2020 and 2021 saw escalating cybercrime and data breaches across the US. Now, state legislators in over 29 US states have thrown the spotlight on data privacy this year. They have put it high on the agenda in legislative sessions.
The rights of consumers to opt-out of data collection on websites, providing watertight protection and privacy for children online, and the monitoring of employee emails have all been closely scrutinized. Perhaps most crucially, legislators have taken a closer look at the role and responsibility of commercial and governmental entities in ensuring data protection. Companies will also have to clarify what data is collected, what will be done with it, and how long it will be kept.
Ultimately, only Virginia and Colorado have signed data privacy bills into law this year. These came into effect on March 2, 2021, and July 7, 2021, respectively. This makes them the second and third states after California to enact such laws. In other states, data privacy bills have failed to pass.
Without federal legislation in place, even the likes of Virginia, Colorado, and California will fail to adequately protect consumer data privacy. This is due to two critical factors:
- The internet is not contained within a single state’s boundaries, so state laws cannot satisfy cross-state federal regulation and compliance requirements.
- Participants operating online can only be regulated by the federal government under the Commerce Clause, Article I, Section 8 of the Constitution.
Consumer privacy underpins other rights
Consumer privacy legislation is a critical foundation in protecting the rights of consumers and ensuring their safety and privacy online. Currently, no US national legislation ties the responsibility for this to any commercial or governmental entity. Given the increasing magnitude of data breaches and digital stewardship failures, the importance of addressing this has now become paramount.
Today, we are living in an environment of escalating cybercrime. Every year brings a record-breaking number of data breaches of increasing sophistication and severity. So it comes as no surprise that consumer confidence in the promise of data security is at an all-time low. The majority of Americans now believe that they have lost total control of their data.
A Patchwork of Existing Protection
Furthering this patchwork of state privacy laws will only create more confusion and instability for both business and customers. For example, these laws do not provide for interstate commerce. As such, they will impinge on any business operating in or selling to customers across multiple states.
In the absence of a consistent national privacy protection regime, more states will enact their own local rules. These will raise costs and complicate compliance even further – with a myriad of enforcement regimes for businesses and individuals alike.
The Challenge of Responding to Data Breaches
Much of the Western world has adopted comprehensive legal protections for personal data, but the United States continues to struggle with this. Its sector-specific laws and regulations fail to protect consumer data adequately. Furthermore, they only serve to deliver complicated and often contradictory requirements for businesses and consumers.
A good example of this is the Health Insurance Portability and Accountability Act (HIPAA). It is the United States’ primary health privacy and security law. It only applies to “covered entities” holding “protected health information”. The system is so complicated that most Americans have no grasp of when their health information is protected by the law or what security standards apply to their individual case.
Additionally, separate privacy laws govern specific areas of the US healthcare system. Student immunizations and other school health records are generally covered by the Family Educational Rights and Privacy Act (FERPA). It, in turn, intersects with and sometimes conflicts with the Children’s Online Privacy Protection Act (COPPA), which protects data only for children under the age of 13.
State laws add to the confusion
State laws only add to this confusing patchwork, particularly with respect to data breaches. It is recognized that the widespread collection of personal information puts people’s privacy and security at risk. Federal laws exist that require individuals to be notified if their information is compromised. However, the types of personal information that warrant protection, which entities are covered, and even what constitutes a breach vary from state to state.
Even the most sophisticated organizations will eventually experience a breach thanks to the persistent threat of cybercriminals, insider threats, or commercial intrusion. Additionally, the damages resulting from the collection and misuse of data are constantly evolving and worsening.
Therefore, the time is right to revisit the introduction of federal legislation and the creation of a national data breach notification standard. This would ensure that individuals know when a data breach involving their personal data has taken place.
Moving Towards a Unified National Framework for Data Protection
The US legal framework has typically relied on individual states to introduce their own flavors of data privacy legislation. Yet, the EU’s General Data Protection Regulation (GDPR) has led the global dialogue on data protection. It has set an international standard for protecting all personal data, regardless of who collects it or how it is processed.
Progressive digital economies like Canada, Israel, and Japan are starting to align with this. Without similar alignment, US companies could arguably be placed at a global disadvantage.
To bring the United States in line with these emerging data-protection norms, Congress should now initiate one comprehensive framework to cover all institutions. It should override and resolve differing federal laws and regulations, rights and responsibilities. Companies must become ethical stewards of data for the better protection of all US citizens.
It is now time for state legislators to encourage this and work together with Congress to deliver an overarching, progressive solution that reflects the importance of an individual’s right to privacy and organizations’ duty to protect it.
Titus solutions are trusted by millions of users in over 120 countries around the world, including top military, government and Fortune 100 organizations. With the addition of data identification and advanced machine learning technologies, Titus has evolved into a global leader in enterprise-grade data protection solutions.