—Consumers have a right to know how their personal data are being used and to receive a free copy of any such information held by a business.
—There's a right to be forgotten — that is, an individual can require that a business erase his or her data and make no further use of it.
—Any violation of the law can result in a fine of as much as 20 million euros (about $24 million) or 4% of the company's annual global revenue, whichever is greater.
A key provision, in light of Health Net's foot-dragging response to the January breach, is a requirement that European companies notify authorities of any data loss within 72 hours of discovering the event.
Moreover, businesses must notify customers "without undue delay" if there's "a high risk to the rights and freedoms" of people affected by the breach. That's a fancy way of saying you can't keep stuff like this under your hat.
Could we see something along these lines at the national level any time soon? Probably not, said Georgia Tech's DeMillo.
It's hard to imagine, in the current political climate, Republicans and Democrats agreeing on even the most common-sense measures to protect people from hackers, he told me.
"Conservatives would almost certainly push for language for a weak federal law that preempts stronger state statutes," DeMillo said.
The breaches involving Facebook and Health Net show that this problem isn't going away, and that the existing privacy measures of many large companies (and their partners) are inadequate.
Perhaps it would take a hack attack on Congress to get lawmakers to act.
Then again, in light of the stunning inaction that followed the Jan. 6 riots, even that probably wouldn't get us the help we need.

©2021 Los Angeles Times. Visit at latimes.com. Distributed by Tribune Content Agency, LLC.