Lack of federal data privacy law seen hurting IT security
Data privacy and data security are closely connected when it comes to ensuring U.S. business and consumer safety online.
That’s according to experts speaking during an online panel discussion hosted by the nonprofit policy think tank R Street Institute this week. Federal agencies such as the Cybersecurity and Infrastructure Security Agency support business efforts to improve data security. But Brandon Pugh, R Street Institute’s director of cybersecurity and emerging threats, said data privacy is equally important and currently lacks federal protection.
Pugh argued in support of a federal data privacy law. Several federal data privacy bills, including the American Data Privacy and Protection Act (ADPPA), have been introduced in Congress over the years but failed to become law. The ADPPA, for example, would’ve established personal data handling requirements for businesses and required consumer opt-in for targeted advertising.
“We think there’s a strong nexus between privacy and security,” Pugh said during the panel discussion. “It’s hard to separate them.”
Companies collect vast amounts of data on consumers — a growing concern that often gets overshadowed by more pressing data security concerns, said Jessica Dawson, information warfare research lead at the U.S. Military Academy at West Point Army Cyber Institute.
Dawson said the challenge will be overcoming two significant misconceptions about data collection.
“The two big myths in this space are, ‘They already have everything, so why bother?’ and, ‘If you have nothing to hide, what are you worried about?’” she said. “Those are two very deliberately structured myths to enable this sense of complacency about all of this data collection.”
Data collection occurs in multiple facets of consumer life, whether that’s through online shopping, social media, travel or even online searches. Dawson said companies bring those data points together to create a 360-degree view of a consumer.
She asserted that if consumers fully grasped the extent of companies’ data collection, they might not consent willingly. In the absence of protections like a federal data privacy law, companies largely adhere to industry standards for personal data collection, often leaving consumers with limited choices about the data gathered.
“All of this data collection — here’s the church you go to, here’s the alcohol you like, here’s the guilty pleasure you like to read that nobody knows about. Now all of that can be merged together and can create a very different picture about your life in a way that people are probably not going to be very comfortable with,” she said.
Some data privacy protections exist, including the General Data Protection Regulation in the European Union and U.S. state laws, such as the California Consumer Privacy Act and the Illinois Biometric Information Privacy Act. The laws establish restrictions around the collection of sensitive data.
However, the state laws fall short of touching the other vast amounts of personal data companies can collect, said Sam Kaplan, director and assistant general counsel for government affairs and public policy at Palo Alto Networks.
“There’s vast stores of data [that are] readily and publicly available,” he said.
Kaplan said that’s one of the reasons data privacy protection ties to data security. The more consumer information bad actors have access to, the more they can use to cause harm to consumers and organizations.
“Likes, interests, when and where you browse — that is the type of information that threat actors can use,” he said.
Pugh said several recent security breaches also have “massive privacy implications.” Popular genetics testing company 23andMe notified its customers this month that a cyber hacker stole millions of pieces of data from 23andMe, which was then advertised on an online platform.
Data minimization, which limits the amount of data a company can collect, is one method of protecting data privacy, Pugh said. Implementing legal data protection requirements for the data that companies collect is another.
Data privacy protection is something Congress needs to act on, he said. “Now is the time to do something.”
Dawson agreed with the importance of protection methods like data minimization. “Everyone is collecting everything they possibly can and not thinking through how [this can] be misused,” she said.