The Poorly Stitched Patchwork of US Data Security Policy

May 9, 2019 at 5:24 pm by Paul Falcone

Every few months it seems like we have a new data breach that exposes hundreds of thousands – if not millions – of individual’s personal and private data. From the Equifax leak in 2017, to Yahoo in 2013, to the Marriott in 2018, customers are losing faith in companies to properly handle their private data. In fact, as of 2017, over 64 percent of Americans have personally experienced a data breach, and with the latest leaks over the last two years, it’s fairly safe to assume that the number has grown even higher.

As the rest of the world continues to move towards a singular, comprehensive, and consumer-focused data security protection plan, the United States continues to fail to pass any meaningful legislation. This lack of forward movement, coupled with the fact the U.S citizens are more concerned for their data than ever, has led to individual states taking the responsibility onto themselves. The problem, however, is this only makes more headaches for both consumers and companies as a whole.

So what laws are in place right now?

Right now, instead of a unified regulation for personally identifiable information (PII), individual industries are given regulations. The healthcare industry and the credit card industry are two examples of this, governed by HIPAA (Health Insurance Portability and Accountability Act) and PCI-DSS (Payment Card Industry Data Security Standard), respectively. While having some sort of regulation can provide clarity for companies and more transparency for citizens, the truth is states can pass their own regulations within these industries, making a state by state case of how a singular company might have to respond. Confusing, right?

To fix this, some states, like California, have decided to try and lay the groundwork for a more uniform consumer-focused, approach. The California Consumer Privacy Act (CCPA) that was passed in 2018 will be going into effect January 1, 2020 and looks a lot like Europe’s General Data Protection Regulation (GDPR) that went into effect in 2018. The Act, which would affect any company who does business with customers who are citizens of California, would provide the following protections to consumers:

    • A consumer must be notified of what personal information is being collected, how it is collected, and whether it will be disclosed or sold.
    • Consumers must have the right to easily opt out of having their personal information sold.
    • Consumers must be informed that they have the right to have their personal information deleted. The process to do so must be easy and straightforward.
    • A consumer exercising these new rights cannot be discriminated against as a customer for opting out of any data sharing or for having their information deleted.

This is a good start for not only consumers in California, but across the U.S. As stated above, this Act would affect any company that does business with consumers in California; meaning that companies that exist in other states, but still sell to California, will be affected.

Other states including Colorado and New York also have their own state laws that they have passed. In Colorado, the Protection for Consumer Data Privacy Act was passed in September 2018, while in New York the Stop Hacks and Improve Electronic Data Security Act was first introduced in 2017. In fact, 35 U.S. states currently have some form of data privacy and disposal regulation in place. And all of these regulations have variations from the California Act, which makes it even more difficult for companies to comply to when doing business across state lines.


So why isn’t this happening at the federal level yet? There seems to be bipartisan support with bills being submitted from both sides of the aisle, but progress has been slow. As these data breaches continue to happen, policy at the federal level will have to jump in sooner or later.  Over the last year, five separate bills have been drafted and submitted to Congress with varying takes on the governments roll on regulation. The bills include the following:

    • The Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act by Richard Blumenthal (D) and Ed Markey (D).
    • The Social Media and Consumer Rights Act of 2018 introduced by Amy Klobuchar (D) and John Kennedy (D).
    • The Consumer Data Protection Act introduced by Ron Wyden (D).
    • The Data Care Act introduced by Brian Schatz (D).
    • The American Data Dissemination Act (ADD) introduced by Marco Rubio (R).

Each of these bills looks at the issues of data security from a different point of view and has various opinions on the role of government, how much access a customer should have, and what the consequences for responsible parties should be in the result of infractions.

The CONSENT Act by Blumenthal and Markey was proposed in April of 2018 and looks to have the Federal Trade Commission (FTC) draft a set of federal rules around suggested guidelines. These suggestions are for the consumer to have to opt-in to have their data collected and used as opposed to having to opt-out, like so many companies do now. The Act also suggests that the consumer would have the right to know, if they opted in, how their data was used and to whom it was going. It would also prohibit companies from refusing service to consumers who refuse to share their data.

