Bipartisanship Exists: Red or Blue, Data Privacy and Cybersecurity is Something Everyone Can Agree On

With California and New York among states leading the charge for data privacy and cybersecurity regulation and enforcement, the federal government is also showing great interest and bipartisan support toward finally progressing federal cybersecurity regulations. These proposed measures are attempting to increase federal support for efforts by states in the arena of cybersecurity. Many in Congress recognize the role of the federal government to support state and local entities based on their need for resources and training to not only prevent cyber attacks but to also respond to such attacks.

One such bill was introduced with bipartisan support in the U.S. Senate last month. The proposed bill would allow the Department of Homeland Security (DHS) to create a program whereby federally funded “cybersecurity coordinators” would be placed in every state to oversee relationships connecting the federal government, states and local authorities. This program would be run from the Cybersecurity and Infrastructure Security Agency (CISA). These coordinators would essentially act as facilitators to share information on relevant cyber threats and promote awareness of federal resources for preventing cyber attacks with their state and local counterparts. The coordinators would provide further support in response to a cyber attack and any remediation efforts that follow. It is certainly not difficult to see how such a bill at the federal level would allow the relationships between federal and non-federal entities (such as schools and hospitals) to progress more fluidly and efficiently, especially for the undeniable speed required by those entities to remediate a rapidly unfolding cyber attack.

Likewise, the U.S. Senate’s congressional counterpart in the U.S. House of Representatives introduced a bill this month, again with bipartisan support, that would allow DHS to set up a $400 million grant program to help states and their localities fight cyber threats and any potential vulnerabilities. Under this proposed House legislation, CISA would be directed to establish a plan to improve cybersecurity for local governments and create a State and Local Cybersecurity Resiliency Committee to help keep CISA apprised of what jurisdictions need to protect themselves from cyber attacks and breaches.

The news is replete with stories noting the growing threat and actual full scale attacks by hackers over the last several years on state and local governments, often with crippling effect and underestimated financial consequences. Such a bill would be a solid move forward toward giving state and local governments the much needed ability to allocate critical resources and to establish their own cybersecurity readiness framework and response. Check out XPAN’s previous blog post on government-related cyber attacks.

Most recently, U.S. Senator Kirsten Gillibrand announced legislation to confront what the Senator has termed “a data privacy crisis” in the United States. Her proposed legislation would create a Data Protection Agency (DPA) through the Data Protection Act. This to-be-created federal agency would look to protect the data that organizations are collecting on Americans and safeguard their privacy by making sure the data practices of those organizations are fair and transparent. The DPA would be granted not only the authority but also the resources necessary to enforce data protection rules, whether originating from the agency or Congress, and would be given a wide range of enforcement measures. Those enforcement measures could range from civil penalties to injunctive relief and equitable remedies.

Such an agency would encourage data protection and privacy initiatives across all industries, which is a new concept in the United States given it is a jurisdiction that embraces a more siloed approach to data privacy. It would also develop and provide resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the unnecessary collection or overcollection of personal data.

In short, according to the proposed legislation, the DPA would be tasked with three core missions:

  1. Give Americans control over their own data by enforcing data protection rules; 
  2. Work to maintain the most innovative, successful tech sector in the world and ensure fair competition within the digital marketplace; and 
  3. Prepare the American government for the digital age. 

Such an independent agency is arguably long overdue in light of how the United States compares to other advanced economies and where it lags behind those countries in addressing data protection challenges and many other challenges arising from the digital age (e.g., the EU’s General Data Protection Regulation). Just as Americans should be afforded strong and unwavering protections on their freedom, they should likewise be afforded similar uniform protections at the federal level for their personal data and privacy.

All of these proposed legislative initiatives with bipartisan support of course could not come a minute too soon. IBM Security and Ponemon Institute released last July the 2019 Cost of a Data Breach Report that is based on in-depth interviews with more than 500 companies around the world who experienced a data breach between July 2018 and April 2019. The analysis in the study takes into account hundreds of cost factors from legal, regulatory and technical activities to loss of brand equity, customer turnover and the drain on employee productivity. A few salient highlights include the following:

  • the percentage chance of experiencing a data breach within two years was 29.6% in 2019, an increase from 27.9% in 2018;
  • organizations today are nearly one-third more likely to experience a breach within two years than they were in 2014; 
  • the global average cost of a data breach for the 2019 study is $3.92 million, a 1.5% increase from the 2018 study; and 
  • the time it takes organizations to identify and contain a breach, or the data breach life cycle, is 279 days. The 2019 life cycle is 4.9% longer than the 266-day average in 2018.

As such, the longer a breach’s life cycle is, the greater the total cost to the company. With eye-catching numbers like the ones outlined in the study, it is little wonder how critical comprehensive bipartisan federal cybersecurity and data privacy legislation is to the financial and reputational health of our public and private institutions.

XPAN continues to monitor these legislative developments at the federal level. Our experienced team can help both public institutions and private companies assess how current cybersecurity and data privacy regulations impact their organizations and also prepare those organizations on the road ahead in light of the rapidly changing state and federal regulatory landscape. Reach out to our team to learn more!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.