What does the newest U.S. privacy bill mean for cybersecurity?
On Tuesday, June 14, the U.S. House Committee on Energy and Commerce held a hearing on the American Data Privacy and Protection Act discussion draft — a leading contender for a comprehensive federal privacy framework. The famed sticking points of individual redress mechanisms, preemption of state laws and the role of the U.S. Federal Trade Commission — the law’s likely federal enforcer — were among the slew of debated aspects. However, the cybersecurity provisions and data security requirements necessary to create a bill that not only guarantees a right to privacy but also creates a safer place for all Americans were not discussed extensively.
While these issues were not discussed at length, the bill addresses how to handle data security and cybersecurity directly and indirectly.
Laying a security foundation
Data privacy cannot exist without a robust cybersecurity foundation. This draft would be the first comprehensive federal bill to require data security and the protection of covered data for most entities, including data security policies and reasonable administrative, technical, and physical practices and procedures with at least six specific requirements. The FTC would be responsible for providing compliance guidance, which must consider the entity size, sensitivity of data and the cost of tools because not all entities are the same. The bill would also establish corporate accountability for lost or stolen data with specific obligations for large data holders.
Increasing competitiveness and international security
The bill improves cybersecurity through stronger and more secure ties to our international allies and partners. The United States is one of the only industrialized countries that lacks a single national privacy law, which affects our global competitiveness and creates barriers to common business practices like data transfers. This leaves the U.S. behind while other countries take steps to improve data security. As the Cyberspace Solarium Commission noted, the status quo “threaten[s] to splinter the digital economy, confuse[s] efforts to secure users’ personal data, and imperil[s] the ability of American companies to compete globally.” The draft bill would help resolve these deep international disconnects and put America back in a leadership position.
Protecting Americans from adversaries
Notwithstanding broader connections to our allies, the bill also strengthens protections for American citizens against the collection of their personal information by our adversaries. The bill requires covered entities to inform individuals if their data is transferred, processed or made available to select countries like China or Russia. These countries work to gather our data and weaponize it against us, but our laws and policies should not tolerate — let alone be accustomed to — such behavior. The draft bill starts to take action to ensure the United States maintains its competitive advantage through the security of our data.
Accounting for security needs
Situations will likely arise where exceptions need to be made to protect individuals or data, especially where cybersecurity and national security are concerned. This bill allows data to be used for limited purposes, if it is necessary and limited, such as detecting or responding to a security incident or protecting against fraudulent or illegal activity. This flexibility is important to ensure security incidents and illegal activity are appropriately addressed.
Some have suggested that “the ADPPA as drafted could create substantial headwinds for routine, enterprise-focused cybersecurity activity.” For example, some claim that the definition of sensitive covered data pertaining to online activities is too broad. They argue the breadth of the definition may limit the ability of companies to use unique identifiers for security functions. Conversely, others claim that the vague definition of covered data is necessary to account for the wide range of types of data. The exceptions in the bill for security incidents, protecting against illegal activity and comporting with warranties are sufficient to provide for the security needs of organizations while maintaining privacy requirements.
Laying a cybersecurity foundation, increasing competitiveness and international security, protecting Americans from adversaries, and accounting for data security and cybersecurity needs are among the most important aspects of the draft bill. There are parts of the discussion draft that could be improved, but in the aggregate, the bill is a substantial step forward. Our economy, consumer safety, and perhaps most importantly, national security hang in the balance of passing data security and privacy legislation. After all, there can be no privacy without security.
