Policymakers speculated that 2019 would be the year Congress passed a comprehensive federal privacy law. Although 2020 brings the California Consumer Privacy Act (CCPA), there is still no federal privacy law. Nevertheless, it was encouraging to see senators on both sides of the aisle make a run towards that goal before Congress adjourned last year — and it’s particularly good to see security provisions included. Any privacy bill that is seriously considered must have language requiring that entities collecting and processing personal data also have strong security, as strong privacy simply cannot exist without strong security.
Previously, privacy and security legislation rarely intertwined. Now, policymakers are making progress in recognizing the essential link between the two. Because the two topics were once antithetical to each other, at least in some academic and policymaking circles, this in and of itself is a major accomplishment.
As we know, privacy rights require that individuals decide what data about them is collected, processed and shared. But without strong security to safeguard that data, even individuals who do not consent to the sharing of their data may find themselves the victim of a breach. Recently drafted privacy legislation has begun to acknowledge that security plays an important role in the data lifecycle and supports data privacy, but some critical issues still need to be addressed in a comprehensive bill, including:
- Preempting state privacy laws so that organizations are spending time and resources to comply with a single set of practice requirements — not multiple, often conflicting rules that confuse consumers and make compliance difficult for small and medium-size organizations.
- Including sufficiently strong, risk-based cybersecurity provisions requiring the protection of personal data, similar to those in the GDPR, and thoughtful state breach notification laws. These requirements encourage and empower organizations to design cybersecurity strategies and programs that fit their unique security risk profiles, based on their business, the associated risks to the individuals whose data they handle, and the types of data they handle.
- Making use of a liability incentive — a rebuttable presumption or a safe harbor, as opposed to overly specific regulations — to incentivize organizations to implement appropriately strong security.
The draft from Sen. Roger Wicker, R-Miss., the United States Consumer Data Privacy Act, and the Consumer Online Privacy Rights Act from Sen. Maria Cantwell, D-Wash., both recognize the importance of a risk-based approach to security by requiring accountability to the Federal Trade Commission. Additionally, these Senate proposals would require the FTC to develop regulations in collaboration with the National Institute of Standards and Technology.
NIST has a track record of giving organizations flexible tools and useful processes needed to implement strong cybersecurity and privacy initiatives, and a NIST-FTC partnership to ensure Americans’ privacy is a strong step in the right direction. Indeed, NIST must be applauded for recently publishing version 1.0 of a privacy framework to help organizations think through the process of securing personal data. Given the success of NIST’s Cybersecurity Framework, a model that has been broadly adopted by the private sector, I have high hopes for similar success on privacy with the newly released NIST Privacy Framework. One cautionary note: legislators should be sure there is no provision in their bills that would prevent states from adopting a standard such as either of the NIST frameworks.
These privacy bills and the handful of others in different stages of discussion are important steps forward, and in the upcoming months, members of Congress need to work together to prioritize the passage of a comprehensive federal data privacy bill that recognizes the importance of modern information security in the protection of our personal data. As policymakers consider privacy legislation, they must ensure that all states have the ability to adopt sensible standards.
2020 is the year to pass federal privacy legislation and finalize the NIST Privacy Framework. The private sector should align and work with Congress, the FTC and NIST to incorporate security language into upcoming legislation and help establish a robust, pragmatic privacy framework that can be used by all industries and adjusted to any size entity. We look forward to supporting the successful roll-out of both initiatives.
Tom Gann is the chief public policy officer at McAfee. Prior to joining McAfee, Gann managed cybersecurity policy, government relations, alliances, product marketing and sales functions at Intel, Sun Microsystems, Siebel Systems and Digimarc. He started his career on Capitol Hill, working as a legislative director and chief of staff to Congressman Tom Campbell. Gann has an MS in Management from the London Business School and a BA, with distinction, from Stanford University.