Privacy legislation: E pluribus unum

Privacy legislation: E pluribus unum
featured image

This article originally appeared in SC Magazine on May 1, 2019.

In the last several months, a series of tech company executives have sat before Senate and House panels, peppered with questions, smart ones at that, about how their companies protect data. Imagine that, Congress asking prescient questions about a tech-related subject. The hearings held on Capitol Hill marked a turning point of sorts – lawmakers motivated to act on privacy…and au courant to boot. Well, sort of.

Fueled by a spate of state privacy bills, including the hard-nosed California Consumer Privacy Act and some eye-popping, difficult-to-ignore privacy violations, it seems Congress is finally motivated and engaged. And that puts a national law, on par with Europe’s GDPR, within spittin’ distance, as they say down South.

“The tectonic plates are coming together,” says J. Trevor Hughes, president of the International Association of Privacy Professionals (IAPP). “Whether that creates an earthquake or a volcano remains to be seen.”

At the heart of all privacy initiatives is a four-letter word – data. “We all know that data is money, and for this reason, businesses have been on a data gathering binge enabled largely by the internet. All that is about to change,” says Chris Olson, CEO of The Media Trust. “Landmark privacy laws like the California Consumer Privacy Act are tipping the scales in favor of consumers, who are demanding more transparency and control over what of their information is gathered, how it’s used, and to whom it’s sold.”

As well they should. Imagine being a survivor of a disaster then having the Federal Emergency Management Agency (FEMA) share your personal data – including banking information – with a third-party contractor.

FEMA overshared the personal information on survivors of three hurricanes – Maria, Harvey and Irma – and the 2017 California wildfires who used its Transitional Sheltering Assistance program.

The incident, which exposed information on more than two million Americans, underscores the need for a national privacy law, says Ping Identity CCIO Richard Bird.

As does Facebook’s most recent privacy transgression, in which the company discovered that it had stored some user passwords in a readable format within its internal data storage systems, according to a March 21 blog post.

“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” writes Facebook Vice President of  Engineering, Security and Privacy Pedro Canahuati. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

Canahuati explains in the post that the passwords were never visible to anyone outside the company and there is no evidence that they were internally abused or improperly accessed at the moment.

And the threat to privacy from outside the country’s borders continues to grow. Leveraging PII is just one of the corrosive cyberthreats the U.S. faces from nation-states, Gen. Paul Nakasone, commander of the United States Cyber Command and NSA director, said recently at RSA.

In lieu of a federal law, the way that privacy violations – notifications, penalties and the like – are handled vary from state to state. But no matter how closely stitched the patchwork of state laws, they leave gaps. “The piecemeal approach happening state by state will create no safety net for our citizens,” says Bird.

It also leaves organizations hanging without consistent guidance on how to handle privacy breaches – or even what constitutes protected information, which is why the private sector is clamoring for overarching federal legislation.

Just last fall Apple CEO Tim Cook called for a national law. Addressing attendees at the International Conference of Data Protection and Privacy Commissioners, Cook said his company is “in full support of a comprehensive federal privacy law in the United States.”

He dismissed the argument made by some tech companies that they could “never achieve technology’s true potential” if they are “constrained by privacy regulation” as not only “just wrong,” but also destructive.

“We will never achieve technology’s true potential without the full faith and confidence of the people who use it,” he said, noting that legislation should be based on users having the right to access to the data companies collect and to security. “Security is foundational to trust and all other privacy rights.”

Apple, of course, is not alone in its call for a law at the federal level. At a privacy law discussion at RSA in March, Julie Brill, vice president and deputy general counsel, at Microsoft, said, “We want some laws on the books,” calling for strong policy that applies to all major companies.

Noting that a federal bill has gained “more momentum than we have ever had,” Google Public Policy Manager Sarah Holland says the conversation around privacy “is much different from where it was five years ago.”

Holland, whose company is appealing a stiff fine from European regulators for an alleged GDPR violation, says she “didn’t think two years ago, the Chamber of Commerce would release privacy regulations.”

This time it will be different

This isn’t the first time a federal law has been discussed in earnest – over the years, lawmakers have tried to tackle privacy but with limited success. Unlike many legislative efforts on Capitol Hill, those efforts haven’t been so much constrained by partisanship – privacy is by and large a bipartisan pursuit and members of both parties have advocated for legislation.

“Look at the political spectrum – I don’t think we’ve ever seen those on right and left calling for the same thing,” Holland says.

Strong advocates in Congress like Sen. Ron Wyden, D-Ore., and Rep. Will Hurd, R-Texas, have been hammering on privacy and compelling their colleagues to finally take action.

The tech companies, too, are adding their weight and expertise to the initiative. “Part of our job to show up and actively engage and say what we think impact of law will be,” says Holland. “We know how these systems work and we want to provide this information as long as the conversations are transparent.

While the “odds are greater than ever there will be a federal privacy bill, still [there’s] only a 30 percent” chance of passage, says Brill. “We’re seeing more conversation, so why?”

Privacy legislation, even with widespread support, is difficult. Defining what constitutes both personal data and adequate privacy protections can challenge the most tech-savvy experts, so it often seems insurmountable in the hands of a Congress, whose members are sometimes woefully ill-prepared to tackle even the most clearcut of technical issues.

