The Benefits of a Comprehensive Federal Data Protection Law for the United States, Part 2

Consumers and citizens increasingly value data protection, as a growing number of studies show. For instance, 76 percent of consumers say they won’t buy from a company they can’t trust with their data, and 81 percent say the way a company treats their personal data indicates whether it respects them. That’s according to the fourth annual Cisco Consumer Privacy Survey, which queried 2,600 adults in 12 countries.

It’s no surprise, then, that governments are increasingly interested in enacting data protection legislation. In fact, 61 percent of consumers believe laws have a positive impact on protecting privacy, the Cisco survey found.

What a Federal Data Protection Law Should Cover

Six states have comprehensive data protection statutes in place, and another 23 are introducing or have introduced legislation. The result for enterprises is a patchwork of compliance requirements and potential penalties, which a comprehensive U.S. federal law that provides a consistent framework for safeguarding personal data could help address.

What provisions should a comprehensive federal data protection law include? Here are seven key issues that would be beneficial to address in any national-level legislation:

1. Data categories

Federal legislation should make clear what data is subject to the law. In general terms this should include personally identifiable information (PII) such as name, address, and telephone numbers, as well as identifying data such as location, IP addresses, and online cookies. More stringent protections for sensitive PII such as race or ethnicity, financial or health records, and political affiliations would be appropriate to include in the legislation as well.

2. Scope and context

The law should also specify the geographic scope and use-case context of the PII. In particular, the provisions should have an extraterritorial scope, similar to the European Union’s General Data Protection Regulation (GDPR), to allow it to apply to the data wherever it’s stored or transmitted. That way, even if the data travels outside the borders of the US, it’s still protected under the US law.

3. Individual empowerment

A fundamental aspect of data protection and privacy is personal agency and control. Consumers and citizens should have a say over who collects their data, how it’s collected, what kind of data is collected, what it’s used for, and to whom it is transferred. They should also be notified when their personal data is being collected or used. They should likewise have the right to opt out of certain uses – quickly and easily – unless other laws require that certain data be retained for specific reasons or there is an overriding justifiable reason for the organization to keep such data. For instance, the law could allow individuals to prevent organizations from sharing their data for marketing purposes or to demand that their data be deleted, while permitting organizations to retain such data if otherwise required by law.

4. Incorporating a balanced approach

When it comes to data protection laws, some legislation tends to incorporate overly stringent requirements that could seriously inhibit companies’ ability to conduct standard operations. For example, a bill proposed by India’s government was withdrawn in 2022 due to the significant impact its burdensome requirements would have had on India’s economy. A U.S. federal law should take a more balanced approach, enabling organizations to collect, retain, and use data in ways that don’t restrain business to an unreasonable degree, so long as the data is appropriately protected and used in accordance with the rights of the individual.

5. Data protection best practices

The legislation should define how to protect PII and delineate levels of protection for certain types of data and use cases, while maintaining an appropriate level of flexibility to ensure that industries are able to develop relevant standards within their field. The specific methodologies and technologies required to achieve such safeguards can be left to the regulatory body that enforces the law, advisory boards, and other data protection oversight organizations (“Regulators”).

For instance, the law might dictate that one level of protection is required when moving PII to an economic zone with robust privacy and protection rules, while a higher level is needed for data transferred to a higher-risk jurisdiction. That level of protection might call for data encryption, though the law wouldn’t likely spell it out to that level of specificity, leaving the details for the Regulators.

6. Executive and board engagement

Data protection is both a business issue and a societal concern, so it can no longer be relegated to the IT department. Instead, executive decision-makers and boards of directors need to be involved. The GDPR, for example, requires companies processing personal data to appoint a data protection officer (DPO).

A US law should set corporate accountability standards, ensuring that data privacy and protection receives the attention it deserves. It’s noteworthy that the SEC’s proposed rules on cybersecurity risk management will require boards of public companies and investment firms to review and approve cyber policies and procedures.

7. Enforcement

Finally, a single overriding agency should be empowered to enforce the law. A likely candidate would be the Federal Trade Commission. The governing body should be responsible for defining regulatory guidelines and for monitoring compliance. What’s important is that individuals and, where applicable, state regulators have a single entity they can contact about privacy concerns, and that businesses have a single regulator they can interact with to demonstrate compliance and resolve issues.

Making Data Privacy and Protection Proactive

A proposed federal privacy bill, the American Data Privacy and Protection Act (ADPPA), stalled in 2022 over states’ rights concerns but could be reintroduced to the House floor in 2023. In the meantime, following California’s lead, Colorado, Connecticut, Utah, Virginia, and Iowa are beginning to enforce their privacy laws.

Organizations should take action now to safeguard their data, protect employee and customer privacy, and ensure compliance. Start by assessing the data you collect and generate. Determine where it’s located across datacenters, clouds, networks, and endpoints. Document who has access to it, what they do with it, and how it’s shared. Data security consulting services and data visibility solutions can prove invaluable to this effort.

Visibility into your data enables you to understand its level of sensitivity and its risk of exposure. That knowledge leads directly to the policies, procedures, and technologies you need to protect it – including solutions such as data loss prevention, user activity monitoring, and zero trust network access.

The compliance requirements of a comprehensive federal data protection law are likely to represent cybersecurity best practices anyway. Organizations that prepare to comply will be taking actions that also protect their own sensitive data and reduce their business risk. The time to begin is now.

This post was first published on the Forcepoint website by Brice Cagle.