Background
The proliferation in the availability and use of data has made the need to protect this information against unauthorized access increasingly important. Policymakers and the private sector play important roles in establishing the guardrails that will allow data uses that bring lasting consumer benefits, while providing data security protections aligned with AARP’s data privacy and security principles.
There are nearly 500 million active Social Security numbers (SSNs), according to estimates. Because government agencies and private businesses often use SSNs for a wide range of purposes unrelated to Social Security, the SSN has become the de facto national identifier. For this reason, SSNs are particularly valuable to identity thieves. They are used to assume the identity of another individual and commit fraud. They therefore require heightened protective measures. Agencies and businesses have begun replacing SSNs with specialized ID numbers to better protect customers’ identities. For example, starting in 2018, new Medicare cards have a Medicare-specific number on them in place of an SSN (see also Medicare).
Internet-connected devices are increasingly becoming part of everyday life. These devices are able to communicate and interact with other devices and external networks to share data. Many different types of devices are now connected, including smartphones, smartwatches, appliances, fitness trackers, thermostats, and cars. However, the rapid spread and growth of connected devices have outpaced the development of security safeguards necessary to protect consumers. Studies have found security vulnerabilities to be common in all types of connected devices.
One concern is that hackers will compromise connected devices to gain access to consumers’ sensitive personal information. Another is that hackers can exploit security weaknesses to gain control of the device itself. Once in control, the hackers can cause the device to function incorrectly or use it in unexpected ways. In addition, hackers are using compromised devices to carry out large-scale cyber-attacks aimed at disrupting large websites.
Experts recommend that product developers build strong security protections into connected devices from the earliest stages of product development. Devices should be “secure by design.” This means that the device has been designed from the ground up to ensure security. It is also important that devices are “secure by default” so that security protections are automatically active the moment the device is first used. Consumers should not have to take additional steps to configure the device for greater security.
DATA SECURITY: Policy
Security by design
Policymakers and the private sector should ensure that organizations effectively protect against unauthorized access to or misuse of consumers’ personally identifiable information (PII). This includes synthetic PII, which is created from other data.
Security controls should be embedded into products and services. Required security protections should be proportionate to the risks posed by the disclosure of PII.
Organizations should appropriately secure PII by default. This includes:
- only collecting PII that is necessary to make the product or service work;
- retaining data only as long as is necessary; and
- securely disposing of PII immediately after its intended use.
Organizations should document steps taken to protect consumers against the risks of reidentification of data that have been deidentified or otherwise masked.
Other security measures that should be embedded into products and services include:
- testing security throughout the development of the product or service as well as after the device is released to consumers;
- automatically downloading security patches, updates, and fixes for products and services where possible, while allowing consumers to manage security settings if they want to do so; and
- using strong information encryption solutions when transmitting or storing PII.
Protections should be updated to keep pace with changing technology and privacy standards. They should be developed with ample input from consumer stakeholders.
Transparency and accountability
Organizations must effectively inform consumers about how their PII is secured and what actions will be taken in the event of a security breach.
Policymakers should address organizational requirements in the event of a security breach involving PII. This includes establishing swift deadlines for providing consumers with notice of the breach, protecting consumers from identity theft and other harms, and remedying security risks identified in the breach.
Consumers whose personal information is put at risk because of a security breach should receive free long-term identity monitoring services and other forms of assistance. Companies that have been breached should provide information about additional ways people can protect themselves from identity theft at no cost to themselves. This includes putting in place a credit freeze. Identity monitoring service providers should refrain from marketing add-on services to those who receive free monitoring.
Security laws and regulations should include robust enforcement mechanisms to ensure compliance. These mechanisms include strong enforcement authority, fines/penalties, and swift compliance deadlines.
Social Security numbers (SSNs)
Companies, government agencies, and individuals should protect against the unauthorized use, display, collection, and sale of SSNs. Criminal and civil penalties for SSN misuse should be increased.
Companies should not be allowed to post or publicly display SSNs. They also should not print them on cards, transmit them over the internet or by facsimile, or send them by mail without safety measures.
In order to prevent fraud, the sale and purchase of SSNs in the private sector should be prohibited.
Policymakers should restrict unnecessary or inappropriate collection of SSNs when consumers purchase goods or services. Alternatives to SSNs should be used where practical.