But lawmakers – or their staffs – seem to be doing their homework. The questions during hearings are smarter and more incisive. And privacy legislation has taken on a certain urgency – they’re facing increased pressure to pass a bill before the CCPA goes into effect in January.

“The industry is looking for pre-emption, they want a single law,” says Hughes, “which would require legislation by the end of this year.”

As challenging as crafting privacy legislation might be, U.S. legislators don’t have to conjure a bill completely from scratch but rather might borrow from what already exists legislatively at the state level and overseas – a little GDPR, a little California with a dash of other state efforts thrown in.

The EU has done much of the legwork with GDPR, successfully tackling the definition of personal data, adding teeth to legislation in the form of hefty fines and granting regulators the authority to pursue violations.

The European Union spent a lot of time putting together, debating, reviewing and finalizing GDPR. The rules replaced the EU’s previous data protection laws dating from 1995 when the internet was just emerging. It gives citizens more control over their own private information and it’s intended to give businesses clarity and legal certainty. Fines can be up to four percent of global turnover and the law requires speedy breach notifications (where feasible, within 72 hours).

Congress also is likely to find guidance in the CCPA, which could serve as a blueprint of sorts on the national state.  While the upcoming law isn’t a carbon copy of GDPR, Kalinda Raina, senior director and head of global privacy and LinkedIn, recently told an RSA audience that it is part of a greater trend she referred to as a “GDPRization of laws across the world,” including new privacy legislations recently proposed by countries like Brazil and India and also by individual U.S. states.

The CCPA is built around a set of goals to allow users to understand the data that is being collected about them, how it’s shared and used as well as let them access the data and forbid companies from selling it. Companies that have been breached can be compelled by the courts to pay $100 to $750 for each California resident affected.

State legislators defined personal information, recently expanding it to include medical, healthcare and a variety of other personal identifiers.

Even with GDPR and CCPA to serve as guidelines and deadlines looming, that’s not to say legislation is imminent – Congress still has a long way to go to craft a bill that can pass muster.

“The devil is in the details – you have to watch the deals that are being made” to bring a law to bear, says Hughes.

“At least two bills have been introduced with an eye to avoiding the confusion and chaos that a patchwork of state laws might trigger,” says Olson. “It will likely take more than a year for a data privacy bill to get through the committee hearings process and then signed into law.”

In the mean time, companies shouldn’t sit back and assume compliance with GDPR will meet any new legislation’s privacy bar. “This is not the time to take a wait-and-see approach,” said Ruby Zefo, chief privacy officer at Uber, in an RSA conference keynote session, discussing the California law. “It’s here, it’s not going to change very much in my opinion, unless it’s to get more onerous for businesses, so you really should start prepping now.”

And Raina noted, “if you’re not already started, now is the time.” 

Privacy Legislation

What makes a good privacy law?

U.S. lawmakers are likely to draw from both the GDPR and the California Consumer Privacy Act (CCPA), as well as other strong state legislation to craft a robust privacy law that includes at least the following elements: 

Concept of notice. Organizations’ policies on information gathering and use vary. “A person should know why information is collected and what will be done with it,” says Peter Blenkinsop, co-chair of the Drinker Biddle information security, privacy and governance practice,.

Notification. Requirements for notification in the aftermath of a breach or violation also vary. GDPR says that organizations are required to notify regulators within 72 hours after it’s discovered. A U.S. law should do the same.

Choice. Once consumers provide information to an organization, they often have no idea where it goes from there. “Individuals should be able to choose with whom they share information and how information is shared with third parties,” says Blenkinsop.

Ability to amend. There’s a lot of information out there, some of it inaccurate, outdated and stored much longer than necessary, leaving users vulnerable. “Do individuals have the right to understand what information is collected about them and to what extent information can be amended?” Blenkinsop asks. That’s something a new law should address.

Definition of personal information. “GDPR is a good template” for determining what organizations need to protect, says Baffle CEO Ameesh Divatia, because it “clearly defines what is sensitive data, even down to IP addresses.”

DPO requirement. GDPR calls for data protection officers (DPOs) to oversee and maintain compliance for organizations or groups of organizations that they represent. The DPO sits on the non-asset side to make sure data is collected, stored and processed in accordance with the law, says Divatia.

Enforcement authority. In Europe, the Information Commissioner’s Office is the enforcement authority for GDPR. In the U.S. that task will likely fall to the Federal Trade Commission (FTC), already the primary enforcer of federal law and regulations surrounding consumer privacy. “Right now, they have to rely on the FTC Act,” says Blenkinsop. “Legislation would then most likely give FTC specific authority to regulate privacy and enforce requirements,” says Blenkinsop.

Under a bill reintroduced in March by Rep. Suzan DelBene, D-Wash., the FTC “will have the authority to hold companies accountable,” the lawmaker said in a release.

The bill, says Daniel Castro, vice president of the Information Technology and Innovation Foundation, would “significantly strengthen the FTC’s enforcement capabilities” and “establish uniform national rules.”

Stiff fines. Of course, no enforcement is effective unless it has teeth. This is the section that made organizations around the world stand up and take notice of GDPR. It also marked a departure from assessing fines based on damages incurred. “Regulators said

[fines are]

going to be based on how much revenue they make – that got their attention,” says Divatia.