Data security expert calls for stronger cybersecurity laws

As we become an increasingly digitally connected world, the loss of privacy and security is almost inevitable. But if we don’t adopt stronger data security laws, said Northeastern professor Woodrow Hartzog, we might be left with a digital landscape that could be marred by chaos and deregulation.

The extent of the risk came blaring through with Marriott’s disclosure last month that hackers had exposed the personal information of up to 500 million customers. No sooner had Americans had time to digest that bit of bad news than Quora announced that 100 million of its user accounts were compromised.

Hartzog, who teaches law and computer science at Northeastern, paints a bleak picture of a dystopia that could debilitate our entire data ecosystem if measures to address data security that would safeguard Americans aren’t taken soon.

“If people lose the ability to trust those who are collecting our data then ultimately we’ll all lose, because we’ll lose the promise of the data ecosystem; we’ll lose out on the potential of artificial intelligence and other benefits to be gained from these information technologies,” Hartzog said.

That’s a world no one wants to live in, but it’s one we are headed toward, Hartzog said, pointing to the reactive rather than proactive role that the Federal Trade Commission has historically played in policing bad actors such as companies and third-party vendors.

Hartzog, who specializes in privacy, data protection, robotics, and automated technologies, will argue these points Wednesday at the Federal Trade Commission’s two-day hearing on competition and consumer protection. The agency is in the midst of reassessing its entire approach in the digital era.

“There is right now a dispute among those in the data security law and policy community as to how the U.S. should regulate data security, which in this instance largely falls to the FTC because they’re the nation’s de facto enforcer of data security policy, and there are two paths that the FTC could take,” he said.

The first would maintain the status quo, which until now has meant filing individual complaints against companies the FTC finds have failed to uphold “reasonable data security practices.” This is in itself a vague concept that has become the default statutory and common law standard.

The second, more arduous alternative would compel the FTC to create a streamlined system of rules to include requirements such as regular audits, strong password protocols, and two-factor authentication.

“There are a number of trade-offs that are going to need to be made,” Hartzog said. “One of them is this strong tension between companies wanting to know exactly what they need to do under the law to provide adequate data security and the flexibility within the law to actually incentivize good data security, and not just form a checklist compliance without meaningfully actually protecting information.”

Hartzog’s role is to help the commission understand the complexities of data security in order to chart an appropriate course of action. And he thinks we should all be tuning in and holding our lawmakers accountable before the next major breach occurs.

“By far, collectively, the most important thing that we can all do is make data security a political issue,” he said. “We can ask candidates that are running for office what their plan is to help create better data security rules. We should care because as a matter of civic participation, our data security depends upon our civic participation in the system.”

Hartzog will speak on a panel titled “FTC Data Security Enforcement.” The hearing takes place Wednesday from 2:45 p.m. to 4:15 p.m. and will be moderated by Jim Trilling and Laura Riposo VanDruff, both members of the FTC’s division of privacy and identity protection.
