Data Security


There has been a proliferation in the availability and use of data. The need to protect this information against unauthorized access has become increasingly important. Policymakers and the private sector play important roles in establishing the guardrails that allow data uses that bring lasting consumer benefits. At the same time, data security protections aligned with AARP’s data privacy and security principles should be provided. 

Some types of data are sensitive and need heighted protections. For example, according to the Federal Trade Commission, the unauthorized disclosure of health, financial, and precise location personal information is especially harmful. Social Security Numbers (SSNs) likewise need heightened security protections. Because government agencies and private businesses often use SSNs for a wide range of purposes unrelated to Social Security, the SSN has become the de facto national identifier. For this reason, SSNs are particularly valuable to identity thieves. They can be used to assume the identity of another individual and commit fraud. Agencies and businesses are routinely replacing SSNs with specialized ID numbers to better protect customers’ identities. For example, in 2018, new Medicare cards began using a Medicare-specific number on them in place of an SSN. 

Internet-connected devices are increasingly becoming part of everyday life. These devices are able to communicate and interact with other devices and external networks to share data. Many distinct devices are now connected, including smartphones, smartwatches, appliances, fitness trackers, thermostats, and cars. However, the rapid spread and growth of connected devices have outpaced the development of security safeguards necessary to protect consumers. Studies have found security vulnerabilities to be common in all types of connected devices. 

One concern is that hackers will compromise connected devices to gain access to consumers’ sensitive personal information. Another is that hackers can exploit security weaknesses to gain control of the device itself. Once in control, the hackers can cause the device to function incorrectly or use it in unexpected ways. In addition, hackers are using compromised devices to carry out large-scale cyberattacks aimed at disrupting large websites. 

Experts recommend that product developers build strong security protections into connected devices from the earliest stages of product development. Devices should be “secure by design.” This means that the device has been designed from the ground up to ensure security. It is also important that devices are “secure by default” so that security protections are automatically active the moment the device is first used. Consumers should not have to take additional steps to configure the device for greater security. 



Security by design

Policymakers and the private sector should ensure that organizations effectively protect against unauthorized access to or misuse of personal information. This includes synthetic personal information, which is created from other data. 

Security controls should be embedded into products and services. Required security protections should be proportionate to the risks posed by the disclosure of personal information. 

Organizations should appropriately secure personal information by default. This includes: 

  • only collecting personal information that is necessary to make the product or service work, 
  • retaining data only as long as is necessary, and 
  • securely disposing of personal information immediately after its intended use. 

Organizations should document steps taken to protect consumers against the risks of reidentification of data that have been deidentified or otherwise masked. 

Other security measures that should be embedded into products and services include: 

  • testing security throughout the development of the product or service as well as after the device is released to consumers; 
  • automatically downloading security patches, updates, and fixes for products and services where possible, while allowing consumers to manage security settings if they want to do so; and 
  • using strong information encryption solutions when transmitting or storing PII. 

Protections should be updated to keep pace with changing technology and privacy standards. They should be developed with ample input from consumer stakeholders. 

Transparency and accountability

Organizations must effectively inform consumers about how their personal information is secured and what actions will be taken in the event of a security breach. 

Policymakers should address organizational requirements in the event of a security breach involving personal information. This includes establishing swift deadlines for providing consumers with notice of the breach, protecting consumers from identity theft and other harms, and remedying security risks identified in the breach. 

Consumers whose personal information is put at risk because of a security breach should receive free long-term identity monitoring services and other forms of assistance. Companies that have been breached should provide information about additional ways people can protect themselves from identity theft at no cost to themselves. This includes putting in place a credit freeze. Identity monitoring service providers should refrain from marketing add-on services to those who receive free monitoring. 

Security laws and regulations should include robust enforcement mechanisms to ensure compliance. These mechanisms include strong enforcement authority, fines/penalties, and swift compliance deadlines. 

Social Security numbers (SSNs)

Companies, government agencies, and individuals should protect the unauthorized use, display, collection, and sale of SSNs. Criminal and civil penalties for SSN misuse should be increased. 

Companies should not be allowed to post or publicly display SSNs. They also should not print them on cards, transmit them over the internet or by facsimile, or send them by mail without safety measures. 

In order to prevent fraud, the sale and purchase of SSNs in the private sector should be prohibited. 

Policymakers should restrict unnecessary or inappropriate collection of SSNs when consumers purchase goods or services. Alternatives to SSNs should be used where practical.