Federal Data Privacy Legislation Is Likely Next Year, Tech Lawyers Say
For years, federal legislators have attempted to pass comprehensive cybersecurity and data privacy legislation. With more support than ever from the public, industry and both sides of the political spectrum, 2019 may be the year when such legislation is enacted.
November 29, 2018 at 05:00 PM
7 minute read
The original version of this story was published on Corporate Counsel
If federal data privacy legislation is ever going to be passed, it may be in 2019, said Intel's head of U.S. government affairs, Lisa Malloy.
More and more people have become aware of how much of their personal information is on the internet, and they are more aware of the risks of having that information exposed. Over the past couple of months, legislators, trade organizations and even tech companies have stepped up their efforts to pass data privacy and cybersecurity legislation.
While sector-specific cybersecurity bills have been enacted, earlier proposals for comprehensive data privacy and security legislation failed to get off the ground. As early as 2009, for instance, U.S. Senator Patrick Leahy, D-Vermont, introduced a bill for the Personal Data Privacy and Security Act . The bill never received a floor vote.
Why now? More companies appear to be growing concerned with the idea of having a jumble of federal and state data privacy and cybersecurity laws, especially with the passage of the California Consumer Privacy Act of 2018 in June of this year. However, the California law will not fully take effect until 2020. There are also several different laws governing data privacy by sectors, such as the Health Insurance Portability and Accountability Act and The Fair Credit Reporting Act.
David Hoffman, associate general counsel and global privacy officer at Intel Corp., based in Santa Clara, California, said that with the CCPA comes more of a patchwork of different regulations with which companies would have to work to comply.
“It's the patchwork issue that people are most worried about,” Hoffman said.
James Shreve, a partner and head of the cybersecurity practice at Thompson Coburn in Chicago, explained that California is the only state that has a comprehensive law on cybersecurity or that goes beyond reporting a data breach. He said California tends to be the trendsetter for that kind of legislation. Right now, states have different laws on when companies are supposed to report data breaches.
“There's more interest among industry [in having something passed] than we've seen in the past several years,” Shreve said.
|Congressional Proposals
In Congress, legislators have introduced a number of proposals recently hoping to get away from a patchwork of state and federal laws to create an overarching law governing data privacy and cybersecurity: In July, Rep. Hank Johnson, D-Georgia, announced that he would be re-introducing two bills on cybersecurity and data privacy. One of them, The Application Privacy, Protection and Security Act of 2018 (H.R. 6547), would govern how data is collected and secured on mobile devices. He also introduced the Data Broker Accountability and Transparency Act of 2018 (H.R. 6548), which would require data brokers to establish procedures for accessing and correcting their collected information, and allow U.S. citizens to have their data erased from corporate servers. This bill has a companion in the U.S. Senate introduced by Sen. Edward Markey, D-Massachusetts, S.1815.
In September, the Financial Services Committee in the U.S. House of Representatives passed the Consumer Information Notification Requirement Act H.R. 6743, sponsored by Rep. Blaine Luetkemeyer, R-Missouri. The bill, if enacted by Congress, would allow the Federal Reserve and Comptroller of Currency to establish standards to prevent a data breach, but would leave it up to state insurance regulators to enforce the federal standards on licensed insurance companies, according to an advisory by Crowell & Moring attorneys John Sarchio and Richard Liskov. The bill would allow except in some circumstances federal preemption of state laws, such as the model act for the cybersecurity of insurance data enacted by the National Association for Insurance Commissioners. The NAIC act was patterned after the New York Department of Financial Services' comprehensive financial services cybersecurity regulations enacted in 2017.
In November, Sen. Ron Wyden, D-Oregon, introduced draft legislation on data protection bill that would amend the Federal Trade Commission Act to allow the commission to enforce data privacy and security standards and allow executives to be jailed for 10-20 years if they were found to be in violation of the standards.
|Tech Companies Weigh In
Tech companies also have gotten into the act, releasing their own opinions and model federal legislation for data privacy and security in response, not only to the California Privacy Act but also to the European Union's earlier General Data Protection Regulation of 2016.
• Intel released its draft proposal in early November with the hopes of fostering discussion on data privacy. Intel is accepting feedback on its draft legislation and will publish a second draft of the bill in 2019.
• Alphabet Inc., the parent company of Google, which declined comment for this story, referred to its opinions on federal privacy legislation to a September blog post authored by the company's chief privacy officer Keith Enright. In that post, Enright wrote that the organizations that misuse consumer data should be held responsible and that a consumer's power to control their own personal data should not be difficult.
• IBM previously has said it would like to see a public-private approach rather than government mandates when it comes to data privacy and cybersecurity, according to an earlier report on Law.com.
The prevailing thought among the tech companies and the legislators is that the Federal Trade Commission would be the body that governs whatever kind of comprehensive law is passed. The FTC already oversees different privacy related regulations for sectors of industry.
|Improved Prospects for a Federal Law
Thompson Coburn's Shreve indicated that regardless of whether a comprehensive bill on data privacy and cybersecurity would preempt state laws will be an issue of whether a bill gets support, because companies would want a federal law to preempt state laws.
While many companies have spent years preparing for the European Union's GDPR, Hoffman said he hopes that whatever bill would govern cybersecurity in the U.S. is different from the European law.
“We don't need a version of the GDPR,” Hoffman said. “We need a law for the U.S. with our unique culture and ethos of innovation and entrepreneurship.”
While many companies would prefer to see some kind of federal legislation governing cybersecurity and data privacy, there are still reservations.
Shreve, who spent 20 years working in Washington, D.C., as a cybersecurity and data privacy attorney, said he's seen many attempts fail at federal legislation in the realm of data privacy and cybersecurity. He explained that many times those failures are explained by partisanship but that he believes it is overstated.
“I think, on the privacy side, you can end up with people who have very different views coming together and seeing things very similarly,” Shreve said.
Malloy said the challenge in lobbying for a single federal law governing cybersecurity and data privacy is that it is still difficult to get people to see eye to eye on issues such as preemption. In opposition to preemption, 32 states' attorneys general signed a letter to the Committee on Financial Services in March of this year. The letter, which was authored by Illinois Attorney General Lisa Madigan, stated that the states are better equipped to handle data breaches and enforce cybersecurity standards than the federal government is.
“There has to be some coming together and compromise,” Malloy said.
Read more:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllThese Law Firm Leaders Are Optimistic About 2025, Citing Deal Pipeline, International Business
6 minute read'Serious Disruptions'?: Federal Courts Brace for Government Shutdown Threat
3 minute readJudicial Appointments After Casey: Observers Wary but Hopeful Bipartisan Spirit Will Continue
Will Khan Resign? FTC Chair Isn't Saying Whether She'll Stick Around After Giving Up Gavel
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250