Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/23/2019
10:30 AM
Seth P.  Berman
Seth P. Berman
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Will the US Adopt a National Privacy Law?

Probably not before the 2020 election. But keep an eye on this Congress as legislators debate how to define personal data and what limits to place on how companies use it.

As we approach the one-year anniversary of Europe's General Data Protection Regulation (GDPR), Congress is again considering whether the United States should join Europe (and most major economies) by adopting some form of national data privacy and security regulation. In February, the House and Senate each held hearings on data privacy, and for the first time in years there appears to be at least some interest among the different stakeholders for national legislation.

Why Are We Talking About National Privacy Regulation Now?
Until recently, one major factor preventing a serious discussion about a national privacy law was the almost uniform opposition of Silicon Valley and the large tech companies. These companies were concerned that data privacy regulation would inhibit their ability to monetize the data they collect and prevent further innovation in the information sector.

Recently, however, the industry has started to rethink that view. As abuses of data by major tech companies have come to light, Silicon Valley leaders have come to fear that data privacy legislation may be inevitable and have moved from a posture of opposing all legislation to seeking to shape the new regime. At the same time, the nation's first state-level generally applicable data privacy law, the California Consumer Privacy Act (CCPA), is scheduled to take effect in 2020. Several other states have proposed similar data privacy laws, causing businesses to grapple with the fact that they may shortly need to comply with a patchwork of complicated and conflicting state-level regulations.

Consumer groups, meanwhile, have long wanted more stringent data privacy rules in the United States. Ironically, they recently have become less interested in a national standard because they worry that the large tech companies will shape national legislation to reduce the levels of protections now being granted or contemplated at the state level. Thus, one of the core issues that Congress will need to consider is whether any new national privacy legislation preempts state law — essentially wiping out any state-level protections (as the business lobbies desire), or if instead it sets a floor for the minimum amount of data protection allowed while still allowing states to create their own, more stringent protections (as advocated by consumer groups).

What Might Be in a US Privacy Law?
Though it is highly unlikely that Congress would model any US law after GDPR or even the CCPA, it is likely that the debate about such a law would force Congress to address some of the same issues. For example, GDPR defines a series of "rights" that individuals maintain in data about them, such as the right to know what data companies hold about them, to correct that data, and to erase it in certain circumstances. Though the United States is unlikely to elevate these kinds of protections to the level of a "fundamental human rights" (as GDPR describes them), Congress will need to consider whether to grant individuals any power to determine how or when their data is used by companies. Similarly, the United States has so far avoided mandating general security standards and does not have a national data breach notification statute; instead, each state has its own such statute. A new privacy law might well include such a national standard.

Probably the two biggest challenges facing legislators considering a national privacy law is how to define personal data and what limits ought to be placed on how companies can use such data. The US has generally adopted a fairly narrow definition of personal data — including certain health information as well as Social Security numbers and key financial information, but excluding more general information about a person, such as their political, ethnic, or sexual identity. The tech industry would prefer a narrow definition so that it can continue to monetize the vast amounts of data it collects about activities and consumer preferences — such as reading habits, hobbies, friend groups, political affiliations, and even location data — without further regulation.

Consumer groups seek to broaden the definition of personal data to prevent the kinds of practices that led to the recent Facebook scandals. Similarly, consumer groups aim to set clear limits on when and how companies can use personal data. GDPR, for example, only allows the processing of personal data if the company has one of six enumerated legal bases for doing so. US law is unlikely to be quite so restrictive but will need to find some method of describing what companies are allowed to do (or at least what they are not allowed to do).

How Would a National Privacy Law Be Enforced?
Once the contours of the restrictions are determined, Congress will then need to determine how the new privacy law will be enforced. To date, regulation of data privacy and security issues have either fallen to special agencies enforcing industry-specific privacy regulations (such as Health and Human Services, which enforces HIPAA violations, or the bank regulators, which enforce Gramm-Leach-Bliley violations) or to other federal agencies using their preexisting regulatory authority. Thus, the Federal Trad Commission has brought privacy and security actions pursuant to its authority to promote consumer protection, and the Securities and Exchange Commission has brought enforcement actions against public companies pursuant to its regulatory authority over public companies.

A new federal privacy law would create a much clearer regulatory regime and potentially a new regulator to enforce it. More controversially, consumer groups would like to guarantee that any privacy regulation allows for an individual right of action to ensure that individuals can force companies to abide by privacy regulations even in the absence of government action. It is probably unlikely that a new national privacy law will be passed before the next election, but it is worth keeping an eye on this Congress, as it may begin to shape the future of privacy and security law in the United States.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Seth P. Berman leads Nutter's privacy and data security practice group. Corporations and their boards engage Seth to address the legal, technical, and strategic aspects of data privacy and cybersecurity risk, and to prepare for and respond to data breaches, hacking and other ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...