After Jerry Brown signed the California Consumer Privacy Act (CCPA) paperwork in June 2018, shock waves reverberated throughout Silicon Valley. Lobbyists at the Information Technology Industry Council, a Google-backed think tank, quickly went to work drafting proposals for a federal law that would supersede the stringent California bill.
Twelve states subsequently followed California's lead and passed similar legislation, causing some of the largest tech companies, including Google, Facebook, Apple, Intel, and Microsoft, to clamor for federally-mandated consumer data privacy regulation. Although 15 bills have been proposed in the last year alone, as of September 2019, none have yet to pass. However, it’s only a matter of time before a federal data privacy bill passes. Businesses need to be prepared to make drastic changes to their data gathering and privacy processes, and determine if outside help is needed.
Looking to the future: a law on the horizon
The bills that have been proposed and turned down to-date have common threads running through them, so we can accurately deduce what a future federal data privacy law might look like. Below are the common themes that have appeared in the bills that were proposed but did not pass.
It will give citizens control of their data or the ability to opt out
Consumers want access to and control over their own data. The Data Broker Accountability and Transparency Act was put together in the wake of the Cambridge Analytica uproar, and it directly targeted data brokers – companies that collect consumer data and sell it to third parties. Additionally, this bill would allow US citizens to remove their data from corporate servers.
Another bill, the Consumer Data Protection Act (CDPA) called for the creation of a national “do not track” registry.
It will keep large corporations in check
The American Data Dissemination Act was introduced by Marco Rubio in January 2019 as another opportunity to supplant the current patchwork of state laws. In an effort to keep large, incumbent companies from dominating the space, Rubio's bill called for the FTC to create exemptions for smaller companies.Creating more opportunity among competition should ultimately benefit consumers.
It will create severe punishments for data breaches
Aside from calling for the creation of a “do not track” registry, the CDPA also proposed data breach fines as high as four percent of offending businesses' annual revenue, as well as 10 to 20 years of jail time for negligent executives. The bill also proposed hiring 175 more FTC employees to monitor the sale of private data.
The Corporate Executive Accountability Act, issued in April 2019 by Elizabeth Warren, would affect companies with over $1 billion in annual revenue. Like the CDPA, the bill calls for jail time for senior executives; however, the threshold for incarceration is quite high. According to the proposed bill, senior execs are only liable if a data breach is the result of illegal activity, and prosecutors must prove that these executives were negligent.
Companies need to be prepared for consumers to have more control over their data; they should expect more balanced competition, and to be held accountable if consumer data is left unsecured.
An opportunity for managed service providers
If the United States enacts a federal data privacy law, this change will provide an opportunity for managed service providers (MSPs). As we've already seen in Europe, many MSPs have taken advantage of the GDPR, opting to position themselves as experts in data privacy compliance. These MSPs essentially offer consultancy services, which can include providing clients with data protection officers (DPOs), technicians, and internal auditors. By encrypting data, patching software, and providing auditor checklists, these MSPs help businesses address their GDPR compliance issues.
When MSPs provide their clients with external DPOs, it helps to prevent business conflicts of interest from arising; for example, if a business were to have a sys admin or someone else doing double duty as a DPO, he or she might not want to change their everyday activities—even if it were required for compliance. Hence, it can be more beneficial for a business to use a DPO provided by an MSP than to use an employee from inside their own organization. However, it's important to keep in mind that paying an MSP for DPOaaS (data protection officer as a service) doesn't provide businesses with immunity from data breach fines.
Who is liable?
MSPs can open themselves up to fines, lawsuits, and reputational damage should a breach happen while they're hosting a client's data. However, if an MSP is solely providing their client with software or tips, the responsibility then likely lies with that client. Answers to questions around liability continue to be vague, with the industry paying attention to new precedents as they are set.
Ultimately, we are going to see a shift in two directions: 1.) companies using third-party advisors; 2.) companies owning and taking on liability. Companies and advisors will both be highly dependent on technology solutions to provide the necessary transparency and data security to keep up with future federal regulations. In addition, the solutions relied upon will need the right mix of intelligence and automation to course correct individuals and companies in the moment in response to regulatory changes. Picking the right technology vendor that can keep up with the rapid change ahead will be key.
Companies must start determining their technology stack, as well as their strategy for complying with the impending changes that federal regulation poses, including whether or not to utilize an MSP that specializes in data protection. While there will be a certain level of risk for MSPs, there clearly is a lucrative opportunity ahead for those who are willing to fill this gap. The question is whether utilizing MSPs' services will become companies' preferred strategy for dealing with the federal regulations that are on the horizon.