What Could a U.S. Federal Data Privacy and Security Law Look Like?

Posted on in Podcasts

Congress has tried for years to pass a comprehensive federal data privacy and security law without success, which impacts consumers, industry, and security. Meanwhile, other countries and multiple U.S. states have moved forward with laws. However, the bipartisan, bicameral American Data Privacy and Protection Act (ADPPA) could be an opportunity to change this. This podcast will cover why data privacy and security legislation is important and look at the R Street Institute’s report on reaching consensus on traditional roadblocks, specific aspects of the bill like data security, the bill’s current status and possible next steps, and remaining challenges.

Podcast Transcript

You're listening to the RSA Conference podcast, where the world talks security.

Kacy Zurkus:
Hello listeners, and welcome to this edition of our RSAC 365 podcast series. Thanks so much for tuning in. I'm your host Kacy Zurkus, Content Strategist with RSA Conference. Today I am joined by Brandon Pugh at R Street Institute, and we'll be talking about data privacy and security legislation, where we are and where we are going. But before we get started, I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now I'd like to ask Brandon to take a moment to introduce himself before we dive into today's topic. Brandon.

Brandon Pugh:
Well Kacy, it's great to be here. I've enjoyed following your work, along with all your colleagues at the RSA Conference. So thanks for having me on, especially for such an important topic. I'm fortunate to be a senior fellow and policy council at the R Street Institute on the cyber and emerging threats team. And on that team, I lead our data privacy and security work. So this topic is very relevant and very timely. But before joining the R Street Institute, I was the legislative council for the New Jersey General Assembly in the minority office, where I handled almost all of our legislation on tech, cyber, and privacy. And before that, I was fortunate to serve in four different elected and appointed offices, and a host of different cyber roles before that. So I know that's near and dear to your listeners, including the military. I did a fellowship at the FBI. So it's now neat to be with the R Street Institute and have the opportunity to focus on these important issues.

Kacy Zurkus:
I love that, and I love that wealth of experience that you bring to the conversation. I want to jump right in by asking you to share some background with our listeners, as we know that passing a comprehensive federal data privacy and security law in the US has been largely unsuccessful. Who knows what will happen before the Senate breaks, but can you perhaps pull back the curtain for us a little bit to help us understand some of the competing viewpoints that have created this stalemate in which we find ourselves?

Brandon Pugh:
And you are right. Unfortunately, this has been going on for years, and truthfully there could be a book on the history of this alone and the different iterations, the different compromises. It just seems like when we're getting close, there's something new to hold it up historically. But I think before I get to where we're at now, I think it's helpful just to remind people, what do we have in the US in terms of privacy legislation? Right now, we see a lot of states passing laws and I'll touch on that later. We also see sector specific laws, like HIPAA. That's probably the more prominent example. We see many international approaches, the most famous example being the GDPR, but now many others have made their own laws, including China even. And we also see voluntary adoption. A lot of times people will critique larger tech companies, but multiple of them have voluntarily taken privacy initiatives without being forced to, and specifically, because we don't have a comprehensive federal law on data privacy and security in the US.
Outside of this example I shared with you, there's no consistent standard. I specifically say privacy and security because we do think they go hand in hand. We don't think you can have one without the other, and they're both important aspects. But specifically to your point, what are some of the roadblocks? Traditionally, I'd say there have been several major roadblocks, along with this series of other issues, but just for the sake of time, we can't go into everything. But just broadly speaking, we've had issues with preemption, which essentially means how does a federal law interact with state laws. That's particularly important because many states have these laws now, or I shouldn't say many, we're at five. The second being a private right of action, meaning can individuals sue a company or covered entity directly for violations of the law. And then third, what is the role of the Federal Trade Commission, or the FTC, in terms of both enforcement and rule making?
The problem is individuals have usually taken one stance or another on these issues. What I mean by that is let's take preemption as one example. The question historically has been, should a new federal data privacy and security law preempt state laws, or should it not? And it's always been one or the other. There's really not been a focus on reaching a middle ground and finding areas to negotiate and compromise. We've seen significant movement on reaching the middle ground in our current legislation. And then if you add to that, there's certain people and groups that would prefer to hold out for a more ideal bill. The challenge with this is it just slows down progress, or it just stops progress altogether. The belief is maybe we could wait for a future Congress and pick up the legislation then and hope we get a better bill. I think the challenge with that is there may not be an ideal bill for everybody. So if we continue that belief, we may never have a bill. So I think there is a middle ground that's needed in trying to reach consensus.

