After years of false starts, the US is edging closer to a federal data privacy law. In a surprise move, two lawmakers last month introduced a bipartisan, bicameral piece of legislation described as “the best opportunity we've had in decades” to finally enshrine a national privacy and security standard into law.
With detailed provisions mandating strict control of sensitive information, it will force organizations to revisit and enhance their data security policies and controls.
Up until now, state legislatures have been forced to take matters into their own hands to protect Americans’ privacy rights. California was the first to do so in 2018, with a GDPR-like law, the California Privacy Protection Act (CPPA). It’s been followed by many others. As of March 2024, there were 15 discrete state-level data protection laws, plus a privacy-focused act in Florida aimed specifically at large technology companies.
The battle to get the same passed at a federal level has been fought since the early days of the internet, but bipartisan agreement has thus far proven a step too far. In 2022, the American Data Privacy and Protection Act (ADPPA) was shelved after Democratic concerns that it would “pre-empt,” or overrule, stronger state privacy laws – particularly California’s. It’s unclear why the stars have aligned at this specific moment – especially in an election year. But experts are predicting that the legislation – sponsored by Democratic senator Maria Cantwell and Republican representative Cathy McMorris Rodgers – has a great chance of becoming law.
Like the GDPR, the proposed legislation both empowers data subjects with new rights over their personal information (and over what organizations do with it), and obliges those organizations to take strict measures to protect that data. The part of the bill related to data security is Section 9, which states:
“A covered entity and service provider shall establish, implement, and maintain reasonable data security practices to protect—the confidentiality, integrity, and accessibility of covered data; and covered data against unauthorized access.”
The exact measures organizations will be expected to take will depend on the size and complexity of the organization, the volume and sensitivity of the data, and other factors. But at a minimum they could include:
Sensitive data covered by the act includes government-issued identifiers (Social Security numbers, passports and driver’s licenses), health, genetic, biometric and financial information, log-ins and other personally identifiable information (PII). Organizations will also be forced to appoint a Data Security Officer to run their data privacy and security program.
There’s no mention of fines for erring companies at this stage. But crucially, the law gives individuals the right to sue bad actors who violate their privacy rights—and recover money for damages when they’ve been harmed.
“A federal data privacy law must do two things: it must make privacy a consumer right, and it must give consumers the ability to enforce that right,” said Maria Cantwell, chair of the Senate Committee on Commerce, Science and Transportation. “Working in partnership with Representative McMorris Rodgers, our bill does just that. This bipartisan agreement is the protections Americans deserve in the Information Age.”
It follows that the quickest and easiest way to meet the Section 9 requirements for “reasonable data security practices” is through strong data protection. In fact, the draft law mandates the launch of a pilot program within a year to encourage private sector use of “privacy-enhancing technology.” This includes “any software or hardware solution, cryptographic algorithm, or other technical process of extracting the value of the information without risking the privacy and security of the information.”
This is exactly what tokenization can do – enabling organizations to use data in analytics and other business-enhancing use cases without compromising on security. Comforte’s Data Security Platform offers this and other data protection options including format-preserving encryption. It continually and automatically discovers and classifies sensitive data wherever it resides in the organization, and applies these protections seamlessly in line with policy.
As a federal data privacy law edges closer, the need to enhance corporate data protection policy with powerful security controls has never been greater.