The United States Congress made some significant progress this session when it comes to data privacy, but cybersecurity remains a blind spot for lawmakers.
Congress currently is considering a national privacy law that mirrors legislation enacted in the European Union. It would allow people to access, correct and request the deletion of the personal information collected from them. Though there are several ideas as to the final form the bill should take, a path became clear during the Senate Commerce Committee’s privacy hearing last month.
Congress also seems willing to address the consequences of new technologies. In December 2018 it passed the National Quantum Initiative Act, which authorizes US$1.275 billion for quantum research over five fiscal years. Some have argued that this newfound enthusiasm for tech might be used to fix the impeachment process.
When it comes to cybersecurity, though, Congress is still in the dark ages. Efforts to pass a privacy law often are seen as addressing both data privacy and cybersecurity, but in reality, they do not. Companies and consumers have been forced to take matters into their own hands, reflected in the recent announcement that Facebook has banned deepfakes, and the rising use of VPNs among the general population.
Privacy Means Nothing Without Security
This oversight with respect to security could have huge consequences for the efficacy of data privacy legislation. Though data privacy and data security are separate concerns, there is an inherent link between them. Security gets only cursory treatment in the current proposed law, and only general treatment in comparable legislation elsewhere: Europe's GDPR, for example, requires "appropriate technical and organisational measures" (Article 32) without saying what those are, and the Australian privacy bill passed two years ago is similarly nonspecific.
To understand how privacy and security are linked, consider an app that collects location data from its users. The types of data privacy law proposed (or already in force) would impose strict requirements on the company behind this app, such as telling its users what it is collecting, and what it does with the data. If the app is not properly secured, however, and the information is stolen or leaked, strong privacy policies will be of little comfort to users.
This oversight is apparent in almost all the legislation on data privacy in the U.S. The Information Transparency & Personal Data Control Act, which was introduced in the House last spring, contains a passage about the need "to protect consumers from bad actors in the privacy and security space," but it doesn't say how. The Consumer Online Privacy Rights Act goes a little further, but only two of its 59 pages give cybersecurity requirements for private companies, and those are vague.
Even the United States Consumer Data Privacy Act of 2019 provides only the broad instruction that companies should “maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of sensitive covered data.”
A Lack of Leadership
At best, the failure of Congress to tackle cybersecurity has left the data of millions of Americans unprotected. At worst, it represents a lack of leadership that has left responsible companies completely confused as to what their legal, moral and ethical responsibilities are when it comes to protecting user data.
In this context, there has grown a huge and unregulated market for cybersecurity tools and services, each claiming to offer class-leading protection against cybercrime. For companies, website security is now a major component of website maintenance costs. This is because CEOs are acutely aware of the risks of cybercrime, a form of criminality that will cost the global economy $6 trillion a year by 2021, according to Cybersecurity Ventures’ annual report.
Even the National Security Agency has warned that cybercriminals are "becoming more sophisticated and capable every day in their ability to use the Internet for nefarious purposes." Yet many companies fail to take basic precautions, such as disabling or deleting dormant and expired accounts.
To be fair to Congress, crafting a data security law that covers every private company is complex. Today, data is unlikely to be held by one company in one place, and assigning responsibility for protecting it has become a difficult issue. Any such law, therefore, would have to take into account the widespread adoption of cloud storage, SaaS business models, and other forms of distributed data storage and processing. In this context, it's understandable that most state-level laws on data security require companies only to adopt "reasonable" security measures, without specifying what those are.
On the other hand, there finally does appear to be an appetite in Congress to address these issues. A number of data protection laws already cover individual industries, such as HIPAA for healthcare and the Gramm-Leach-Bliley Act for financial institutions, and the FTC has brought some data breach-related enforcement actions under its relatively weak and vague consumer protection powers in Section 5 of the FTC Act.
Looking to the future, these industry-specific laws could form an excellent model for a national data protection law, as could state-level rules. The state most mentioned in this regard is New York, whose Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) arguably has the most comprehensive requirements. Financial services companies regulated in the state must meet more than 10 specific requirements, which include encryption of nonpublic information, penetration testing, vulnerability assessments, and oversight of service providers' cybersecurity.
New York also offers another lesson for Congress. In order to draft and adopt the regulation, the state convened an expert panel that brought together lawmakers, cybersecurity professionals, and the CEOs of major companies.
The development of an effective data protection law at a national level is going to require the same level of expertise and consultation. This is why some have suggested that a federal Department of Cybersecurity is the way forward. Such a department could bring together responsibilities that currently are fragmented across a huge number of departments.
Lacking even a basic indication from the government as to what constitutes adequate cybersecurity, many people are taking cybersecurity into their own hands. VPNs, tools that encrypt a user's traffic between their device and the VPN provider, are experiencing explosive growth. Just a few years ago, they were regarded as semi-legal tools that enabled consumers to get around Netflix geo-blocks or avoid cryptocurrency bans. Now, they are used by a significant proportion of the populace. It is worth noting what a VPN does not do: it protects data in transit, not the copy of that data sitting on a company's servers, which is where the breaches described above occur.
Whatever the outcome of these new legislative initiatives, data protection is no longer an issue that Congress can ignore. Protecting consumer data is important for the economy. At the broadest level, ensuring data security is also critical to the efficacy of data privacy legislation that already has been passed. That is to say nothing of the reputation of Congress, which would be severely damaged if it should fail to take leadership on one of the most important issues facing the U.S. today.