According to the Identity Theft Resource Center, there have been about 12,000 known data breaches since 2005. The number of records accessed by hackers runs close to 12 billion, according to the Privacy Rights Clearinghouse.
While the number of reported breaches declined last year from a year before, the total number of records accessed more than doubled, according to a recent report from the consulting firm Risk Based Security.
The Accellion breach that affected Health Net's medical records also exposed the data of other big companies and organizations, including Stanford University, UC Berkeley, Kroger and the law firm Jones Day.
Obviously our existing regulatory framework — or lack thereof — isn't up to the challenge of highly skilled and determined cybercriminals. We need to do better.
"A single national omnibus bill would be a clearer standard than what we have now," said Richard DeMillo, chairman of Georgia Tech's School of Cybersecurity and Privacy.
It's not like members of Congress have to reinvent the wheel. One template they could follow is California's Consumer Privacy Act, the strongest state privacy law in the country. A more robust California Privacy Rights Act takes effect in 2023.
Among other things, the California Consumer Privacy Act mandates that businesses tell customers what information they've gathered about them and stop selling those data if requested.
More sweeping rules can be found across the Atlantic. Europe's General Data Protection Regulation took effect in 2018 and now serves as the global standard for privacy safeguards.
Among the more noteworthy elements of the European law:
—Companies must obtain consent from customers before using or sharing their personal information. Companies must make it similarly easy for a customer to withdraw consent.