In the last several months, a series of tech company executives have sat before Senate and House panels, peppered with questions, smart ones at that, about how their companies protect data. Imagine that, Congress asking prescient questions about a tech-related subject. The hearings held on Capitol Hill marked a turning point of sorts – lawmakers motivated to act on privacy…and au courant to boot. Well, sort of.

Fueled by a spate of state privacy bills, including the hard-nosed California Consumer Privacy Act and some eye-popping, difficult-to-ignore privacy violations, it seems Congress is finally motivated and engaged. And that puts a national law, on par with Europe’s GDPR, within spittin’ distance, as they say down South.

“The tectonic plates are coming together,” says J. Trevor Hughes, president of the International Association of Privacy Professionals (IAPP). “Whether that creates an earthquake or a volcano remains to be seen.”

At the heart of all privacy initiatives is a four-letter word – data. “We all know that data is money, and for this reason, businesses have been on a data gathering binge enabled largely by the internet. All that is about to change,” says Chris Olson, CEO of The Media Trust. “Landmark privacy laws like the California Consumer Privacy Act are tipping the scales in favor of consumers, who are demanding more transparency and control over what of their information is gathered, how it’s used, and to whom it’s sold.”
As well they should. Imagine being a survivor of a disaster then having the Federal Emergency Management Agency (FEMA) share your personal data – including banking information – with a third-party contractor.

FEMA overshared the personal information of survivors of three hurricanes – Maria, Harvey and Irma – and the 2017 California wildfires who used its Transitional Sheltering Assistance program.

The incident, which exposed information on more than two million Americans, underscores the need for a national privacy law, says Ping Identity CCIO Richard Bird.

As does Facebook’s most recent privacy transgression, in which the company discovered that it had stored some user passwords in a readable format within its internal data storage systems, according to a March 21 blog post.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” writes Facebook Vice President of Engineering, Security and Privacy Pedro Canahuati. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

Canahuati explains in the post that the passwords were never visible to anyone outside the company and that there is, so far, no evidence they were internally abused or improperly accessed.

And the threat to privacy from outside the country’s borders continues to grow. Leveraging PII is just one of the corrosive cyberthreats the U.S. faces from nation-states, Gen. Paul Nakasone, commander of the United States Cyber Command and NSA director, said recently at RSA.

In the absence of a federal law, the way privacy violations – notifications, penalties and the like – are handled varies from state to state. But no matter how closely stitched the patchwork of state laws, they leave gaps. “The piecemeal approach happening state by state will create no safety net for our citizens,” says Bird.

It also leaves organizations hanging without consistent guidance on how to handle privacy breaches – or even what constitutes protected information – which is why the private sector is clamoring for overarching federal legislation.

Just last fall Apple
CEO Tim Cook called for a national law. Addressing attendees at the International Conference of Data Protection and Privacy Commissioners, Cook said his company is “in full support of a comprehensive federal privacy law in the United States.”

He dismissed the argument made by some tech companies that they could “never achieve technology’s true potential” if they are “constrained by privacy regulation” as not only “just wrong,” but also destructive.

“We will never achieve technology’s true potential without the full faith and confidence of the people who use it,” he said, noting that legislation should be based on users having the right to access the data companies collect and the right to security. “Security is foundational to trust and all other privacy rights.”

Apple, of course, is not alone in its call for a law at the federal level. At a privacy law discussion at RSA in March, Julie Brill, vice president and deputy general counsel at Microsoft, said, “We want some laws on the books,” calling for strong policy that applies to all major companies.

Noting that a federal bill has gained “more momentum than we have ever had,” Google Public Policy Manager Sarah Holland says the conversation around privacy “is much different from where it was five years ago.”

Holland, whose company is appealing a stiff fine from European regulators for an alleged GDPR violation, says she “didn’t think two years ago, the Chamber of Commerce would release privacy regulations.”

This time it will be different

This isn’t the first time a federal law has been discussed in earnest – over the years, lawmakers have tried to tackle privacy but with limited success. Unlike many legislative efforts on Capitol Hill, those efforts haven’t been so much constrained by partisanship – privacy is by and large a bipartisan pursuit and members of both parties have advocated for legislation.

“Look at the political spectrum – I don’t think we’ve ever seen those on right and left calling for the same thing,” Holland says.

Strong advocates in Congress like Sen. Ron Wyden, D-Ore., and Rep. Will Hurd, R-Texas, have been hammering on privacy and compelling their colleagues to finally take action.

The tech companies, too, are adding their weight and expertise to the initiative. “Part of our job [is] to show up and actively engage and say what we think [the] impact of law will be,” says Holland. “We know how these systems work and we want to provide this information as long as the conversations are transparent.”

While the “odds are greater than ever there will be a federal privacy bill, still [there’s] only a 30 percent” chance of passage, says Brill. “We’re seeing more conversation, so why?”

Privacy legislation, even with widespread support, is difficult. Defining what constitutes both personal data and adequate privacy protections can challenge the most tech-savvy experts, so it often seems insurmountable in the hands of a Congress whose members are sometimes woefully ill-prepared to tackle even the most clear-cut of technical issues.

