Trust is the foundation of the modern internet. Without confidence in the security measures companies employ to protect personal, location, or financial information, people wouldn’t share it.
IA Member Efforts To Secure Data
IA members work tirelessly to protect users online from unauthorized access to information that they collect and process, including preventing the alteration, disclosure, and/or destruction of personal information. They employ a wide range of measures to protect users’ information, including:
- Using industry standards and best practices in data protection such as firewalls, data encryption, two-factor authentication, maintaining robust physical security at data centers, and pseudonymizing data to guard against unauthorized access to personal information.
- Undergoing third party and internal security assessments and certifications.
- Conducting privacy risk assessments and taking steps to mitigate identified risks.
- Using automated technologies and human review to detect malware, phishing, spam, and other scams targeting users.
- Maintaining protections on personal information when it is shared with authorized third parties and partners.
- Employing bug bounty programs to encourage disclosure of vulnerabilities.
- Using strong encryption for privacy and security, and pushing back against government demands for backdoors.
Data Breach
Criminal and state-sponsored hackers present a dynamic, and continuously evolving threat to all entities, regardless of whether they are large or small, public or private. Successful network intrusions have many serious ramifications, including the risk of identity theft and/or financial harm.
Policy Position
Internet companies support a unified, national data breach notification standard. Today, each of the 50 U.S. states and four U.S. territories have adopted data breach notification laws to protect Americans from the risk of identity theft and other harms following a data breach involving personal information. All 54 of the breach notification laws vary by some degree, and some are in direct conflict with one another. As a result, conservative breach victims may err on the side of “over-notification,” which may result in inundating consumers with notices to the point they create a “boy who cried wolf” scenario in which consumers ignore notices because they are unable to effectively discern those that merit vigilance from those which can be safely ignored. Without a uniform national standard for data security and breach notification, the current patchwork is likely to grow even more complex and increase consumer confusion, further complicating compliance challenges for businesses, while failing to advance consumer notification or data protection.
IA members support a national standard that protects individuals and their personal information through clear notifications, defines a harm-based trigger for notification to avoid notice fatigue, and allows companies flexibility in how they notify individuals of unauthorized access to their personal information.