Data privacy violations need tougher punishments

(AP) The mishandling and misuse of consumer data has become one of the defining issues of the digital age. And so recent actions against the credit bureau Equifax and the social media giant Facebook were seen as a significant opportunity to set a course toward more meaningful accountability, security and privacy.

But the resulting settlements in both cases did little to ensure that consumers' most sensitive information is not imperiled again.

Equifax was hacked in May 2017, exposing the personal and financial information of more than 147 million U.S. consumers. Exposed were Social Security numbers, home addresses and credit card numbers. In the aftermath, Equifax offered inadequate services to those affected by the breach, even deploying forced arbitration and trying to sell its identity protection services to customers. In response, a coalition comprised of 50 U.S. states and territories, the Federal Trade Commission and the Consumer Financial Protection Bureau pursued legal action. Pennsylvania Attorney General Josh Shapiro, who spearheaded the coalition, confirmed that a number of consumers had their identities stolen or Social Security numbers posted online.

For its indiscretion, Equifax agreed to pay $700 million (roughly $4.75 per person affected) and strengthen its cybersecurity defenses. But for the 147 million people affected by this breach, does a $4.75 settlement and reactive policy changes make up for the value of the information that was revealed?

Facebook, meanwhile, has become notorious for its unethical privacy and security practices. Chief among these has been its collection and sharing of users' data, offering sensitive information to third parties without people's consent. These activities led to an FTC inquiry, resolved with a judgment earlier this month.

At first blush, the FTC seemed to slap Facebook pretty hard for its bad behavior — the company agreed to an unprecedented $5 billion fine and regular privacy reviews of new services and products. CEO Mark Zuckerberg, as well as other compliance officers, must certify Facebook is abiding by the terms of the agreement.

But the settlement quickly drew widespread condemnation. Sen. Josh Hawley, R-Mo., claimed the deal “utterly fails to penalize Facebook in any effective way." Sen. Ron Wyden, D-Ore., called the agreement a “sweetheart deal" that all but ensures “Americans will see our privacy violated again and again." The Electronic Frontier Foundation, a nonprofit digital rights group, wrote that the deal is “grossly inadequate to the task of protecting the privacy of technology users."

The EFF noted that the settlement does not address Facebook's practice of collecting, using and sharing user data, nor does it offer any mechanism for public transparency on how the company engages in this activity. Rather than force Facebook to change its business model, which runs entirely on exploiting users' data, the FTC opted to hand down an impressive sounding but largely inconsequential fine (Facebook has assets nearing $100 billion) and require weak systemic change.

It is apparent that regulators do not currently possess the wherewithal to adequately address the abuses of user data by major corporations. The settlements with Equifax and Facebook are not painful enough to force either company to significantly change its ways.

There are several avenues for more meaningful recourse. The Justice Department has reportedly opened an antitrust probe against Facebook, while Congress is considering federal data privacy legislation akin to Europe's General Data Protection Regulation.

But moving forward, data violations such as those found in the Equifax and Facebook cases must be met with more consequential punishments. For too long, companies have felt comfortable abusing users' data, knowing that the punishment would pale in comparison to the potential gain. That attitude must change and, if necessary, regulators must make it.

Pittsburgh Post-Gazette