But lawmakers – or their staffs – seem to be doing their homework. The questions during hearings are smarter and more incisive. And privacy legislation has taken on a certain urgency – they’re facing increased pressure to pass a bill before the CCPA goes into effect in January.

“The industry is looking for pre-emption, they want a single law,” says Hughes, “which would require legislation by the end of this year.”

As challenging as crafting privacy legislation might be,
U.S. legislators don’t have to conjure a bill completely from scratch but rather might borrow from what already exists legislatively at the state level and overseas – a little GDPR, a little California with a dash of other state efforts thrown in.

The EU has done much of the legwork with GDPR, successfully tackling the definition of personal data, adding teeth to legislation in the form of hefty fines and granting regulators the authority to pursue violations.

The European Union spent a lot of time putting together, debating, reviewing and finalizing GDPR. The rules replaced the EU’s previous data protection laws dating from 1995, when the internet was just emerging. It gives citizens more control over their own private information and it’s intended to give businesses clarity and legal certainty. Fines can be up to four percent of global turnover and the law requires speedy breach notifications (where feasible, within 72 hours).

Congress also is likely to find guidance in the CCPA, which could serve as a blueprint of sorts on the national stage. While the upcoming law isn’t a carbon copy of GDPR, Kalinda Raina, senior director and head of global privacy at LinkedIn, recently told an RSA audience that it is part of a greater trend she referred to as a “GDPRization of laws across the world,” including new privacy legislation recently proposed by countries like Brazil and India and also by individual U.S. states.

The CCPA is built around a set of goals to allow users to understand the data that is being collected about them, how it’s shared and used, as well as let them access the data and forbid companies from selling it. Companies that have been breached can be compelled by the courts to pay $100 to $750 for each California resident affected.

State legislators defined personal information, recently expanding it to include medical, healthcare and a variety of other personal identifiers.

Even with GDPR and CCPA to serve as guidelines and deadlines looming, that’s not to say legislation is imminent – Congress still has a long way to go to craft a bill that can pass muster.

“The devil is in the details – you have to watch the deals that are being made” to bring a law to bear, says Hughes.

“At least two bills have been introduced with an eye to avoiding the confusion and chaos that a patchwork of state laws might trigger,” says Olson. “It will likely take more than a year for a data privacy bill to get through the committee hearings process and then signed into law.”

In the meantime, companies shouldn’t sit back and assume compliance with GDPR will meet any new legislation’s privacy bar. “This is not the time to take a wait-and-see approach,” said Ruby Zefo, chief privacy officer at Uber, in an RSA conference keynote session, discussing the California law. “It’s here, it’s not going to change very much in my opinion, unless it’s to get more onerous for businesses, so you really should start prepping now.”

And Raina noted, “if you’re not already started, now is the time.”

Privacy Legislation

What makes a good privacy law?

U.S. lawmakers are likely to draw from both the GDPR and the
California Consumer Privacy Act (CCPA), as well as other strong state legislation to craft a robust privacy law that includes at least the following elements:

Concept of notice. Organizations’ policies on information gathering and use vary. “A person should know why information is collected and what will be done with it,” says Peter Blenkinsop, co-chair of the Drinker Biddle information security, privacy and governance practice.

Notification. Requirements for notification in the aftermath of a breach or violation also vary. GDPR says that organizations are required to notify regulators within 72 hours after a breach is discovered. A U.S. law should do the same.

Choice. Once consumers provide information to an organization, they often have no idea where it goes from there. “Individuals should be able to choose with whom they share information and how information is shared with third parties,” says Blenkinsop.

Ability to amend. There’s a lot of information out there, some of it inaccurate, outdated and stored much longer than necessary, leaving users vulnerable. “Do individuals have the right to understand what information is collected about them and to what extent information can be amended?” Blenkinsop asks. That’s something a new law should address.

Definition of personal information. “GDPR is a good template” for determining what organizations need to protect, says Baffle CEO Ameesh Divatia, because it “clearly defines what is sensitive data, even down to IP addresses.”

DPO requirement. GDPR calls for data protection officers (DPOs) to oversee and maintain compliance for the organizations or groups of organizations that they represent. The DPO sits on the non-asset side to make sure data is collected, stored and processed in accordance with the law, says Divatia.

Enforcement authority. In Europe, the Information Commissioner’s Office is the enforcement authority for GDPR. In the U.S. that task will likely fall to the Federal Trade Commission (FTC), already the primary enforcer of federal law and regulations surrounding consumer privacy. “Right now, they have to rely on the FTC Act,” says Blenkinsop. “Legislation would then most likely give FTC specific authority to regulate privacy and enforce requirements.”

Under a bill reintroduced in March by Rep. Suzan DelBene, D-Wash., the FTC “will have the authority to hold companies accountable,” the lawmaker said in a release.

The bill, says Daniel Castro, vice president of the Information Technology and Innovation Foundation, would “significantly strengthen the FTC’s enforcement capabilities” and “establish uniform national rules.”

Stiff fines. Of course, no enforcement is effective unless it has teeth. This is the section that made organizations around the world stand up and take notice of GDPR. It also marked a departure from assessing fines based on damages incurred. “Regulators said [fines are] going to be based on how much revenue they make – that got their attention,” says Divatia.