Congress Needs to Start Caring About Our Privacy as Much as China Does


Tatyana Bolton
Former Policy Director, Cybersecurity and Emerging Threats
Matt Gimovsky
Former Senior Principal Subcontracts Specialist, Raytheon Technologies
Harry Krejsa
Assistant National Cyber Director for Strategy & Research, Office of the National Cyber Director, The White House
Cory Simpson
Former Managing Director, Cybersecurity and Privacy, Ankura

Key Points

America’s adversaries are eager to steal and exploit our data.

If Congress wants to protect Americans’ data, it needs to pass a federal data security and data privacy law.

Previous bills have set the groundwork for future legislation. Settling issues around preemption, private right of action and agency enforcement will be difficult, but it is achievable.


Executive Summary

As much as 90 percent of the world’s data was created in the last two years alone. Since then, developments like cheap data storage, rapidly maturing artificial intelligence and machine learning have accelerated humankind’s ability to derive value from this vast new data pool. As a result, our ability to generate, collect, analyze and monetize data is surpassing our ability to consider the consequences such advances hold for our economy, privacy or even national security. The policy implications of these changes are profound.

Domestic life is now overwhelmingly conducted online and the data generated by virtue of this activity is a source of great innovation, as the COVID-19 pandemic has laid bare. We are simultaneously blessed with, reliant on and increasingly vulnerable to the complex variables of digital interconnection. Even before the pandemic, it was clear that the expansive digital connectivity we enjoy comes with increasing risks—particularly that of the loss of data security and privacy.

The consequences of data loss now reach far beyond web page defacement. Increasingly, stolen data is becoming a means of harming U.S. national interests via the theft of intellectual property, interference with our elections and financial and reputational loss. In the face of these clear and dynamic threats, the United States must act on data security and privacy legislation. Americans are broadly concerned about securing their data but believe themselves powerless to do anything. Because consumer data now connects national security and consumer protection so decisively, Congress must act to fulfill its constitutional responsibility not only to regulate interstate commerce, but also to provide for the common defense.

Our adversaries have repeatedly demonstrated a willingness to steal our data and commit resources or incur risks to push their visions of a less-secure, less-private, more malleable and more controllable internet onto the world. Congress must demonstrate a similar pragmatism, but one rooted in American values. If the internet is to remain open and interoperable—if it is to be used as a medium over which information freely flows uncensored by government—then Congress must act to ensure the digital realization of our American values.

The 117th Congress’s predecessors have fortunately already poured the foundation for strong data security and privacy. The last questions standing in the way of consensus are significant, but eminently surmountable. Lawmakers should keep in mind that their task is not to agree on and then create a utopian ideal for data handling, but rather to establish a strong federal floor for data security and privacy. This robust federal floor will not only protect everyday Americans from data theft and exposure, but will also bring coherence to interstate commerce, improve the global digital interoperability of American businesses, shore up our defenses against cyber espionage and attack, and, critically, demonstrate to our allies and our adversaries alike that American values are not 20th-century anachronisms, but are here to stay. Such a law sounds like a tall order—but consensus is closer than it appears.