Kacy Zurkus:
Yeah. I mean, that's really no way to legislate on any bill. I mean, we could have that hope for the next Congress when it comes to every legislation, but at the end of the day, we need legislation to drive change. We certainly know that multiple states have had success passing their own data privacy act, as you mentioned, but what impact does this have on consumers and industry and even security as a whole, when we are lacking this central comprehensive legislation at the federal level?

Brandon Pugh:
So I alluded to it earlier, but we're at five states now that have a state level privacy law, most prominently being California, and even more shockingly, 27 states have worked on a bill this year. Not all 27 are going to pass, but they're still negotiating and considering them and some are still active. I think this shows that the trend at the state level is just going to continue. So if some have concerns now that there's a patchwork emerging, I think that those concerns are just going to get even bigger. But you're right, there are concerns here for consumers, industry and security.
Just to start with consumers. The vast majority of Americans live in a state without a privacy law, so they don't enjoy the protections and the benefits that a federal law would afford them or other like Americans that live in a state with one have. So that is as a concern. In poll after poll, we see that there's interest by consumers to have data privacy and security legislation. But even if you do live in a state with a state level law, the challenge is there's going to be variations between your state and other states that have a law. And that makes it hard because you're not sure what rights you have, what rights you don't have, and applying those is even harder.
That brings me my second point for industry. It's really challenging without having a consistent standard for industry. We have this patchwork emerge, and some people say that's just become more of a buzzword, end the patchwork, but truthfully, there is a lot of merit to that. If we have 50 states, and maybe that's an exaggeration to happen in the next month, but long term, we're going to see more and more states with laws, that puts a company in a position where they now have to follow every single state's law. They are much easier to amend than what we see at the federal level. And there's just not a consistency. That makes it hard to do business.
Third, and probably most important for your listeners, are the security aspects, and what I truthfully love, because that's something we routinely flag is there is security to this piece. It's just not about consumer privacy here. There's massive security implications, really for the benefit. And the challenge without that, without clear guidelines, it makes knowing who has your data, how it's used and who it's shared with virtually impossible. Also there's not just consistent data security rules, outside of just specific industries. So this means you can have a rule in one state, how to regulate your data and how to secure it, but not in another state. A federal law could change that. I can dive into some of those specifics later in terms of how this bill is doing that.
But even outside the consumer perspective, we see threats from foreign countries and adversaries, and even countries that some wouldn't say are adversaries, but they have an interest in collecting and using our data. China's probably the most prominent example of what we see in the news recently, but the fact of the matter is it's a threat. And with the amount of personal information online increasing 150% from 2019 to 2021, the amount of information that's out there is just increasing, and not to mention the number of data breaches we saw last year reached an all time high. So if you combine those two, it's not the best scenario when it comes to security.

Kacy Zurkus:
I mean, it's a staggering amount of data that's being collected. I would imagine, as we talked about, there is this consumer impact, but even industry, and just the idea of doing business and being able to be compliant with a patchwork legislation rather than one central federal legislation has to be incredibly challenging for those GRC folks. Can you talk to our listeners about the American Data Privacy and Protection Act, commonly known as ADPPA, and how this law could be an opportunity for change?

