In 2019, the United States held the world record of having the highest average cost per data breach at $8.19m, and healthcare data breaches affected 80% more people than just three years prior in 2017. In today’s data-driven environment, it seems not a day goes by without hearing of a data breach or leak. Data privacy in the US is a growing problem caused primarily by the exponential increase of digital data, the trend of moving data storage to the cloud, and lack of a federal data privacy regulation.
Over the past several years, digital data has been increasing at an unprecedented rate. To put it into perspective, in 2019 the overall global population increased at just over 1% to 7.7 billion, while the number of unique mobile phone users increased by 2% to 5.8 billion. In addition, the number of internet users increased 9% to 4.4 billion, which is 57% of the global population. As global urbanization continues, the sheer number of people utilizing data in their day-to-day lives will continue to grow. All of this data, which moves across continents in seconds, needs to be stored and managed somewhere. This exponential increase in the use of digital data has required an equally aggressive increase in data storage capabilities.
As digital data increases, so does the trend of moving data storage to the cloud. Often misunderstood, the cloud is not some mystical cumulus floating in the sky with ones and zeros suspended in it. Rather, the cloud is nothing more than large data centers that house racks and racks of servers and drives that run 24/7. While larger businesses previously owned their own data centers or used in-house data storage, there has been a rapid shift to cloud service providers over the past five years. From 2017 to 2019, the number of cloud service data centers rose from 7500 to 9100, with 2020 expecting to see that number top 10,000. On the flip side, there were 35,900 data centers owned by non-technology firms in 2018, and that number is expected to significantly decline to 28,500 by the end of 2020. In fact, it is expected that the number of large companies in North America shifting away from using their own data centers to cloud service providers will increase from 10% in 2017 to 80% by 2022. As data increases exponentially and its storage shifts inexorably to the cloud, concerns over data security and privacy escalate in parallel, leading to much-needed data privacy legislation.
In 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) in an effort to protect the privacy of European consumers. While Canada had implemented the similar Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, GDPR proved to be far more aggressive legislation both in terms of reach and monetary penalty. GDPR requires that all organizations that do business with EU citizens adhere to the legislation, meaning that global organizations such as Apple, Facebook, and Google, as well as smaller US companies that sell to Europeans, are required to follow GDPR. Since its inception in May of 2018, GDPR has leveraged hundreds of millions of Euros in fines and is only getting more aggressive with enforcement; however, GDPR only affects organizations that have dealings with EU citizens. Conversely, the United States has fallen behind in data privacy legislation, leaving the onus of maintaining data privacy to individual states. As of March 2020, only the California Consumer Privacy Act (CCPA) requires deletion of personal data if requested in the U.S., similar to GDPR. Unlike their European counterparts, Americans are largely left to their own devices when it comes to data privacy and have little recourse when a breach occurs.
As more and more people embrace technology, the need for data storage increases, increasing the need for larger and faster data centers. The shift from on-premise to cloud storage only exacerbates the problem of data privacy by relying on technology giants to protect organizations’ consumer data. Breaches will only escalate in line with our digital footprint, of that there is no question. Key data security provisions need to be in place in order to stem the tide of leaked data. Some of these include the standardization of regulations for all organizations and industries, a right to be forgotten provision similar to GDPR and CCPA, specific mandates for end-of-life destruction of storage media, and significant monetary fines for noncompliance. Unfortunately, until we adopt a comprehensive federal data privacy law, the privacy of American citizens’ data will continue to be at serious risk.