The U.S. House of Representatives Committee on Oversight and Government Reform released a report in December lambasting Equifax, Inc. for its poor cybersecurity leading to a cyberattack on its servers in 2017 that exposed the personal information of 148 million consumers, including nearly half of all American adults.
The report indicated that Equifax did little to patch its network security and kept its information technology and cybersecurity departments siloed from one another. It ended with a few recommendations. They included reviewing the sufficiency of Federal Trade Commission (FTC) oversight and enforcement authorities; reviewing the effectiveness of identity monitoring and protection services offered to breach victims; reducing the use of Social Security numbers as personal identifiers; implementing modernized IT solutions and holding federal contractors accountable for cybersecurity with clear requirements.
But the report said nothing about the need for a federal data privacy law.
While sector-specific cybersecurity bills have been enacted, earlier proposals for comprehensive data privacy and security legislation have failed to get off the ground. As early as 2009, for instance, U.S. Sen. Patrick Leahy, D-Vermont, introduced a bill, the Personal Data Privacy and Security Act. It never received a floor vote.
Lisa Malloy, the head of U.S. government affairs at Intel Corp., says that if ever a time would come when a federal data privacy regulation would be passed, 2019 will be the year. More and more people have become aware of how much of their personal information is on the internet, and they are more aware of the risks of having that information exposed.
A survey given to U.S. consumers by SAS Institute Inc., an analytics company, indicates that 67 percent of U.S. consumers think the government should do more to protect their privacy. And over the past couple of months, legislators, trade organizations and even tech companies have stepped up their efforts to pass data privacy and cybersecurity legislation.
Why now? More companies appear to be growing concerned with the idea of having a jumble of federal and state data privacy and cybersecurity laws, especially with the passage of the California Consumer Privacy Act of 2018 last June. The California law, however, will not fully take effect until 2020. There are also federal laws governing data privacy by sectors, such as the Health Insurance Portability and Accountability Act, administered by the U.S. Department of Health and Human Services, and the Fair Credit Reporting Act, overseen by the Federal Trade Commission.
David Hoffman, associate general counsel and global privacy officer at Intel, says the CCPA complicates the regulatory issue further. “It’s the patchwork issue that people are most worried about,” he says.
James Shreve, a partner and head of the cybersecurity practice at Thompson Coburn in Chicago, says that California is the only state that has a comprehensive law on cybersecurity or that goes beyond data breach reporting, and California tends to be the trendsetter for that kind of legislation. Right now, states have different laws on when companies are supposed to report data breaches.
“There’s more interest among industry in having something passed than we’ve seen in the past several years,” he says.
Miriam Wugmeister, co-chair of Morrison & Foerster’s global privacy and data security group and a leading expert in the field, says she supports the idea of a federal law.
“I absolutely do think there should be a federal privacy law. I think consumers should have the right to have a single set of rules that they know the organizations with which they’re doing business are using. And companies should have the ability to say ‘I have one set of rules I need to follow. I don’t have to do something different in New Jersey than in California.’ It’s not good to have this patchwork,” she says.
In Congress, legislators have introduced several proposals that would create an overarching law governing data privacy and cybersecurity: In July, Rep. Hank Johnson, D-Georgia, announced that he would be reintroducing two bills on cybersecurity and data privacy. One of them, The Application Privacy, Protection and Security Act of 2018 (H.R. 6547), would govern how data is collected and secured on mobile devices. He also introduced the Data Broker Accountability and Transparency Act of 2018 (H.R. 6548), which would require data brokers to establish procedures for accessing and correcting their collected information and allow U.S. citizens to have their data erased from corporate servers. This bill has a companion in the U.S. Senate introduced by Sen. Edward Markey, D-Massachusetts, S.1815.
