Congressional FAIL on Data Privacy Laws
by Sean Steele, CEO, infoLock Technologies
The 111th Congress is finally addressing data privacy and security with a trio of bills--House bill H.R. 2221 (Data Accountability and Trust Act), and Senate bills S. 139 (Data Breach Notification Act) and S. 1490 (Personal Data Privacy and Security Act)--intended to standardize protection of consumers' Personally Identifiable Information (PII). The House bill was passed, while the Senate bills are pending votes.
Today, forty-eight states have data privacy laws, presenting a maze of conflicting regulations and fragmented protection for consumers. In theory, a federal data privacy law would create one overarching standard that would protect consumers, provide uniform data breach notifications, and simplify compliance for affected organizations. In practice, the proposed federal laws do not go far enough and may even weaken consumer protections. For example, H.R. 2221 would appoint the Federal Trade Commission (FTC) as chief regulator, excluding government agencies, colleges and universities, banks, and others from its compliance and enforcement measures.
Stringent state laws on the books in Massachusetts, California, and Nevada require data storage safeguards, PII encryption, and PCI-DSS compliance. Unfortunately, the proposed federal bills define PII differently, and do not agree on how, or to whom, regulations should apply. For example, how will preventative data protection measures – such as encryption, access controls, and data leakage prevention – be defined, evaluated, and enforced? It is easy to envision a situation where an organization is in compliance with these weaker federal regulations and yet out of compliance with existing state regulations, leaving data exposed. If a federal law is to preempt state laws, it needs to be at least as strong as those laws, so that organizations do not go unpunished for yet another breach.
We need consistent regulatory standards for data privacy, as is evidenced by the millions of customer records exposed last year, and the dizzying array of state laws. Comprehensive federal legislation may be the answer if it creates a meaningful standard that safeguards consumers and strengthens data privacy protections. These proposed bills do not pass muster; Congress should head back to the drawing board.