If federal data privacy legislation is ever going to be passed, it may be in 2019, said Intel’s head of U.S. government affairs, Lisa Malloy.
More and more people have become aware of how much of their personal information is on the internet, and they are more aware of the risks of having that information exposed. Over the past couple of months, legislators, trade organizations and even tech companies have stepped up their efforts to pass data privacy and cybersecurity legislation.
While sector-specific cybersecurity bills have been enacted, earlier proposals for comprehensive data privacy and security legislation failed to get off the ground. As early as 2009, for instance, U.S. Senator Patrick Leahy, D-Vermont, introduced a bill for the Personal Data Privacy and Security Act . The bill never received a floor vote.
Why now? More companies appear to be growing concerned with the idea of having a jumble of federal and state data privacy and cybersecurity laws, especially with the passage of the California Consumer Privacy Act of 2018 in June of this year. However, the California law will not fully take effect until 2020. There are also several different laws governing data privacy by sectors, such as the Health Insurance Portability and Accountability Act and The Fair Credit Reporting Act.
David Hoffman, associate general counsel and global privacy officer at Intel Corp., based in Santa Clara, California, said that with the CCPA comes more of a patchwork of different regulations with which companies would have to work to comply.
“It’s the patchwork issue that people are most worried about,” Hoffman said.
James Shreve, a partner and head of the cybersecurity practice at Thompson Coburn in Chicago, explained that California is the only state that has a comprehensive law on cybersecurity or that goes beyond reporting a data breach. He said California tends to be the trendsetter for that kind of legislation. Right now, states have different laws on when companies are supposed to report data breaches.
“There’s more interest among industry [in having something passed] than we’ve seen in the past several years,” Shreve said.
In Congress, legislators have introduced a number of proposals recently hoping to get away from a patchwork of state and federal laws to create an overarching law governing data privacy and cybersecurity: In July, Rep. Hank Johnson, D-Georgia, announced that he would be re-introducing two bills on cybersecurity and data privacy. One of them, The Application Privacy, Protection and Security Act of 2018 (H.R. 6547), would govern how data is collected and secured on mobile devices. He also introduced the Data Broker Accountability and Transparency Act of 2018 (H.R. 6548), which would require data brokers to establish procedures for accessing and correcting their collected information, and allow U.S. citizens to have their data erased from corporate servers. This bill has a companion in the U.S. Senate introduced by Sen. Edward Markey, D-Massachusetts, S.1815.
In September, the Financial Services Committee in the U.S. House of Representatives passed the Consumer Information Notification Requirement Act H.R. 6743, sponsored by Rep. Blaine Luetkemeyer, R-Missouri. The bill, if enacted by Congress, would allow the Federal Reserve and Comptroller of Currency to establish standards to prevent a data breach, but would leave it up to state insurance regulators to enforce the federal standards on licensed insurance companies, according to an advisory by Crowell & Moring attorneys John Sarchio and Richard Liskov. The bill would allow except in some circumstances federal preemption of state laws, such as the model act for the cybersecurity of insurance data enacted by the National Association for Insurance Commissioners. The NAIC act was patterned after the New York Department of Financial Services’ comprehensive financial services cybersecurity regulations enacted in 2017.
In November, Sen. Ron Wyden, D-Oregon, introduced draft legislation on data protection bill that would amend the Federal Trade Commission Act to allow the commission to enforce data privacy and security standards and allow executives to be jailed for 10-20 years if they were found to be in violation of the standards.
Tech Companies Weigh In
Tech companies also have gotten into the act, releasing their own opinions and model federal legislation for data privacy and security in response, not only to the California Privacy Act but also to the European Union’s earlier General Data Protection Regulation of 2016.
• Intel released its draft proposal in early November with the hopes of fostering discussion on data privacy. Intel is accepting feedback on its draft legislation and will publish a second draft of the bill in 2019.
• Alphabet Inc., the parent company of Google, which declined comment for this story, referred to its opinions on federal privacy legislation to a September blog post authored by the company’s chief privacy officer Keith Enright. In that post, Enright wrote that the organizations that misuse consumer data should be held responsible and that a consumer’s power to control their own personal data should not be difficult.
The prevailing thought among the tech companies and the legislators is that the Federal Trade Commission would be the body that governs whatever kind of comprehensive law is passed. The FTC already oversees different privacy related regulations for sectors of industry.
Improved Prospects for a Federal Law
Thompson Coburn’s Shreve indicated that regardless of whether a comprehensive bill on data privacy and cybersecurity would preempt state laws will be an issue of whether a bill gets support, because companies would want a federal law to preempt state laws.
While many companies have spent years preparing for the European Union’s GDPR, Hoffman said he hopes that whatever bill would govern cybersecurity in the U.S. is different from the European law.
“We don’t need a version of the GDPR,” Hoffman said. “We need a law for the U.S. with our unique culture and ethos of innovation and entrepreneurship.”
While many companies would prefer to see some kind of federal legislation governing cybersecurity and data privacy, there are still reservations.
Shreve, who spent 20 years working in Washington, D.C., as a cybersecurity and data privacy attorney, said he’s seen many attempts fail at federal legislation in the realm of data privacy and cybersecurity. He explained that many times those failures are explained by partisanship but that he believes it is overstated.
“I think, on the privacy side, you can end up with people who have very different views coming together and seeing things very similarly,” Shreve said.
Malloy said the challenge in lobbying for a single federal law governing cybersecurity and data privacy is that it is still difficult to get people to see eye to eye on issues such as preemption. In opposition to preemption, 32 states’ attorneys general signed a letter to the Committee on Financial Services in March of this year. The letter, which was authored by Illinois Attorney General Lisa Madigan, stated that the states are better equipped to handle data breaches and enforce cybersecurity standards than the federal government is.
“There has to be some coming together and compromise,” Malloy said.