The Social Media and Consumer Rights Act of 2018 was introduced in April of 2018, just two days after the CONSENT Act. The Act was drafted by Klobuchar and Kennedy and shared many similar ideas to the CONSENT Act. This Act aimed to make data collection from companies more transparent and give the consumer the ability to both opt out of data collection and the ability to view what data has been collected. A following key point was that in an event of a data breach, all affected parties must be notified within the first 72 hours of detection. The FTC would be the governing body and individual states attorney generals would act as the civil enforcement.

The Consumer Data Protection Act by Wyden was introduced in late fall 2018 and carries a lot of the same ideas as the previous two. The Act suggests that consumer have the right to opt out instead of opting in to data collection, and that companies be more transparent with how the data is used. He also suggests that the FTC be provided with increased funding to be able to properly oversee these new regulations. However, the big difference in senator Wyden’s Act comes from the penalties companies should face.

In the Act, Wyden suggests that any company that has revenue exceeding one billion dollars or warehouse data on over 50 million customers must submit an “annual data protection report” to the government detailing the steps taken by the company that year to protect customer data. The catch is that if there is any misinformation or attempt to willingly mislead the FTC, there can be a five million dollar fine and up to 20 years in prison for executives. The severity of the penalties make it a strong contrast to the two acts the came before it.

Next was Brian Schatz’s The Data Care Act, which was proposed on December 12 in 2018 and builds on all the bills proposed before it. The Act calls for companies to be more secure in handling their consumers data and states that consumers must be notified in the event of a data breach. The FTC would be given the power to penalize companies that are misusing consumer data, as well as hold them responsible for all information given to third parties that originated within that company. The Data Care Act broke down its mission into these bullet points:

    • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information.
    • Duty of Loyalty – May not use individual identifying data in ways that harm users.
    • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data.
    • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene.
    • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

The Data Care Act had the largest following, with 14 other Congress members co-sponsoring the proposal.

Rubio’s American Data Dissemination Act takes a different angle. Proposed in February 2019 with no co-sponsors, his bill suggests that the FTC themselves draft up the rules, like the CONSENT and Data Care Act, and send them to Congress for approval. It is stated that the FTC would seek to create rules for the “tech giants” while exempting smaller companies from the same rules, allowing them a chance to be competitive within their industries. The Act would prioritize consumer welfare over corporate welfare and would preempt state law, meaning that this would supersede the state laws that are being drafted and implemented in individual states. Unlike the previous proposals, Rubio’s was more open to the FTC drafting the ruleset with fewer suggestions beforehand from him directly.

So where are we now?

While none of these proposals have gained a lot of traction, they serve as a spark that spreads into a conversation among consumers, politicians, and companies alike. The fact that these proposals keep coming show that it’s not a matter of if, but a matter of when the U.S. will have a federal data privacy policy.

Around the world, Europe, Japan, and Canada are all making uniform approaches to keep data security laws the same across their countries. This makes the guidelines easy to follow for companies and easy to understand for consumers. In Europe, GDPR has seen a launch with increased consumer rights and companies already being penalized for failing to comply. Canada had the Personal Information Protection and Electronic Documents Act (PIPEDA) go into effect November 1, 2018, further protecting the personal information of their citizens and holding companies responsible for breaches. In Japan, a Personal Information Protection Commission was created to enforce a regulation that would be in compliance with GDPR’s new guidelines.

Soon the U.S will have to follow suit, and it will make everyone’s data safer in the process. But it’s not hard to make something that is safer than the poorly stitched together patchwork of polices that we have in place now. A patchwork where we’re one data breach crisis away from it all ripping apart.

Security Engineered Machinery is the Global Leader in High Security Information End-of-Life Solutions.