Will the United States Enact a National Data Privacy Law?

In the aftermath of massive data breaches that have exposed the personally identifiable and financial information of millions of people around the globe, it became clear that there has been a need for legally mandated data protection. Europe leapt to the forefront, implementing its General Data Protection Regulation (GDPR), a comprehensive law that empowered European citizens with substantial control over how organizations use, process, and store their information. In addition, the GDPR created a regulatory framework mandating how companies go about ensuring data privacy protection and set costly fines for those that fall out of compliance. The message of the GDPR was clear: it put consumers ahead of the companies they patronize, forcing the latter to adhere to the GDPR or else not do business in Europe. Other governments have followed suit, with Bahrain, Brazil, China, Japan, Kenya, Nigeria, and South Africa, among others, enacting GDPR-like laws.

The impact of the GDPR has been substantial. According to one recent study, nearly eight out of ten U.S. companies took steps to comply with the GDPR, a telling sign that organizations were not only willing to follow the strict regulations but eager to demonstrate their ability to do so. This is noteworthy because it required these companies to invest millions of dollars (an estimated USD $9 billion has been spent on compliance) to ensure that they avoided the steep fines levied on those committing infractions. Since January 2021, EU data protection authorities have imposed nearly USD $1.2 billion in fines over data breaches. Amazon and Meta are two companies that have received some of the larger penalties. Though the GDPR is only four years old, it appears to be a success, not only in enforcing the principles of data protection but also in emerging as the basis and catalyst for governments to emulate as they modernize their own data privacy legislation.

The United States does not have national data protection legislation in place but relies on a mix of state and local jurisdictional laws and sector-specific federal laws (e.g., the Health Insurance Portability and Accountability Act) that address data protection. Currently, all 50 states have some form of data breach notification/protection law, but they are not uniform and differ in scope, enforcement, and applicability. Of these, only California, Colorado, and Virginia have robust and comprehensive data protection and consumer privacy laws. This is a disconcerting state of affairs given that a study conducted by the Pew Research Center found that half of Americans believe their information is less secure. The lack of confidence comes as no surprise considering the number of massive data breaches that have exposed the most sensitive personal information, including health records and credit scores.

Since 2019, several bills have been introduced in Congress, a positive acknowledgement of the need for such legislation in today’s Internet-driven world. Though they differ in many respects, including the right of individuals to take action against businesses, the bills overlap when it comes to creating rights that protect consumers’ digital privacy. However, none of them have gained traction, which is troubling considering there appears to be bipartisan support for limiting what personal information companies can harvest from their users, requiring companies to issue clear policies on what information they collect and how they intend to use it, and giving consumers control over how their data gets shared. While progress has been made, continued failure due to a lack of urgency has kept this debate on the backburner and consequently keeps the unsatisfactory status quo in place. Two key points of contention remain: should a federal law preempt existing state rules, and should individuals be allowed to sue companies over privacy violations? And while there is legitimate debate to be had, it might be easier to find common practical ground on these issues than expected. After all, none of the current U.S. state laws include a private right of action for privacy, which begs the question of why it would be a sticking point for a national law. Seen from this perspective, compromise might not be that much of a challenge. Unfortunately, the longer consensus proves elusive, the more vulnerable U.S. citizens will be to having their information exposed in data breaches, perpetuating an environment where class action lawsuits are the only recourse left to frustrated consumers.

Should the United States enact a comprehensive data protection law, the Federal Trade Commission (FTC) is likely to be the tip of the pyramid. The FTC has repeatedly entreated Congress to implement a flexible privacy law and is perhaps best positioned to oversee this effort, as the agency is already responsible for enforcing existing privacy laws. For example, the FTC was instrumental in determining whether Facebook (now Meta) violated the terms of a consent decree when 50 million users’ data was transferred to Cambridge Analytica, a data and media consultancy firm. While the United States does not have to adopt the same provisions as the GDPR, the landmark European legislation provides principles that can certainly be emulated and adapted to fit the U.S. model.

Mandatory security requirements, information handling restrictions, and security accountability are standards all organizations should be able and willing to implement, and they can be supervised by an oversight body like the FTC. It might not be a complete fix, but it would be a necessary start, and one that is desperately needed given the complexity and dynamic evolution of the digital space. The fact that China has implemented a national data privacy law before the United States has raised eyebrows, given China’s reputation as a perpetrator of theft and exploitation of the very data it is now protecting.

What’s clear is that the United States can’t stay on the sidelines, waiting to create a perfect fit. The government needs to assume a leadership position that others follow, not the other way around. It accomplishes this by demonstrating its commitment to protecting the privacy of its citizens while simultaneously positioning its commercial enterprises to operate responsibly with respect to safeguarding customer information domestically and internationally. The United States cannot rely on “defend forward” operations by U.S. Cyber Command to dissuade malicious actors from stealing information. There are too many gangs, criminals, and state actors to take on for this to be a viable solution. Failure to act has allowed data breaches to become an “accepted” norm, where victims are offered token identity theft monitoring to assuage their concerns. Not only is this unacceptable, that mindset must change. And that change begins when the United States puts the interests of its citizens ahead of everything else.

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.