Democratic Senators Introduce Data Security LegislationSeparately, Digital Rights Group Pushes for National Privacy Law
Democratic senators have introduced yet another version of data security legislation that would create a federal breach notification requirement. Meanwhile, the nonprofit digital rights group Center for Democracy & Technology has drafted a model for a broad national privacy bill.
Some 15 Democratic senators, led by Sen. Brian Schatz, D-Hawaii, last week introduced the Data Care Act, which would require those offering websites and apps, and other online providers, to take steps to safeguard personal information and stop the misuse of users' data, according to a statement issued by Schatz's office.
The bill would require prompt notification of individuals affected by data breaches; prohibit the use of individual identifying data in ways that harm users; and ensure that the data protection duties extend to third parties when disclosing, selling or sharing individual identifying data. It would grant the Federal Trade Commission rule-making authority to implement the legislation.
Several past attempts to enact similar legislation have failed.
Meanwhile, the Center for Democracy & Technology, has unveiled its model for a comprehensive national privacy bill.
The CDT draft proposes to set limits on the use, collection and sharing of personal information and also aims to provide individual rights to access, correct, delete and port data.
"We are seeing an extraordinary number of stakeholders entering the broader privacy debate at the national level."
—Kirk Nahra, Wiley Rein
The European Union's General Data Protection Regulation, for which enforcement began in May, provides enhanced privacy protections that other nations are now considering emulating.
"We are seeing an extraordinary number of stakeholders entering the broader privacy debate at the national level," notes attorney Kirk Nahra of the law firm Wiley Rein. "Many of them have come from the industry, but this is one of the more significant proposals that comes generally from the consumer side."
A CDT spokesman tells Information Security Media Group: "We're not expecting any member to introduce our draft in its entirety, but we think the language we've drafted can provide useful guidance to members who are working on their own drafts."
CDT is also supportive of the new bill introduced by the 15 senators. "We commend Sen. Schatz for tackling the difficult task of drafting privacy legislation that focuses on routine data processing practices instead of consumer data self-management. It signals an important shift in how Congress views consumer privacy issues and foreshadows a serious privacy debate in 2019," CDT's Richardson said in a statement about the Data Care Act.
CDT says it's taken its "best shot" at addressing numerous difficult privacy challenges.
"For legislation to be more than a Band-Aid, we have to rethink the relationship between businesses and the people whose data they hold," said Michelle Richardson, director of CDT's privacy and data project, in a statement.
"We need to establish sensible limits on data collection, use and sharing so that people can entrust their data to companies without accepting unreasonable risk."
In addition to tackling an array of privacy issues pertaining to consumers' personal information, the CDT proposal defines "health information" protected under the legislation as information related to health conditions or the provision of healthcare, information processed in the course of providing health or wellness services, and information derived from testing or examination of the body.
Components of CDT Draft
The CDT draft bill also calls for:
- Requiring companies to certify their privacy oversight policies and disclose any material data security or privacy incidents, including notifying individuals affected;
- Establishing affirmative rights for individuals with respect to personal information, including the right to access data and make corrections, and the right to data portability, such as permitting individuals to transmit or download their personal information from a business;
- Granting the FTC authority to enact regulations that are tailored to business practices, the type of personal information and the current state of the art in safeguards;
- Addressing the current lack of data broker transparency by directing the FTC to create a centralized opt-out registry for all brokers;
- Providing for joint enforcement of the new requirements by the FTC and state attorneys general, with the FTC having the ability to pre-empt action by states and creating new civil penalties for violations.
The draft legislation also would transfer privacy and security enforcement responsibilities from the Federal Communications Commission to the FTC for businesses regulated under the Communications Act, as well as bring not-for-profit organizations under the purview of the FTC.
In addition to CDT's draft, some healthcare groups have been calling for regulatory changes, including refining HIPAA.
For instance, the American Medical Informatics Association and the American Health Information Management Association have called for extending the HIPAA provision on an individual's right to access their health data to include organizations that are not currently considered HIPAA covered entities or business associates - such as companies that offer mobile health apps and health-related social media (see: Does HIPAA Need to be Modernized?).
'Stakes in the Ground'
The CDT proposal "will get a lot of attention, because it is coming from a respected consumer-focused organization," Nahra says. "But at the same time, it is simply one of the stakes in the ground on these issues."
Although the U.S. is still a long way away from having national privacy legislation, Nahra says, "this train is moving quickly and each passing day lifts the odds of a national law in the next two to five years."
Privacy attorney Iliana Peters of the law firm Polsinelli agrees with the CDT's proposal for a federal standard that preempts state laws in certain circumstances and its call for providing a federal baseline of protection of personal information.
"The proposed provisions ... are well-written and contemplate many factors about which potentially regulated entities may be concerned, particularly with regard to individual rights and deceptive trade practices," she says. "That said, I remain uncertain regarding the appetite of Congress to impose additional burdens on potentially regulated entities at the federal level, while expanding the jurisdiction of the FTC."
Nonetheless, Peters says the CDT proposal "is an excellent draft to begin the discussion of these issues."
So, what's the potential impact on CISOs and chief privacy officers if privacy legislation eventually become law?
"Job security. There will be more of them, in more industries, and they will have more obligations," Nahra says.