In September, the Financial Services Committee in the U.S. House of Representatives passed the Consumer Information Notification Requirement Act H.R. 6743, sponsored by Rep. Blaine Luetkemeyer, R-Missouri. That bill would allow the Federal Reserve and Comptroller of Currency to establish standards to prevent a data breach, but would leave it up to state insurance regulators to enforce the federal standards on licensed insurance companies, according to an advisory by Crowell & Moring attorneys John Sarchio and Richard Liskov. It would allow, except in some circumstances, federal pre-emption of state laws, such as the model act for the cybersecurity of insurance data enacted by the National Association for Insurance Commissioners. The NAIC act was patterned after the New York Department of Financial Services’ comprehensive financial services cybersecurity regulations enacted in 2017.
In November, Sen. Ron Wyden, D-Oregon, introduced draft legislation on data protection bill that would amend the Federal Trade Commission Act to allow the commission to enforce data privacy and security standards and allow executives to be jailed for 10 to 20 years if they were found to be in violation of the standards.
Even more recently, in December, Sen. Brian Schatz, D-Hawaii, introduced the Data Care Act of 2018. The bill includes fines, but unlike Wyden’s bill does not include jail time for top executives. This legislation would require companies to use reasonable care when collecting data and places restrictions on how data can be shared. The law would be enforced by the FTC, however, state attorneys general may bring a civil action against an online service provider if they believe an online provider is violating the law and it is impacting residents of that particular state. When introduced, 15 other U.S. Senators had signed on in support of the stand-alone bill.
Tech Companies Weigh In
Tech companies also have released their own opinions and model federal legislation for data privacy and security in response not only to the California Privacy Act but also to the European Union’s earlier General Data Protection Regulation of 2016.
Intel released its draft proposal in early November with the hopes of fostering discussion on data privacy. Intel is accepting feedback on its draft legislation and will publish a second draft of the bill in 2019.
Alphabet Inc., the parent company of Google, which declined comment for this story, referred to its opinions on federal privacy legislation to a September blog post authored by the company’s chief privacy officer Keith Enright. In that post, Enright wrote that the organizations that misuse consumer data should be held responsible and that consumers should be able to easily find out who has their personal information and for what purpose it is being used.
The prevailing thought among the tech companies and the legislators is that the Federal Trade Commission would be the body that governs whatever kind of comprehensive law is passed. The FTC already oversees different privacy-related regulations for sectors of industry including the Gramm-Leach-Bliley Act for financial services and the Children’s Online Privacy Act.
Prospects for Legislation
Thompson Coburn's Shreve says that companies want a federal law to pre-empt any state laws on data privacy. He says that he believes as long as a bill would pre-empt state laws, it would get support from industry.
While many companies have spent years preparing for the European Union’s GDPR, Hoffman says he hopes that whatever bill would govern cybersecurity in the U.S. is different from the European law by making it less restrictive, which would allow for businesses to experiment.
“We don’t need a version of the GDPR,” Hoffman says. “We need a law for the U.S. with our unique culture and ethos of innovation and entrepreneurship.”
Some companies still have serious reservations about a federal law regulating privacy, however. Shreve, who spent 20 years working in Washington, D.C., as a cybersecurity and data privacy attorney, says he’s seen many attempts fail at federal legislation in the realm of data privacy and cybersecurity. He says that many times those failures are caused by partisanship, but he thinks that partisanship will not be an issue for a federal data privacy bill.
“I think, on the privacy side, you can end up with people who have very different views coming together and seeing things very similarly,” Shreve says.
Malloy says the challenge is that it is still difficult to get people to see eye-to- eye on issues such as pre-emption. In opposition to pre-emption, 32 states’ attorneys general signed a letter to the Committee on Financial Services in March of this year. The letter, which was written by Illinois Attorney General Lisa Madigan, says that states are better equipped to handle data breaches and enforce cybersecurity standards than the federal government is.
Says Malloy: “There has to be some coming together and compromise.”
An American GDPR? Companies’ Privacy Gurus Discuss Future Federal Data Law in DC
Legislating Cybersecurity: 2018 Adds Patches to the Quilt of Data Privacy Law Across the US
FTC Plan for Privacy and Data Security Enforcement Is Good News for GCs: Tech Attorney