Federal Cybersecurity Regulation? It Could Be Coming!
Steve Berlin, Esq. is an Associate with the firm Rumberger, Kirk & Caldwell and focuses on product liability and casualty litigation with an emphasis on deconstructing complex matters and issues involving technology. This post is part of an ongoing series of cybersecurity law articles provided by Mr. Berlin. Our gratitude to him and Rumberger, Kirk & Caldwell for sharing their valuable insight!
Two Senate Committees recently held hearings focused on cybersecurity and data privacy with the creation of federal law as the main topic. The Commerce Committee held a hearing called “Privacy Principles for a Federal Data Privacy Framework in the United States” and the Judiciary Committee held a hearing called “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation.” The Senators demonstrated a solid grasp of the issues and asked focused questions regarding whether the U.S. should create comprehensive federal privacy regulation.
One of the key issues is how the California Consumer Privacy Act (CCPA) would affect interstate commerce. For example, after California’s law comes into effect in 2020, it will have reaching effects on those who conduct business in California and on the internet with Californians; thus, a Florida business that maintains a customer database that includes Californians may have to comply with the CCPA. The quandary is whether Congress should create a baseline regulation that applies to all Americans equally or allow states to create similar legislation without federal interference that would create a patchwork of rules.
Another key issue is how to enforce such legislation. The consensus was that the Federal Trade Commission (FTC) would be the appropriate federal agency to oversee cybersecurity and data privacy due to its role in consumer protection. New regulation would likely provide the FTC with the authority to create regulations to refine and enforce a federal data privacy law. Such regulations may also provide authority for states attorneys general to enforce cybersecurity and data privacy regulation at the state level. This is important because the FTC tends to have a higher threshold to take an action, whereas a state attorney general can be more responsive to their constituency.
When it comes to industry regulation, one such proposal is self-regulation, which is what mostly happens now. The Senators’ demeanors reflected their waning deference to industry due to recurrent data breaches. One hot-topic regulation, in particular, was opt-in versus opt-out. For the most part, the default selection in America is to opt out of data collection. This requires a user to take affirmative steps to limit data use by a controller. Alternatively, opt-in requires the user to take a step to allow the controller to use one’s data in ways that are more expansive.
The hearings indicate a growing appetite for federal cybersecurity and data privacy law with the CCPA being the catalyst. As a result, Florida businesses should take a close look at how they handle data. may be advantageous as a business model for a Florida business to use opt-in as a standard. A Florida business should also take a hard look about its cybersecurity and data privacy practices ahead of possible legislation because the elected officials are reflecting the concerns of the American people, which is also the customer base. A business can go beyond compliance by setting itself apart from its competitors when it comes to protecting its customers’ data.
Please note: the information provided here is for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization’s specific needs.