After years of false starts, the US is edging closer to a federal data privacy law. In a surprise move, two lawmakers last month introduced a bipartisan, bicameral piece of legislation described as “the best opportunity we've had in decades” to finally enshrine a national privacy and security standard into law.
With detailed provisions mandating strict control of sensitive information, it will force organizations to revisit and enhance their data security policies and controls.
Filling the void
Up until now, state legislatures have been forced to take matters into their own hands to protect Americans’ privacy rights. California was the first to do so in 2018, with a GDPR-like law, the California Privacy Protection Act (CPPA). It’s been followed by many others. As of March 2024, there were 15 discrete state-level data protection laws, plus a privacy-focused act in Florida aimed specifically at large technology companies.
The battle to get the same passed at a federal level has been fought since the early days of the internet, but bipartisan agreement has thus far proven a step too far. In 2022, the American Data Privacy and Protection Act (ADPPA) was canned after Democratic concerns that it would “pre-empt” or overrule stronger privacy laws at the state level – particularly in California. It’s unclear why the stars have aligned at this specific moment – especially in an election year. But experts are predicting the legislation – sponsored by Democratic senator Maria Cantwell and Republican representative Cathy McMorris Rodgers – has a great chance of becoming law.
What’s in the APRA?
Like the GDPR, the proposed legislation both empowers data subjects with new rights over their personal information (and what organizations do with it), and obliges those organizations to take strict measures to protect that data. The part of the bill related to data security is Section 9 which states:
“A covered entity and service provider shall establish, implement, and maintain reasonable data security practices to protect—the confidentiality, integrity, and accessibility of covered data; and covered data against unauthorized access.”
The exact measures organizations will be expected to take will depend on the size and complexity of the organization, the volume and sensitivity of the data and other factors. But at a minimum they could include:
- Vulnerability assessments to routinely identify “any reasonably foreseeable internal or external risk to, and vulnerability in” data processing, retention, collection or transfer technologies. This could include unauthorized access, “human vulnerabilities,” access rights, service provider risk, and more
- Preventative and corrective action to fix any discovered risks/vulnerabilities, including “implementing administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software”
- Updating the above in light of any changes to technology, internal/external threats and business operations
- Permanently erasing data that is no longer necessary for the purpose for which the data was collected, processed, retained, or transferred
- Employee training in data protection and data handling best practices
- Incident response so that the organization can detect, respond to and recover from data security incidents/breaches
Sensitive data covered by the act includes government-issued identifiers (Social Security numbers, passports and driver’s licenses), health, genetic, biometric and financial information, log-ins and other personally identifiable information (PII). Organizations will also be forced to appoint a Data Security Officer to run their data privacy and security program.
There’s no mention of fines for erring companies at this stage. But crucially, the law gives individuals the right to sue bad actors who violate their privacy rights—and recover money for damages when they’ve been harmed.
“A federal data privacy law must do two things: it must make privacy a consumer right, and it must give consumers the ability to enforce that right,” said Maria Cantwell, chair of the Senate Committee on Commerce, Science and Transportation. “Working in partnership with Representative McMorris Rodgers, our bill does just that. This bipartisan agreement is the protections Americans deserve in the Information Age.”
Putting controls in place
It follows that the quickest and easiest way to meet the Section 9 requirements for “reasonable data security practices” is through strong data protection. In fact, the draft law mandates the launch of a pilot program within a year to encourage private sector use of “privacy-enhancing technology.” This includes “any software or hardware solution, cryptographic algorithm, or other technical process of extracting the value of the information without risking the privacy and security of the information.”
This is exactly what tokenization can do – enabling organizations to use data in analytics and other business-enhancing use cases without compromising on security. Comforte’s Data Security Platform offers this and other data protection options including format-preserving encryption. It continually and automatically discovers and classifies sensitive data wherever it resides in the organization, and applies these protections seamlessly in line with policy.
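As an added illustration (not Comforte’s product or code from this page), the sketch below shows what vaulted, format-preserving tokenization looks like in practice: constructed sample records have their SSNs replaced by random tokens of the same format, per-customer spend can still be computed on the tokenized data, and only an explicitly authorised role can reverse a token. The `TokenVault` class, the role names and the sample records are hypothetical.

```python
import re
import secrets
from collections import Counter

# Constructed sample records with made-up SSNs (not real people).
SAMPLE_RECORDS = [
    {"customer": "A", "ssn": "123-45-6789", "amount": 40},
    {"customer": "B", "ssn": "987-65-4321", "amount": 15},
    {"customer": "A", "ssn": "123-45-6789", "amount": 25},
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Hypothetical vaulted, format-preserving tokenizer for SSN-shaped values."""

    def __init__(self):
        self._to_token = {}  # original -> token (one token per value)
        self._to_value = {}  # token -> original; in production a separate, locked-down store

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("expected NNN-NN-NNNN")
        if ssn in self._to_token:
            return self._to_token[ssn]  # same input -> same token, so joins and counts still work
        while True:
            # Random digits, not derived from the value: the token reveals nothing without the vault.
            digits = "".join(secrets.choice("0123456789") for _ in range(9))
            token = f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
            if token not in self._to_value and token not in self._to_token:
                break
        self._to_token[ssn] = token
        self._to_value[token] = ssn
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Least privilege: only an explicitly authorised role may reverse a token.
        if role != "fraud-investigator":
            raise PermissionError(f"detokenization not permitted for role {role!r}")
        return self._to_value[token]


def protect_records(vault, records):
    """Replace the SSN in every record with its token; analytics never sees the original."""
    return [{**r, "ssn": vault.tokenize(r["ssn"])} for r in records]


def spend_per_customer(protected):
    """Analytics over tokenized data: totals per distinct person, keyed by token."""
    totals = Counter()
    for r in protected:
        totals[r["ssn"]] += r["amount"]
    return dict(totals)
```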
As a federal data privacy law edges closer, the need to enhance corporate data protection policy with powerful security controls has never been greater.