Privacy has been a hot political topic over the last couple of months. President Obama proposed, among other things, that Congress enact the following:
- Personal Data Notification and Protection Act, which would nationalize consumer privacy standards and breach notification obligations; and
- Consumer Privacy Bill of Rights, which would give Internet users certain rights to control their data.
He also announced that he was creating a new federal agency called the Cyber Threat Intelligence Integration Center to collect and analyze cyber attacks against U.S. companies and develop and coordinate strategic defenses to those attacks.
These initiatives signal the administration’s belief that there should be a national solution for what we all know is already a national problem: cyber attacks. But expanding the federal government’s role in these areas, as the media has reported here and here and elsewhere, raises some concerns.
The Personal Data Notification and Protection Act and Consumer Privacy Bill of Rights
The proposed PDNPA and CPBR would overrule – lawyers use the word “preempt” – state law. In theory, this seems like a good idea: if the law is uniform, it will be easier to comply with, and it will cost less to do so. And the Administration’s draft Consumer Privacy Bill of Rights – released today – looks promising inasmuch as it incorporates the “fair information practices” of transparency, participation, purpose specifications and use limitations, data minimization, data quality and integrity, security, and accountability and auditing.
But reality may get in the way. Legislation invites lobbying. Lobbying invites political compromise. And political compromise sometimes results in laws that are complex and difficult to apply (see CERCLA for example).
Still, if done right, these national laws could be a benefit to consumers and companies looking for well thought-out and straightforward rules.
Right now, the state of affairs is manageable. Every state, save three, has a data privacy law governing the disclosure of personal information. These laws are not uniform. They apply to different types of information. They require different notice periods to consumers. And some require notice to State Attorneys General, or consumer credit reporting agencies, while others do not.
But, in practice, the differences matter little. The most restrictive state’s law generally controls how a company responds to a breach, just as the most restrictive state’s law generally controls what a company puts in its Internet privacy policy (though the CPBR would alter that, too). The exceptions are relatively easy to account for.
It therefore remains to be seen whether federalization of the legal landscape will be better than the current regime (or will happen at all). The proof will be in the pudding.
Cyber Threat Intelligence Integration Center
The CTIIC, like the federalization of consumer privacy protection laws, also seems like a good idea in theory. It makes sense to have a single agency to analyze cyber threats and coordinate strategy to counter those threats, rather than separate agencies with separate information silos. A single agency can build an institutional memory and respond to attack trends in ways that separate entities realistically cannot – presumably with more speed and coordination.
One concern, however, is that this agency will increase the government’s ability to conduct domestic surveillance (see here, for example). But the force of this concern will, as with President Obama’s proposed federal privacy laws, largely depend on the actual execution of the plan – how the agency will operate in practice. The relatively small team of 50 CTIIC employees will, I suspect, be too busy analyzing and responding to cyber attacks to do much else any time soon.