By: Casey Bessemer

Let’s say that you are online shopping, as millions of Americans do. You go to Amazon.com and pick out a particularly nice doodad and buy it. It gets that sweet, free two-day shipping because you have Amazon Prime and it arrives and it’s the best time. But several weeks later, you learn that Amazon’s database has been hacked into and, to make matters worse, the hackers got away with enough of your personal information to open, and then spend on, several credit cards. How do you solve this problem? Will you sue Amazon for lack of adequate security measures? But where do you bring the suit, the place where Amazon keeps its servers or the place where the cyberattack originated? What if the attack originated from outside the United States, but was routed through several states before attacking Amazon’s servers? Each of these questions would have to be answered in a variety of ways, making the issue even more confusing.

In 2016, there were approximately 1,093 data breaches that affected more than 3.6 million files, with attacks predicted to increase as the world uses the internet to store more and more data.[1] These files contain personal data from various sources, everything from healthcare to social media to consumer websites. About half of Americans “feel that their personal information is less secure than it was five years ago”[2] and with Facebook founder Mark Zuckerberg’s recent testimony at his Senate hearing, I can’t blame them. Sure, there are methods, such as password encryption software, that consumers could use to better protect their personal data on their own end, but these major breaches are occurring within the major companies themselves, within their databases that are supposedly “secure.” Shouldn’t these corporations have to follow security measures to protect our data? It was a rhetorical question: the answer is yes.

Despite this, the United States has yet to enact any sweeping legislation that would relieve the consumer of the confusion of how to prosecute cyber-criminals. Consequently, “the struggle to regulate consumer data shows how lawmakers have largely been unable to turn rage at Silicon Valley’s practices into concrete action.”[3] The United States does have three key pieces of legislation (the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA)) but these pieces of legislation only cover specific industries, specifically “healthcare organizations, financial institutions, and federal agencies.”[4] They are of little use to the average consumer. Instead, the average consumer needs laws for a global medium that can be implemented across various jurisdictions with consistent rulings and punishments.

First, and perhaps the most obvious, is that the internet is not a singular place. Rather, the internet is “a global computer network providing a variety of information and communication facilities, consisting of interconnected networks using standardized communication protocols.”[5] And the fact that the internet is a “global” medium means that any information gathered by and then stored on the internet is effectively stored around the globe at a single time. Companies and legislatures may argue that the data is on servers and the servers are subject to the laws of the jurisdiction that the servers are located in, but when a malicious third party attacks those servers, they do not travel to the actual servers – they attack remotely, from any possible location with an internet connection. Since these attacks can come from any jurisdiction, it stands to reason that they should be punishable within any jurisdiction, regardless of the location of the attackers or the servers themselves. In the absence of some global legislation and taskforce, countries will have to rely on their own individual legislation and taskforces. Unfortunately, the United States has no such national privacy legislation.


Currently, “federal level security and privacy legislation are lost in a morass of partisan politics and corporate lobbying delays.”[6] So states have taken the task into their own hands. Currently, “at least 43 states and Puerto Rico [have] introduced or considered close to 300 bills or resolutions that deal significantly with cybersecurity; thirty-one states [have] enacted cybersecurity-related legislation in 2019.”[7] Now that is a lot of coverage, but not complete coverage. States, being independent jurisdictions and personalities, have chosen different methods of defining what a “cyber attack” means and what punishment is available to any offenders. For example, Nevada, Minnesota, and Maine have specific legislation that “prohibits using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to such,” while California has many more regulations, each targeting a specific goal such as consumer privacy or children.[8] But some states have yet to address the issue. It is because of this hodgepodge of legislation in different states that a national privacy law makes even more sense: a national security law would impose a consistent basis of prosecution and determinable punishments.


Because of the continued reliance on and use of the internet as a medium for transactions and storage of personal data, there will eventually come a time when the United States needs to enact a federal statute to completely cover cybercrimes, something akin to the General Data Protection Regulation (GDPR) in Europe. This change must come because the current method of state-by-state regulation creates a mess of legislation that does not completely cover cyber attacks, and because the internet is a global place, the legislation needs to be applicable everywhere. Although lawmakers have said “they wanted a new federal law to protect people’s online privacy,” little to nothing has actually happened.[9]

[1] A Glance at The United States Cyber Security Laws, https://www.appknox.com/blog/united-states-cyber-security-laws (last viewed Jan. 31, 2020).

[2] Aaron Smith, Americans and Cybersecurity, PEW RESEARCH CENTER (Jan. 26, 2017), https://www.pewresearch.org/internet/2017/01/26/americans-and-cybersecurity/.

[3] David McCabe, Congress and Trump Agreed They Want a National Privacy Law. It is Nowhere in Sight., N.Y. TIMES (Oct. 1, 2019), https://www.nytimes.com/2019/10/01/technology/national-privacy-law.html.

[4] Supra note 1.

[5] Internet, Oxford Reference (Jan. 10, 2020), https://www.oxfordreference.com/view/10.1093/oi/authority.20110803100008533.

[6] Cynthia Brumfield, 11 new state privacy and security laws explained: Is your business ready?, CSO (Aug. 8, 2019), https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html.

[7] Cybersecurity Legislation 2019, NCSL.COM (Jan. 10, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2019.aspx.


[9] Supra note 3.