Governance & Risk Management , Government , Industry Specific
US Bipartisan Privacy Bill Contains Cybersecurity Mandates
American Privacy Rights Act Has Genuine Chance of Becoming LawA bipartisan privacy proposal in the U.S. Congress backed by a key Senate Democrat and her House counterpart contains provisions that would place vast swaths of the American economy under new cybersecurity mandates.
See Also: OnDemand | How To Meet Your Zero Trust Goals Through Advanced Endpoint Strategies
The American Privacy Rights Act is still in draft stage but has the support of Sen. Maria Cantwell, D-Wa., and Rep. Cathy McMorris Rodgers, R-Wa., the chairs, respectively, of the Senate and House Commerce committees.
Cantwell's support distinguishes the bill from other recent attempts - even bipartisan ones - to pass a comprehensive national privacy law. Cantwell's refusal to endorse previous compromise proposals during her three-year tenure as committee chair has been an insurmountable obstacle for both Republicans and Democrats.
“A federal data privacy law must do two things: It must make privacy a consumer right, and it must give consumers the ability to enforce that right,” said Cantwell.
Congress has, in fits and starts, discussed passing a privacy bill for more than two decades, although pressure to act has gone up amid backlash against what critics call "surveillance capitalism" and statehouses acting in a congressional vacuum to approve their own privacy bills.
Serious attempts to legislate private sector cybersecurity beyond already covered sectors such as energy and healthcare collapsed in 2012 - but the hands-off approach characterized mostly by cajoling the market into better security has come in for a reappraisal, as well. Biden administration officials for years have signaled frustration with voluntary guidelines and suggested that mandatory requirements are the only way to obtain better results.
The Cantwell-McMorris proposal would require almost any corporations, except small businesses, that collect or process data to maintain "reasonable data security practices." Those practices would need to protect the confidentiality, integrity and accessibility of data that identifies an individual or device, or "or is linked or reasonable linkable" to such data. They would also need to guard against unauthorized access.
The bill isn't an exhaustive set of cybersecurity requirements. It lays out high-level practices that would become mandatory, including routine vulnerability assessment, acceptance of bug reports, and "taking preventative and corrective action" to address risks.
Privacy Effects
The bill's main focus is on creating rights of access and correction and allowing consumers the right to opt out from their data being used for targeted advertising. It would prohibit corporations from retaliating against individuals for exercising their opt-out rights, such as by denying service or charging different rates.
It would also create oversight requirements for large companies with minimum revenues of $250 million that use decision-making algorithms, including algorithms that facilitate human decision-making. Those companies would need to annually assess their algorithms for potential biases and evaluate them for bias prior to putting them into production. Annual assessment would be publicly available and transmitted to the Federal Trade Commission.
Consumers would have a right to opt out of algorithmic assessment in matters such as access to housing, employment, education, healthcare and financial activities. The FTC would publish guidance on how to comply with that section within two years.
Individuals could sue companies for violations of most sections of the act. This would preempt the bevy of state data privacy laws that have come up in recent years, including in California.
Those two issues - private right of action and state preemption - have made it difficult for Democrats and Republicans to find common ground. Democrats mostly insist on an individual right to sue and on allowing states to craft stronger measures than a federal standard. Republicans, typically against the creation of new torts, balked in the past about private right of action and sought strong preemption of state laws.
"I think we have threaded a very important needle here," Cantwell told The Spokesman-Review on Sunday. “We are preserving those standards that California and Illinois and Washington have."
Whether the California congressional delegation agrees will prove an important factor in whether the bill becomes law, since the heavily Democratic contingent of legislators has been protective of the first-in-the-nation privacy law.