What’s the likelihood of a federal data privacy bill passing in the COVID-19 age? The answer is unclear, but it’s not for a lack of trying. Congress has recently introduced multiple federal data privacy bills—some from the GOP, some from Democrats, and some bipartisan—each with varying elements and components that would affect businesses in different ways. Whatever the outcome, it’s clear that we do need a federal data privacy law. Otherwise, we risk taking the same route as data breach notification legislation as states pass up to 50 different data privacy bills that will not be feasible for companies to manage.
During our first virtual CISO roundtable on June 4, our distinguished panel provided an overview of three bills.
The following post summarizes some of the key points made during our discussion with Jordan Crenshaw (Executive Director and Policy Counsel, U.S. Chamber of Commerce’s Technology Engagement Center), Michelle Roback Kraynak (AVP, Counsel at Voya Financial), Robert Ball (Chief Privacy Officer at Ionic Security), and moderator Jodi Daniels (Founder and CEO of Red Clover Advisors).
This bill will “protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis.” It requires affirmative consent for the collection, processing, and sharing of COVID-19 health emergency data and contains purpose limitations, reporting requirements, and a requirement for reasonable security policies and practices.
One concern from companies is the bill’s concept of workplaces. As currently written, this bill contains a workplace screening exception. The COVID bill excludes “employee screening data,” and the exclusion depends on the type of employee (“an employee, owner, director, officer, staff member, trainee, vendor, visitor, intern, volunteer, or contractor of the covered entity”) and their activity (“whether the individual is permitted to enter a physical site of operation of the covered entity”). Some concern exists with that language. For example, let’s say you’re an employee going out to fix internet cable somewhere, or you are a real estate agent who only meets clients at a home. Neither employee would be entering the physical headquarters of a company. Would that data be included in the exemption?
Also, the bill preempts state laws related to COVID-19 data (although full preemption is not clear from the bill’s language) and there is no private right of action (a contentious point that often becomes an obstacle when passing data privacy bills).
This bill will “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” It’s a comprehensive privacy law with some direction about data security, likely influenced by the California Consumer Privacy Act (CCPA) and the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation. The first striking element about this bill is that it presents a sort of Miranda rights for privacy, with the goal of simplifying and clarifying what constitutes a violation. Those rights include the:
This idea sounds great until we think about the complexity of data, what constitutes data, and the numerous industries that deal with data. A federal data privacy bill can actually backfire if it is made too simple and does not effectively account for the complexity of data.
In addition to Miranda Rights, the bill also:
If compared to GDPR or the CCPA, CDPSA is a more comprehensive data privacy bill focusing on aspects such as consent, a right to erasure, and a right to correction. While a privacy bill, CDPSA also contains data security elements requiring appropriate technical, administrative, and other safeguards. Highlights of the bill include:
Overall, this bill moves us toward a comprehensive privacy, consent, and use minimization regime that, along with components such as data breach notification legislation, is part of a comprehensive policy that we need to put into effect.
The panelists were asked this concluding question: “When looking at these bills and considering the probability of their passage, what might a company consider for its security and data breach processes that it’s not already doing?” They offered some observations about how data security is addressed in these bills and then provided some useful takeaways for CISOs and companies.
The CDPSA “requires each covered entity and service provider to develop, document, implement, and maintain a comprehensive data security program that contains reasonable administrative, technical, and physical safeguards designed to protect personal data from unauthorized access and related harmful disclosures.” A critical element of privacy is controlling access to data. The negative implication is, “If I shouldn’t have access to certain of your data, or if I shouldn’t be able to use certain of your data without consent, then I need something in place to protect that from happening.”
In COPRA, a consumer has a right to data security. But where CCPA includes a vague reference related to “reasonableness,” in COPRA “a covered entity shall establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data. Such data security practices shall be appropriate to the volume and nature of the covered data at issue.” Then, specific requirements include areas such as penetration testing, vulnerabilities, and the retention and disposal of data. This bill is very specific, more specific than the general reasonable security measures in place with CCPA.
So, regardless of whether any one of these bills passes any time soon, enough legislation with broad definitions already exists at the state level. Any company needs to comply now. Enough laws exist that could potentially apply to companies, especially in regulated industries (such as financial services or healthcare). As with GDPR, companies should not sit and wait. From a business perspective, it’s good business to make privacy part of your business processes and overall governance, risk management, and compliance program if you’re handling any measure of customers’ personal data (or handling it as a third party). To wait on any of these bills is perilous, especially when considering existing laws.
Also, sitting back and waiting like companies did with GDPR or the CCPA creates a bigger reputational risk. Often, companies are focused on financial consequences, which can certainly add up to a sizable amount of money. But privacy and security also relate to trust. Companies have worked hard to build relationships with customers, create products and services, and build a strong brand. If companies don’t maintain trust through privacy and security, then the risk to their reputation is significant.
Panelists urged companies to act now and take practical steps. Minimize your usage of data when practicable, and try to both aggregate and deidentify data. While we’ve seen a reprieve from states trying to pass privacy laws this year, we’re going to start to see them come back next year. Data minimization is especially important because it’s so inexpensive these days to store data: many parts of organizations want to collect as much data as possible and store it forever. While implementing data privacy best practices is challenging, it’s important to collect only what is necessary for business purposes and, at a minimum, deidentify data as much as possible.
The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, underwriter, or contributing expert? Check out our events calendar for upcoming roundtables, learn more about the NTSC, and contact us about ways you can contribute.