Analysis: The Potential Impact of a National Privacy Law
This article originally appeared in the October 2022 issue of Security Business magazine.
The American Data Privacy and Protection Act (H.R. 8152) recently cleared the Energy and Commerce Committee of the U.S. House of Representatives, the first step toward a full House vote and then Senate consideration, and the clearest path yet toward nationwide GDPR-like regulation in the United States.
While it cleared the committee by a vote of 53-2, the legislation is still far from becoming law; in fact, its prospects are unclear with only a few months left on the legislative calendar. The bill has encountered resistance from tech companies that do not want any new legislation, heavy lobbying from data brokers, and pushback from states that do not want federal preemption of their own security and privacy rules. It would also create a new enforcement body, the Bureau of Privacy, within the Federal Trade Commission (FTC).
That said, most experts think it is only a matter of time before this legislation, or something similar, passes in the United States – which of course, will have a major impact on the security industry.
The Security Industry Association (SIA), along with other bodies representing the security industry, is deep into lobbying Congress to make sure any final law does not interfere with the effectiveness of security systems; however, SIA also states that a national privacy law will be much easier for the industry to navigate vs. a collection of varying state laws.
“Enactment of a national data privacy framework as proposed in H.R. 8152 could provide clear, meaningful and workable data privacy rules at the federal level,” says Jake Parker, SIA’s senior director of government relations. “SIA advocates for ensuring any framework provides for the continued functionality and effectiveness of safety and security technology applications and the societal benefits that follow. We also think this bill is likely to change and evolve before it receives further consideration and will be tracking it closely for the industry.”
A Closer Look
Through data minimization requirements, this bill looks to give users control over how their data is collected and used, and requires businesses to enact additional security controls to protect the user data they retain. It would preempt most state privacy laws, including the California Consumer Privacy Act (CCPA), subject to limited carve-outs. Other states that have enacted formal privacy laws include Maine, Nevada, Utah, Colorado, Virginia and Connecticut.
If passed, H.R. 8152 would require most companies to limit their collection, processing, and transfer of personal data to what is reasonably necessary to provide their services or products. Importantly, it also prohibits companies from transferring an individual's sensitive personal data to third parties without that individual's affirmative express consent, gives individuals the right to access, correct, and delete personal data collected about them, and lets them opt out of data transfers and targeted advertising.
This consent provision has caused some consternation and confusion in the security industry, where some read it to mean that anyone caught on surveillance video would need to give consent, which would render video surveillance essentially unusable. Fortunately, SIA's Parker says this is likely not the case.
“Instead of a consent-based framework, the collection and processing of personal data is permitted by H.R. 8152 based on whether the activity falls within specially defined categories of permissible uses, in an effort to minimize the overall amount of data collected,” Parker explains. “We were pleased that these categories specifically include physical security, life safety, network security and several other purposes that align with end-use of products provided by our industry.
“At the same time, there are a number of definitions and requirements that lack clarity, and additional restrictions on data transfer that could result in mixed impact on security technology implementation, depending on the application,” Parker adds.
In addition to user data protections, the bill would also create additional protections for individuals under the age of 17, including a prohibition on targeted advertising and the establishment of a Youth Privacy and Marketing Division at the FTC.
The Potential Impact for Businesses and Security End-Users
All these new user protections will require businesses to alter how they collect, store, process, transfer and destroy user data. The bill will require firms to demonstrate how they minimize data collection. For many, this will require implementing new data handling processes and creating and documenting detailed data management and governance procedures.
Additional administrative, technical, and physical security practices will have to be implemented at most businesses depending on how user information is collected, processed, and transferred, as well as the volume and type of data stored. For most companies, this will require new technology, new practices, and additional staffing.
For security managers, this means implementing a data management program with all of the associated policies, procedures, and technical controls necessary for compliance. For C-suite executives, it means understanding where data is and how it must be administered under these new requirements.
Some specific practice requirements outlined in the bill are worth calling out. These include vulnerability management, risk management, audit and assessment, data destruction, training, and incident response. For those familiar with the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, or the NIST Cybersecurity Framework (CSF), the requirements will look and feel familiar, because the bill is designed to work with these frameworks; so much so that an organization already in compliance with the GLBA or HITECH data security rules is deemed to satisfy the bill's data security requirements.
Also related to these frameworks, the bill calls for each organization to designate an officer, employee, or group of employees to maintain and implement security practice requirements.
At the bill's core is data minimization: limit user data collection to only what is necessary to support your services or products. This goal is noble, but the bill provides little guidance on data and metadata collected as a byproduct of operations, including items such as video surveillance in a convenience store, server access logs necessary for security operations, biometrics for employee building access, sign-in logs, and so on. The bill directs the FTC to issue guidance within a year of enactment; until then, it leaves businesses to write their own policies for these secondary data types, covering protection, retention, and destruction.
As long as organizational policies are designed to support business operations and can demonstrate data minimization, it would be best not to worry about gray areas until additional guidance is provided.
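To make the two ideas in this section concrete, the permissible-purpose framing Parker describes and the protection/retention/destruction policy the bill expects for operational data, here is a small added example in Python. It is illustrative code written for this page, not the bill's text, the article's code, or any vendor's product; the purpose catalog, the retention periods and the sample badge-reader event are all assumptions made for the example, not legal advice. Each field in the catalog is tied to the purposes it may be collected for and to a retention period, collection fails closed for anything not in the catalog, and a purge routine destroys fields once their retention period has elapsed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed purpose catalog (not from the bill): each field lists the
# permissible purposes it supports and how long it may be kept.
# The retention periods are illustrative values chosen for this example.
@dataclass(frozen=True)
class FieldPolicy:
    purposes: frozenset
    retention: timedelta

POLICY = {
    "badge_id":          FieldPolicy(frozenset({"physical_security"}), timedelta(days=90)),
    "door":              FieldPolicy(frozenset({"physical_security"}), timedelta(days=90)),
    "src_ip":            FieldPolicy(frozenset({"network_security"}),  timedelta(days=30)),
    "email":             FieldPolicy(frozenset({"service_delivery"}),  timedelta(days=365)),
    "marketing_segment": FieldPolicy(frozenset({"marketing"}),         timedelta(days=30)),
}


def minimize(record, purpose):
    """Return (kept, dropped). A field is kept only if the catalog permits the
    declared purpose for it. Fields with no catalog entry are always dropped,
    so undocumented collection fails closed rather than open."""
    kept, dropped = {}, []
    for field, value in record.items():
        policy = POLICY.get(field)
        if policy is not None and purpose in policy.purposes:
            kept[field] = value
        else:
            dropped.append(field)
    return kept, sorted(dropped)


def purge_expired(record, collected_at, now):
    """Return (remaining, destroyed). A field is destroyed once its retention
    period has elapsed since collection; a field with no catalog entry has no
    retention justification at all, so it is destroyed immediately."""
    remaining, destroyed = {}, []
    for field, value in record.items():
        policy = POLICY.get(field)
        if policy is None or now - collected_at > policy.retention:
            destroyed.append(field)
        else:
            remaining[field] = value
    return remaining, sorted(destroyed)


# Constructed sample: a badge-reader event that an over-eager integration
# also decorated with the employee's email, a marketing segment and GPS data.
SAMPLE_EVENT = {
    "badge_id": "B-1042",
    "door": "lobby-east",
    "email": "jane@example.com",
    "marketing_segment": "high-value",
    "gps": "40.7128,-74.0060",
}
COLLECTED_AT = datetime(2022, 10, 1, tzinfo=timezone.utc)


def demo():
    """Minimize the event for the physical-security purpose, then run the
    retention purge 100 days later (past the assumed 90-day badge retention)."""
    kept, dropped = minimize(SAMPLE_EVENT, "physical_security")
    remaining, destroyed = purge_expired(kept, COLLECTED_AT, COLLECTED_AT + timedelta(days=100))
    return kept, dropped, remaining, destroyed


if __name__ == "__main__":
    kept, dropped, remaining, destroyed = demo()
    print("kept at collection:", kept)
    print("dropped at collection:", dropped)
    print("destroyed after retention:", destroyed)
    print("remaining:", remaining)
```

The point of the catalog is that it doubles as the documentation the bill expects: a reviewer can see, per field, which permissible purpose justifies collection and when the data is destroyed, and the code refuses anything the catalog does not name.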
For service providers such as security integration companies, not only will they have to deal with data of their own, but client and third-party data. Contracts and service agreements must state how data is handled and managed through the contract lifecycle, putting additional pressure on risk and vendor management teams on both sides of the agreement.
For manufacturers, the emphasis will be on customer data protection and how third-party vendors access the data. Knowing what data is collected, where it is, and how it is used will be essential for compliance and determining the risk if it is shared with a third party.
Large vs. Small Businesses
Fortunately, the bill is not a one-size-fits-all piece of legislation; it distinguishes between large and small data holders, each with a distinct set of requirements based on its size. "Small data holders" that have adjusted gross revenue below $41 million over the past three calendar years and that process data for fewer than 100,000 individuals annually are allowed to delete records rather than process correction requests, and would be exempt from most of the data protection requirements, other than the user's right to have data that is no longer in use deleted.
A third condition applies: to qualify, a business must not derive more than 50 percent of its revenue from transferring covered data. The large majority of U.S. companies fall under the small data holder category, which should help diminish the burden of becoming compliant with the bill's requirements.
On the other hand, "large data holders" that have adjusted gross revenue over $250 million in the last calendar year and that process either five million personal records or 100,000 sensitive individual records would be subject to additional controls.
The proposed law requires data holders to have a simple mechanism in place so that users are presented with clear options for controlling their data, including requests to opt out of, delete, modify, or transfer their data. Large data holders are given 45 days to comply with user requests, and small data holders are given 60 days. Businesses are allowed an additional 45 days if the request is complex, provided that they inform the user of the delay and the reason for it. Users cannot be charged for their first two requests, but businesses can charge a reasonable fee for any additional requests.
Compliance and Enforcement
Enforcement of the proposed law would be handled by state attorneys general and the FTC. Users who want to file a lawsuit directly must first notify their state attorney general and the FTC of their intent to bring suit. The agencies then have 60 days to decide whether to act; if they take up the case, the individual is barred from pursuing a private suit.
While the bill in its current form does not provide operational recommendations for compliance, it states that within the first year the FTC will issue guidance on what it considers reasonable policies, practices, and procedures. If the bill is passed into law, businesses should take direction from GLBA and HITECH, which are cited directly in the bill as applicable information security laws, until that guidance is issued.
There is also minimal guidance on the technical implementation of the law. Data governance is something most organizations are still struggling to wrap their heads around, let alone implement. Difficult as that may be, small businesses will need to know what data they have and how to manage it properly, and large companies should expect to eventually fall under a compliance regime like the one the financial services industry has operated under for roughly two decades.
Because the bill deals with all aspects of user data, every organization will have to take a different approach to their implementation based on the type of data they collect and how they utilize it.
Bob Gaines, CISSP, CECI, CCFI, COSINT, CSFA, has more than 28 years of experience working in the information technology field and has developed a deep understanding of how security can protect the confidentiality, integrity, and availability of data and information systems in a regulated environment.