach the magnitude of that Russian scheme. But the indictment of Russian operatives shows how damaging the theft of personal information can be to U.S. security.

Sometimes protecting personal information about an individual is a matter of privacy; for instance, it is no one else’s business if a family member is ill, if a child is failing in school or if a relative is having an affair. But sometimes protecting private information from disclosure is important for reasons that lie well beyond an individual’s right to privacy. And in this increasingly interconnected world, threats to privacy and data security will grow. Yet U.S. privacy protections are far from strong.

Remember the Equifax data breach that resulted in the theft of personal records of 145 million Americans? The Justice Department opened a criminal investigation into whether company executives had sold shares in the days after they knew about the breach but the news was not yet public; it later dropped the case. The Consumer Financial Protection Bureau began an inquiry into the breach but later backed off from a full-scale investigation. It has been up to the Federal Trade Commission and individual states to follow up on such instances and discover what went wrong.

The FTC has racked up some impressive victories in recent years, going after companies that fail to live up to the law or their stated privacy policies. Kenneth Bamberger and Deirdre Mulligan have observed that this strategy can lead to important improvements in privacy protections. And Danielle Citron has described how even before breach laws—now on the books in 48 states—state attorneys general were “laboratories of privacy enforcement” establishing a variety of protections.

Despite these successes, however, U.S. legal protections for privacy are limited. Privacy protection in the United States is piecemeal—financial privacy here, genetic protection there, a dash of video privacy, a set of safeguards for children online, some heavy-duty health-care protections. But there are no general protections. And the tools available to the FTC and state attorneys general are limited. The commission can assess civil penalties for violations of certain privacy statutes and regulations, and it can issue fines. But the former are limited and the latter low because the fines must reflect calculable losses suffered by consumers. State prosecutors are similarly hampered by having to prove that breaches led to actual harm. These legal constraints limit prosecution in cases where there are real losses but not of high monetary value.

Consider this lack of general privacy protections in light of Russian efforts to influence the 2016 presidential election. The Russian influence campaign had real and substantial effects—and the data of private individuals was critical to conducting the con.

Russian operatives purchased stolen U.S. identities, which they used to open U.S. bank and PayPal accounts and to buy access on U.S.-based servers; they then purchased Facebook ads and “buttons, flags, and banners” for political rallies. Employing VPNs to disguise that they were connecting to these U.S.-based servers from Russia, the agents posed as Americans on social media accounts. Consider U.S. privacy protections in light of this statement from the indictment: “Defendants also used the stolen identities of real U.S. persons to post on [Internet Research Agency]-controlled social media accounts. Over time, these social media accounts became Defendants' means to reach significant numbers of Americans for purposes of interfering with the U.S. political system, including the presidential election of 2016.”

Think about that for a moment: Information about private citizens was stolen, bought by Russian agents and then directed against the U.S. In the digital age, personal information about private individuals can be deployed as a weapon against the state.

Russia has highly skilled hackers; if Russian agents needed U.S. identities to conduct activities during the 2016 campaign, they could have bought them cheap—as they did—or stolen the identities themselves. Weak U.S. privacy protections make it easy for anyone to do the same—a status quo that is both dangerous and dumb.

It is well past time for Congress to treat citizens' privacy seriously (a step in the right direction is this bill, which is, however, sectorally focused). Data breaches can constitute not merely a privacy threat but also a national security risk. The consequences of failing to protect citizens' data must be commensurate with the risks that individuals and the state would suffer from the theft of personal data.