Brandon Pugh:
Yeah. So, ADPPA is really groundbreaking for a few reasons, but just to note, this legislation is bipartisan and bicameral. So it has support from both parties and there's three major sponsors from both houses. So we see the chair and the ranking member for the House Energy and Commerce and the counterpart in the Senate, being the ranking member there. So the three of them have joined a bill in areas that have traditionally been roadblocks, they've reached general consensus on. Perhaps there's some that still want to see some more fine tuning. Even I've identified areas that could be fine tuned, but overall they've reached consensus on big areas. And I'll dive into them. But just in terms of where we are first, ADPPA has made progress. It passed the House Energy and Commerce Committee with a 53 to two vote with widespread support, and we've seen multiple amendments since this was introduced. I think that really shows the willingness between members and those that are sponsoring legislation to continue to fine tune this.
It's a very difficult piece of legislation, so I don't want to convey that this is an easy process, that we can have a solution overnight because there are big ticket items that haven't been worked through, but this has the ability to make large changes in how we do business and how consumers are protected and for our security. But just to start with security, maybe I'm slightly biased, then I'll go into some more broader provision. Like I said before, we believe privacy and security go hand in hand. There's several provisions in this bill just to flag. Interesting enough, privacy notices aren't a new concept, but something this bill would do is it'd require individuals to be informed if their data is going to select countries like China and Russia. Sometimes maybe that's done voluntarily now, but it's not widespread. That would change with this.
This bill also would establish data security practices, specifically that you would have to have administrative, technical and physical data security practices and procedures. I know that's a little generic and I guess some people are listening are probably wondering what does that mean? I think a portion of that is addressed because the Federal Trade Commission will make regulations in conjunction with NIST for complying with those. And truthfully, the bill does a decent job in this section because it does realize that not every business is the same size, not every business has the same type of data. So you can't just put broad rules out there and expect every business to comply. There does need to be variations. So, nice to see that included. And there's also a variety of other areas where security specifically is mentioned in the bill. So, that's great to see.
In terms of what does it do broadly, just to take a step back. Some of the rights we see in the GDPR and in California in particular are present in this bill. So individuals will have many rights surrounding their data. This can include a right to access their data, the right to delete their data. I know those don't sound groundbreaking, but on a national level, it's a big concept. There's also provisions in here to minimize, or data minimization in terms of limiting the amount of data you collect just for specific purposes. There's rules in terms of consent.
But just to circle back to where we started with these major roadblocks, just to touch on how they've been addressed, there is a private right of action in this bill. Historically traditionally Republican members, there's been Democrats as well, have been against including a private right of action, because that means you could sue companies directly. So that is present in this bill and it's narrowed. There is a delayed start for that and there's some limitations around that, but that is present. That is a way to reach a consensus point in this bill.
There's also preemption. I know I'll touch on this a little bit too, but generally speaking, state level laws for data security and privacy would not be able to stand. There are a series of carve-outs, but a law like California, there's exceptions, but generally speaking, that would not be able to continue if ADPPA was successful. I think that's important because without that, you could continue to have just variations across the country. So I'd say that's just a broad overview. I know that you could probably have a book just on ADPPA alone. I know there's been a lot of great analyses out there of it.

Kacy Zurkus:
Yeah. I mean, there's so much to cover and I'm sure that there's so much in the bill that we can't even begin to touch upon, but I'm wondering what are maybe some other challenges in terms of the work that R Street Institute is doing to help overcome these challenges when we look at the steps ahead?

