What are the biggest points of contention impeding passage of federal privacy legislation (and 3 other security laws)?
Government at any level is infamous for moving at a snail’s pace, as politics, red tape and competing interests often get in the way of progress. Technology, on the other hand, moves at lightning speed.
Unfortunately, this duality can cause problems, particularly when the rate of innovation exceeds the ability of lawmakers to pass regulation designed to protect individuals from the privacy threats posed by businesses’ use of technology and consumer data.
Take, for example, Washington state’s failure to pass a comprehensive data privacy law in 2019. One reason the Washington Privacy Act was scuttled last April was because critics demanded more stringent restrictions on government use of facial recognition. Privacy advocates worry the technology is intrusive and easy to abuse, while makers of the tech want to ensure they can continue to innovate and grow their businesses.
It’s a balancing act to be sure – one that is repeated every time new privacy legislation is proposed. “As a recovering computer science major, I recognize that advancements in technology have improved lives. However, we can’t ignore the pressing need to improve data security,” says Rep. Ted Lieu (D-Calif.), who serves on the House Judiciary Subcommittee on Courts, Intellectual Property, and the Internet. “We must put legal limits in place to prevent companies from using personal data while leaving consumers in the dark.”
There has no doubt been some progress: As of Jan. 1, 2020, the landmark California Consumer Privacy Act (CCPA) officially took effect, setting the bar for 49 other states looking to follow suit. Still, efforts to create a federal consumer privacy law covering all 50 states remain a work in progress.
SC Media asked a series of security and privacy experts to opine on what they believe are some of the biggest points of contention preventing passage of federal privacy legislation – not to mention additional U.S. legislation that would create standards for data breach notification, secure Internet of Things devices and protect election technology from hackers. Here’s what they had to say:
Consumer privacy legislation
The arduous process it took for CCPA to get passed in 2018 offers a window into some of the same challenges currently encountered by federal versions of this law, such as the Consumer Online Privacy Rights Act, sponsored by Sen. Maria Cantwell (D-Wash.) and the recently proposed United States Consumer Data Privacy Act of 2019, sponsored by Sen. Roger Wicker (R-Miss.).
Art Ehuan, vice president of cybersecurity firm Crypsis Group, says that as these potential laws are debated within the chambers of Congress, “Objections can be anticipated based on greatly increased cost, lowered productivity, more paperwork (in the form of consents, etc.) for consumers and business, and federal intervention in state processes.”
Looking at these types of legislation at a macro level, experts indicate that the biggest sticking points can largely boil down to two key areas: federal preemption and private right of action.
The issue of preemption centers on whether a universal federal law effectively supplants all individual state legislation or whether states retain the power to enforce their own standards, especially where those are more stringent than a compromise law passed by Congress.
The former point of view is a more business-friendly, uniform approach that allows companies to follow one set of rules, while the latter is more appealing to privacy rights advocates and civil liberties organizations such as the Electronic Frontier Foundation (EFF).
“We have long sounded the alarm against federal legislation that would wipe the slate clean of stronger state privacy laws in exchange for one, weaker federal one. Avoiding such preemption of state laws is our top priority when reviewing federal privacy bills,” wrote Gennie Gebhart, associate director of research at the EFF, in an article posted on the organization’s website last year. “State legislatures have long been known as ‘laboratories of democracy’ and they are serving that role now for data privacy protections. In addition to passing strong laws, state legislation also allows for a more dynamic dialogue as technology and social norms continue to change.”
But Daniel Castro, vice president of the Information Technology and Innovation Foundation, a think tank supporting the advancement of technology, says that privacy advocates fighting for states’ rights are “pushing for heavy-handed rules rather than seeking compromise.” Castro calls preemption the “best option, and the only practical one for most businesses.”
Kiersten Todt, president and managing partner of risk management firm Liberty Group Ventures, and managing director of The Cyber Readiness Institute, believes that before federal legislators settle on a U.S.-wide privacy policy, more work should first be done on a state level, as privacy expectations and definitions can vary from region to region.
(In fact, Todt thinks when U.S. citizens demand digital privacy, they’re by and large really asking for “control of their data,” so they have the power to withhold or share their personal information to whichever parties they choose, at their own discretion. But that’s not necessarily the definition of privacy that hard-core advocacy groups are pushing, which only further complicates legislative efforts, she says.)
“Where we’re challenged at a federal level is all the different ways that we, as citizens, look at privacy. And so I do think this is something that needs to be addressed at the state level,” says Todt, who was once a cybersecurity adviser to former President Barack Obama. “We’ve got to have each state look at privacy in their own way and then be able to learn from one another and learn from the different approaches to be able to potentially look at a federal legislation.”
“Perhaps the solution is the creation of a strong security advisory panel with state representation and industry expert participation,” suggests Ehuan, “where guidelines can be drafted and opened for public review and commentary – allowing states to maintain freedom to create legislation, but leading to greater uniformity across regions.”
Ultimately, federal legislators must reach a consensus on not only which privacy standards to codify, but also how to punish non-compliant offenders. Should U.S. agencies and regulatory bodies be wholly responsible for instituting financial penalties? Or should consumers have a private right of action so they can sue for damages, even if there is no showing of harm?
“Without a private right of action, the Federal Trade Commission and, possibly, state attorneys general would bear the sole responsibility for enforcement. This would require that they significantly increase their personnel. And even with such an increase, enforcement likely would be minimal,” says Francoise Gilbert, CEO and founder of DataMinding. Case in point: the California AG’s Office has indicated that it expects to prosecute only a handful of cases per year under CCPA.
“A private right of action would increase consumers’ ability to [punish] violators,” Gilbert continues. However, “usually these cases generally end up in the form of class actions, where ultimately consumers obtain little compensation for the injury they suffered while a significant portion of the damages paid by the defendants are allocated to the payment of legal cost.”
Joseph Jerome, policy counsel on the Center for Democracy and Technology’s Privacy & Data Project, wrote in an October 2019 op-ed published by the International Association of Privacy Professionals (IAPP) that a private right of action would “shift regulatory costs away from under-resourced agencies and mitigate the potential for agencies to be captured by the industries they regulate.” But at the same time, he cautioned lawmakers not to “ignore legitimate evidence that private litigation leads to over-enforcement or ruinous liability.”
Indeed, those opposing a right of action argue that it could lead to a cascade of lawsuits. “The trial attorneys and privacy advocacy groups really want this,” says Castro. “It would be a gold mine for them, but companies are rightfully worried about the costs.”
“Regulators exercise prosecutorial discretion, enforcing against the most egregious violators. [But] plaintiffs’ lawyers would hammer every company, regardless of good faith efforts to comply,” says Lisa Sotto, partner at law firm Hunton Andrews Kurth, and chair of its global privacy and cybersecurity practice. “One solution might be to give the FTC more enforcement authority and a bigger hammer. That way, there would be less need for plaintiffs’ actions as a way to encourage compliance.”
In his op-ed, Jerome said another solution may be for Congress to consider instituting a right of action in a more nuanced fashion, establishing certain conditions for when private lawsuits are appropriate, and setting the scope of such litigation. Perhaps it could simply “augment the Federal Trade Commission and protect individuals where lawmakers have specific concerns…” he suggested.
Time will tell what legislators will decide, but at least some experts see a light at the end of the tunnel. Omer Tene, chief knowledge officer at the IAPP, says the U.S. “has never come closer” to passing a federal consumer privacy law, adding that there actually “isn’t much daylight” between the various versions Congress is considering.
“In our opinion, there is definitely a zone for agreement between both sides,” says Tene. “On preemption, the law will likely seek to harmonize the national landscape and prevent a quilt-work of conflicting legislation, but at the same time preserve space for states to innovate on specific issues such as AI, IoT or facial recognition. On a private right of action, the law will likely place great powers with institutional enforcers such as the FTC and state AGs, but also allow individuals to pursue claims in areas such as employment, housing or credit discrimination.”
Of course, it’s not just data privacy legislation that has stalled on Capitol Hill. So has federal legislation covering data breaches, IoT security and election tech security. Below are a few opinions on what’s holding these bills up as well.
Data breach legislation
Examples of Proposed Bills: “Data Breach Prevention and Compensation Act of 2019” and “Data Accountability and Trust Act.”
Art Ehuan, vice president, Crypsis Group: “Over the years, numerous federal laws have been proposed in Congress and ultimately shot down because they did not provide a sufficient level of protection and flexibility for users. The proposed laws have established standards that would lower the threshold for notification and security requirements, rather than strengthen them, and have not provided provisions for states to enact further legislation on top of the federal laws to strengthen data security within their state. Legislators have also pushed back on proposed legislation that would impact small-to-medium size businesses that would need to invest a significant amount of money to revamp their security policies to account for these changes in legislation.”
Lisa Sotto, partner and chair of global privacy and cybersecurity law practice, Hunton Andrews Kurth: “There are 54 breach notification laws in the U.S… Although it would make all the sense in the world to pass federal legislation that would pre-empt these 54 laws, there is little clamoring by businesses or privacy advocates to do so.” Sotto also says federal lawmakers are struggling over the issues of preemption and right of action.
IoT security legislation
Examples of Proposed Bills: “Internet of Things Cybersecurity Improvement Act of 2019” and “Cyber Shield Act of 2019.”
John Moor, managing director of the IoT Security Foundation: “Regulation needs to arrive as soon as possible – yesterday if possible! Unfortunately, this is not a simple exercise and it is far easier to get regulation wrong than right for many reasons. A key concern with industry is the cost of compliance. ‘Fit-for-purpose’ (optimal) security is highly context-dependent and, as IoT covers virtually all areas of the economy, this means that a universal set of requirements is an unrealistic expectation. For some applications, universal requirements could be too onerous, for others they could be found lacking. Consider what would be appropriate for a consumer device against what would be sensible for a medical device or even a connected car – the context and implications vary widely.”
“We need to make sure the expectation is reasonable – perfect security is asymptotic; hence, we need to make our best-tested attempt as soon as possible and accept regulation will evolve, successively, over time. To do this effectively, we need to ensure all stakeholders are given the chance to contribute through a well-managed process… It is also vital that attempts at regulation are harmonized internationally as matters of IoT cybersecurity do not stop at borders and having conflicting requirements between regions may create as many problems than they solve.”
Sounil Yu, board of advisors member at Strategic Cyber Ventures: “One point of contention on IoT security legislation is on the requirement to provide a Software Bill of Materials (SBoM)… Unfortunately, even if an IoT device is secure today, it doesn’t necessarily mean that it’ll be secure tomorrow as new vulnerabilities are discovered. These vulnerabilities are not necessarily introduced by the manufacturer, but rather as a part of [its] use of various software components in the software supply chain. Resistance has come from some manufacturers that are either unable or unwilling to provide an SBoM. But a manufacturer’s inability suggests poor hygiene and outdated practices since modern software development tools make it trivially easy to produce an SBoM. Unwillingness could also suggest that there are undisclosed potential harms (e.g., licensing violations, vulnerabilities) that they are essentially passing onto unwitting buyers.”
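Yu’s point that a device “secure today” can be vulnerable tomorrow because of the components it ships with is easy to see with a small script. The following is an added example, not code from the article or from any of the organizations quoted: it reads a minimal CycloneDX-style SBoM (constructed here, with a made-up firmware and a handful of common embedded libraries) and checks each listed component against a hand-written advisory list (also constructed; the ADV- identifiers, the version ranges and the “introduced”/“fixed” fields are assumptions for illustration, not real CVEs). Run once against the advisories known at ship time and once against a later feed, the same SBoM goes from clean to two affected components, which is exactly what a buyer without an SBoM cannot discover.

```python
"""Added example: cross-check an IoT firmware SBoM against an advisory feed.

Everything below is constructed for illustration. The SBoM and the advisory
entries are not real data, and the ADV-* identifiers are not real CVEs.
"""
import json
import re

# Constructed, minimal CycloneDX-style SBoM for a hypothetical device.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "smart-plug-firmware", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "busybox", "version": "1.31.1"},
    {"type": "library", "name": "openssl", "version": "1.1.1g"},
    {"type": "library", "name": "mbedtls", "version": "2.16.6"},
    {"type": "library", "name": "lwip",    "version": "2.1.2"}
  ]
}
"""

# Constructed advisories. Each entry names a component and the half-open
# version range [introduced, fixed) that is affected (an assumed format).
ADVISORIES_AT_SHIP_TIME = [
    {"id": "ADV-0001", "name": "busybox", "introduced": "1.0.0", "fixed": "1.31.0"},
]

# The same feed some months later: two new advisories for components the
# manufacturer did not write, but did ship.
ADVISORIES_LATER = ADVISORIES_AT_SHIP_TIME + [
    {"id": "ADV-0002", "name": "openssl", "introduced": "1.1.1", "fixed": "1.1.1h"},
    {"id": "ADV-0003", "name": "lwip",    "introduced": "2.0.0", "fixed": "2.1.3"},
]


def version_key(version):
    """Turn '1.1.1g' into a tuple that sorts the way these version strings do:
    numeric parts compare as integers, a letter suffix sorts after the number
    it follows (so 1.1.1 < 1.1.1g < 1.1.1h). Good enough for this toy feed;
    real tooling uses per-ecosystem comparators."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(version, advisory):
    """True if version lies in [introduced, fixed)."""
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def load_components(sbom_text):
    """Return (name, version) pairs from the SBoM's component list."""
    bom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match_advisories(sbom_text, advisories):
    """Return (component, version, advisory id) for every affected component,
    in SBoM order."""
    hits = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for label, feed in (("at ship time", ADVISORIES_AT_SHIP_TIME),
                        ("later", ADVISORIES_LATER)):
        hits = match_advisories(SBOM_JSON, feed)
        print(f"{label}: {len(hits)} affected component(s)")
        for name, version, adv_id in hits:
            print(f"  {name} {version} -> {adv_id}")
```

At ship time the script reports nothing (busybox 1.31.1 is past the fixed version in ADV-0001); against the later feed it flags openssl 1.1.1g and lwip 2.1.2. The manufacturer changed nothing in between; only the advisory feed did, and without the component list there is nothing for a buyer to match against.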
Kelsey Guyselman, senior director of government affairs at the Information Technology Industry Council (a trade association representing the information and communications technology industry): IoT devices “need to be secure and resilient. That said, focusing exclusively on devices will not solve all IoT security challenges, as IoT cybersecurity also requires addressing broader ecosystem security issues. There is also need to develop a consensus around baseline security capabilities for all IoT devices. We recommend identifying a common set of best practices and secure capabilities that are broadly applicable and driven by market demand. NIST’s NISTIR 8228, ‘Considerations for Managing Internet of Things Cybersecurity and Privacy Risks,’ provides a framework for organizations seeking to address and mitigate vulnerabilities associated with IoT devices. Any legislation should be appropriately tailored in scope and give NIST the flexibility to work with industry for adoption of baseline security standards.”
Election security legislation
Examples of Proposed Bills: “Securing America’s Federal Elections (SAFE) Act,” “Election Security Act of 2019,” and “Election Security Assistance Act.”
Art Ehuan, Crypsis Group: “Today, each state runs elections quite differently—thus, employing election security consistently is quite a formidable challenge. At the federal level, multiple election security bills have been introduced and defeated; recently, $425M of federal money was approved to help secure state elections, but many argue this is not enough to secure elections, and standards are needed at the federal level. The fight between states’ rights and the need for security is unlikely to be resolved soon.”
Daniel Castro, vice president of the Information Technology and Innovation Foundation: “The decentralized nature of how elections are run is also a serious problem, and the Election Assistance Commission should ideally play a much larger role as it can house election expertise, but states do not want to cede this authority to the federal government.”
Kiersten Todt, president and managing partner, Liberty Group Ventures: “…We’ve got to look at the state level, provide resources to the states – [because] they know their environments and their threats well – in partnership with the federal government to identify the best approach for it, and then to be able to build out a national structure of state-level, jurisdiction-level security efforts.
“We at the federal level need to be doing a better job sharing threat environment information, sharing threat information with the states and helping them be better at cybersecurity. Because cybersecurity has become a line item within the last decade… They’re still integrating it into how they’re allocating money, and I think that’s very true for elections. This is where the federal government can provide legislative resources [and] authority: to work with the states, to provide that threat information, to provide best practices and resources and to offer guidance on approaches for securing election systems.”