Cybersecurity continues to be a blind spot for the United States’ lawmakers; however, Congress has made progress on the subject of data privacy.
A national privacy law that mirrors legislation in the European Union would allow people to access, correct and request the deletion of the personal information collected from them. Congress is currently considering such a bill, although there are several ideas as to the final form the bill should take.
It’s worth remembering that the National Quantum Initiative Act was recently passed, and there is even an argument that such enthusiasm for technology could help fix the impeachment process.
That’s until you remember that for all of the promises of modernism in the chamber, Congress is still stuck in the dark ages as far as cybersecurity is concerned.
Things have got so bad that individuals and companies have had to deal with the resulting problems themselves. The lack of a privacy law to address data privacy and cybersecurity has even seen Facebook having to permanently ban deepfakes.
Privacy Without Security
One has to understand how closely linked privacy and security are. Perhaps the easiest way of doing so is to consider an app that collects location data from its users.
A proposed data privacy law (or one already in force) would ensure that the company behind the app has to tell its users what data is being collected and what it intends to do with that information.
An app that isn’t properly secured gives rise to the distinct possibility that information can be stolen or leaked. In this eventuality, strong privacy policies are of no use.
It’s hard to believe, but this oversight exists in almost all the legislation on data privacy in the U.S. The Consumer Online Privacy Rights Act, for example, has just two of its 59 pages dedicated to cybersecurity requirements for private companies.
Congress’ inability to tackle cybersecurity has left the data of millions of Americans unprotected. Furthermore, that lack of leadership has left many companies ill at ease.
The data protection minefield has meant that those companies are, at best, confused. What should they do when it comes to protecting data from a legal, moral and ethical standpoint?
Website security remains a huge concern for them, but oddly enough, although CEOs remain particularly aware of the problems cybercrime causes, basic precautions are still not taken.
What happens next?
Congress crafting a data security law to cover every private company is almost impossible. For example, any new law would need to take the adoption of cloud storage into account, and that’s just the beginning.
There is an appetite in Congress to address the issues, with a number of data protection laws covering individual industries, but the reality is that they are, at this moment, relatively weak and vague.
Looking to the future, state-level legislation is an option. For example, financial services companies in New York must meet more than 10 specific requirements, which include encryption of nonpublic information, penetration testing, vulnerability assessments, and oversight of service providers' cybersecurity.
Congress could certainly learn something from the lawmakers in the Big Apple. In order to draft and enact the new law, the state convened an expert panel that brought together lawmakers, cybersecurity professionals, and the CEOs of major companies.
Such a panel at the national level could bring together responsibilities that currently are fragmented across a huge number of departments.
Even a basic indication from the government as to what constitutes adequate cybersecurity would be a help and would stop individuals taking cybersecurity into their own hands.
In conclusion, data protection is no longer an issue that Congress can ignore. The House would be damaged almost beyond repair if it should fail to take leadership on one of the most important issues facing the U.S. today.