Brandon Pugh:
Yes. So R Street, I'd say going back to June, but then a year prior to that point actually, worked in conjunction with the Belfer Center at Harvard, along with Cory Simpson of the Solarium Commission, and the goal of that project, and I was fortunate to be part of that, was to identify these roadblocks, but then more importantly, identify how you could solve those roadblocks. So give a menu of options for addressing every issue, but then from that menu of options, pull a consensus path forward. So in doing this research, over 120 entities and individuals were contacted across the spectrum, and that was very intentional. We didn't want to just have right leaning or just left leaning groups. We truthfully wanted to hear on where is that middle ground and then present that to Congress.
So our reports came out in June, and really drafts were circulated before that. It was really good timing because that's right when we saw ADPPA coming out. Up to that point, many people thought we were crazy, saying, "Well, why are you wasting your time? This is an elusive concept. We may not ever have it." But it was really validating to see ADPPA come out with compromise points, many of which we flagged in a report. So, that was something we did historically, and we're continuing to just try to be a resource as this bill moves forward and give constructive feedback. There's been, like I said before, a number of amendments and there's more that could come out potentially. So we've tried to work across the aisle really to do that. And truthfully, one of the things I value about R Street the most is that they really encouraged working with different ideologies, and really they're solutions oriented. Rather than just identifying a problem and saying, "It's an issue. We shouldn't move forward," but perhaps, "Can we actually identify a specific path?"
I'm optimistic that in terms of how far we've come, there's a long path forward. There's probably two or three specific issues out there still that need to be solved, I think. One we've seen most recently in the news was California has come out extremely against this bill. We've seen their governor, their state level Privacy Protection Agency, CPPA has come out, along with their congressional delegation, not all, but some. They're very concerned by this bill because of the preemption. They wish to see a federal law that provides essentially a floor, so they could continue to make stricter laws at the state level, but this would be the baseline. And obviously that's a challenge because this bill has been carefully crafted to reach consensus, and that's one key part of the consensus.
Another challenge is really the timing here. We have a midterm election coming up very quickly. So that presents a narrow window before the election and perhaps after the election to act in this legislation. And third is, not to call out any single member, but obviously Senator Cantwell has not endorsed this legislation, has proposed her own legislation in the past. And obviously that's a very important individual to have supporting this or willing to hear it in the Senate side because it has not moved in the Senate side. And it goes without saying, we need support in both houses.
So, I'm optimistic to see those sponsors continue to work on this, continue to make changes. And just to throw out a final thought here to add to all of this, the Federal Trade Commission has put out an ANPR, or an Advanced Notice of Proposed Rulemaking, and essentially they've raised or flagged 95 questions that deal with data privacy and security. Very broad. And they've gotten a lot of critique over it because essentially some have said they're really just trying to legislate a data privacy law, but as a federal agency, especially when Congress is out there acting. So they have a public hearing coming up and they have a comment window open right now, but it does touch on many of the same topics that the ADPPA covers. So, that's another dynamic to add to this conversation.

Kacy Zurkus:
I so appreciate your point about consensus and compromise because certainly in any legislative work, the key to passing a piece of legislation is not really in consensus, but in people's willingness to compromise. Can you share some parting words of wisdom with our listeners that will help to bring these competing viewpoints together in order to affect change?

Brandon Pugh:
Kacy, you couldn't have been more spot on. Compromise in this legislation is key. If people continue to just dig in on one narrow issue or two narrow issues, we'll never move forward and we'll be in the same spot as we are four or five years from now. So I think it is optimistic that we've had a lot of compromise to date and I think people should be encouraged to continue that path forward. Not saying you settle for a bad bill, because I personally wouldn't support that and that wouldn't be in line with R Street's work that we've put out, but as long as it's a decent bill, I think people should be willing to move slightly. And that was R Street's effort in just identifying these areas for consensus.
Off of that, I think it's important to be engaged. So if you're an individual out there or you represent an entity, reaching out to members of Congress and those working on this bill, that's important because it's easy to sit back saying, "I hate this bill," and not offer any constructive feedback. If there is, in my opinion, provisions that concern you or you think there's a better way, I would share that. That's just a core belief of mine, and that's been done a lot. We've seen a lot of different groups come out and share constructive feedback along with R Street.
For a third point, I think it's important to think ahead. Yes, I'm hopeful that this legislation will be reality in the near term and it is going to be a change for companies. So I think it's important for companies to proactively be thinking, how would I implement this? Even if it's not required by law now, it's not a bad idea to be just proactive and have some of these steps be your business practice and your business model. So hopefully we'll stay in touch and we'll have some good news seeing this move forward, or at the very least, we've had a great foundation and we've made tremendous strides from where we were really just two or three months ago, which is hard to believe. So I appreciate you raising the attention to data privacy and security today because it's such an important topic and something really the United States needs now.

Kacy Zurkus:
Yeah. I think it'll be so fascinating to get to RSA Conference 2023 in April and see where we are at that point. So hopefully we'll be able to continue the conversation even on the big stage. Brandon, thank you so much for joining us today. Listeners, thank you for tuning in. To learn more about privacy and find products and solutions related to it, we invite you to visit RSAConference.com/marketplace. Here you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels, using the #RSAC and be sure to RSAConference.com for new content posted year-round.


Brandon Pugh

Director and Resident Senior Fellow, R Street Institute, Cybersecurity & Emerging Threats

Policy & Government Privacy

data loss prevention data security data sovereignty government regulations law legislation PII privacy

Share With Your Community