Consumer group: Capital One breach highlights need for Congressional action on data security legislation

July 30, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242, or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC—Just one week after consumers received relief from the massive Equifax breach, yet another massive breach—this time at Capital One bank—is placing consumers at risk, yet again, of identity theft.

In one of the largest financial breaches in history, more than 100 million Capital One accounts and 140,000 Social Security numbers were reportedly compromised. As was the case in previous breaches, the Capital One breach appears to have stemmed from a third-party cloud hosting vendor that stored Capital One’s data.

The National Consumers League (NCL), the nation’s pioneering consumer and worker advocacy organization, is calling on Congress to immediately pass comprehensive privacy legislation and protect highly personal data.

“Consumers are sitting ducks if big banks like Capital One, giant hotel chains like Marriott, and credit scoring companies like Equifax don’t take the necessary steps to protect our data,” said John Breyault, NCL’s vice president of public policy, telecommunications, and fraud. “When companies like Capital One are sloppy in protecting consumers’ data, it allows hackers steal consumer information which ultimately fuels identity theft and other frauds against us.”

“More than five years after hackers compromised the personal information of nearly 110 million Target customers, criminals are still breaking through supposedly strong firewalls and stealing consumers’ personal data from companies. Any data security legislation must require that consumer data be protected with strong fines and criminal penalties for failing to do so,” said NCL Executive Director Sally Greenberg.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Carpenter v. United States: Impacts on privacy legislation – National Consumers League

The U.S. Supreme Court decision last week in Carpenter v. United States will shape the relationship consumers have with their wireless devices and the services they use every day for years to come. In a 5-4 decision, the Court held that by obtaining cell-site records, the U.S. government performed a search. By doing so without a warrant, this search was judged unconstitutional, violating petitioner Timothy Carpenter’s Fourth Amendment rights and reversing two previous decisions.

In the case, the FBI had requested records as part of an investigation into several Detroit-area armed robberies, and those records included details about call dates, times, and approximate locations. Carpenter asked that the cell phone evidence be suppressed because it was obtained in a search without a warrant.   

You’re thinking, “And? I’m not accused of armed robbery,” but it’s bigger than Timothy Carpenter. The Carpenter decision affects all of us, and in essence redefines government searches in a digital age.

Think of your relationship with your cell phone. According to Pew, 95 percent of Americans now own one. The same study found that for one in five of us, our smartphone is our sole source of Internet service. We carry them to work, to school, to our homes, and to meet up with friends. They go with us to our meetings, appointments, and vacations. They are a key vector through which we’re understood. Part of that is an unprecedented ability to locate us. When 95 percent of us are moving and communicating with our phones, and when 20 percent of us are using them as our only personal Internet connection, government access to when and where we use cell phones becomes an inroad to very intimate surveillance.

The FBI obtained records defined by the Court as “personal location information maintained by a third party” under the Stored Communications Act (SCA). SCA compels service providers to hand over records of electronically stored communications to government, without a warrant requirement, provided there is evidence for the information’s relevance to an ongoing investigation. Last week’s decision sets a new standard for expectations of digital privacy at a time when consumers and government are grappling with how to think about our lives online using documents drafted by the nation’s founders.

NCL has previously stated that consumer privacy is an integral part of the data economy, and we advocate for robust consumer protections in this space to encourage safe and secure use of online services. We applaud the Court’s decision and see it as an important step in the fight to safeguard consumers’ data in the United States and beyond.

Rebecca Kielty is spending the summer with John Breyault’s team, working on consumer privacy issues as NCL’s 2018 Google Public Policy Fellow. Rebecca received her B.A. from the University of South Florida Saint Petersburg and her M.A. from Georgetown University.