In the News

Should the US Have a Federal Data Privacy Law?


Sep 26, 2018

If the entire European Union can come together to enact serious data privacy regulations for its citizens, why can’t the United States Congress do the same? Right now, U.S. data privacy laws are scattershot among individual states, covering different things and, like the state-based data breach notification laws, only add more confusion. Having a national law would provide the same protections to everyone.

On the other hand, GDPR has only been live for a few months, so we don’t know what the long-term implications will be. Or maybe we should wait to see how well the state privacy acts function before we take on a federal mandate.

I asked security and privacy professionals for their opinions: First, do we need a data privacy law at the federal level and second, if we do, what do you think should be in that law?

Almost everyone agreed that yes, a law passed by Congress is necessary.

“After numerous large-scale breaches and the well-publicized misuse of consumer data, we are well past the time for comprehensive data privacy protections for all U.S. citizens,” Michael Magrath, director, Global Regulations & Standards, OneSpan, said, adding that the data privacy law should apply to online and offline data.

Callum Corr, data analytics specialist from ZL Technologies, agreed that we need to do this, but he’s concerned about who would take the lead in writing that bill. “Big tech giants have been pushing politicians and commissioners alike to allow them to come together and write a policy that is going to be favorable to the largest companies in the industry,” he said. In fact, a number of big tech firms plan to introduce a data privacy framework to the Senate.

“If we allow the tech leaders to write the law that is supposed to regulate them, then it defeats the purpose,” Corr added. “The regulation needs to be consistent and therefore, it has to be federal.” State laws are set up to fail because they all have boundaries attached, and the flow of data today has no boundaries. A federal law would address that.

There is Something Started

There is one pending bill, S.2289, which was introduced to the Senate in January, Pravin Kothari, CEO of CipherCloud, pointed out. This bill calls for the creation of an Office of Cybersecurity within the Federal Trade Commission (OCS-FTC, which would create, issue, and distribute regulations that require covered business entities (predominantly credit bureaus) to provide a complete overview of the technical and organizational security measures they have in place.

But, while this is a start, we need to proceed with caution. “The legislative environment is uncoordinated and generally ineffective. Look at HIPAA and PCI, which have been in place for long periods of time, but have not stopped health care organizations or financial institutions from becoming victims – regardless of the requirements and penalties,” said Kothari.

Empower Individuals and Their Right to Data Privacy

So we need the federal law, but what should it cover? The federal law should ideally empower individuals, said Rishi Bhargava, cofounder at Demisto. That includes following rights:

  • The right to know what data is being collected by a data controller/processor
  • The right to deny the collection of that data
  • The right to ask for removal of that data at any time
  • The right to be informed about any major breach that compromises their data

We Need Accountability

Despite the industry-based federal privacy laws enacted now, Ali Golshan, CTO and co-founder at StackRox, explained, we lack overall accountability for times when consumer data is lost or mishandled. However, he added, before we can have accountability, we need to figure out how to make the current compliances work with a broader privacy act. And any privacy law will need to include transparency of data management across organizations of all sizes.

Privacy Needs Protection

You can’t think about data privacy without considering data protection. Any U.S. federal data privacy legislation should include a requirement, not a recommendation, that multifactor authentication must be used to access systems containing personal information, Magrath suggested, and should leverage the NIST’s Digital Identity Guidelines v1.1 and future revisions.

Please visit ITBusinessEdge to read the full article.

Click here to download the PDF version.