The US is Overdue for Stronger, Federal Privacy Legislation

Charles Henderson

EVP, Cyber Security Services, Coalfire

June 12, 2024

If you heard about a nuclear power facility that was misplacing, mishandling, and providing criminal enterprises with radioactive waste, how would you react? How would our government react? What if the vast majority of nuclear plants worldwide engaged in this behavior? This famous (and apt) analogy written by Cory Doctorow almost two decades ago drew a connection between radioactive material and personally identifiable information (PII). 

In the years since, the situation in the US has only become more dire. Seemingly every week another major enterprise experiences a major breach, and while Europe has implemented regulations with steep penalties for non-compliance, the US has made virtually no legislative progress.

I’m in close contact with a lot of CISOs in the Fortune 500 and every one of them knows how to secure their organizations. The problem is that the rest of the company outside the security organization is not incented to make security and privacy a priority. Ultimately, it starts with the board and CEO. One company that has started to make strides in this area is Microsoft. After their notable high-profile security failures, CEO Satya Nadella emphasized his commitment to “Prioritize security above all else.” There are many tactics Microsoft is taking to achieve that goal, but most importantly, they are tying executive compensation to meeting security plans and milestones. Unfortunately, most organizations are not going to be as intrinsically motivated as Microsoft, which is why legislation is now, more than ever, required.

Something has to change. The American Privacy Rights Act (APRA) proposed by Senator Cantwell and Representative McMorris Rodgers is a long overdue step towards holding organizations accountable for the personal information they process. But even still, it’s a step too short. Any meaningful piece of data privacy legislation needs to have steep enough penalties that companies are incented to collect, process, and store the minimal amount of PII for the least amount of time required by their business. Further, we need to have serious conversations about penalties for repeated breaches.

In his piece for Dark Reading, “Is a US Nationwide Privacy Law Really Coming,” Richard Hancock describes the early stages of the APRA draft legislation, and the optimism from the notion of a US federal privacy law. I wholeheartedly agree that this is a positive step forward. Where I urge further scrutiny is how the incentives, positive or negative, would materially alter the behaviors of how US organizations collect, process, store, and secure PII. Legislators must not shy away from the harsh penalties and enforcement mechanisms put in place by our colleagues in the EU. 

The fact of the matter is that every day these mechanisms aren’t in place, individuals suffer. Cybercriminal groups keep getting faster and are increasingly targeting PII; however, companies rarely suffer the worst consequences. Fraudsters often gain data from these breaches, and in 2023 they stole over $1 trillion from their victims. For reference, advertising, a nearly ubiquitous human experience in modern society, won’t hit $1 trillion in global revenue until 2025.

We are far past due on meaningful privacy and security legislation at the federal level in the US, and while the proposed legislation is a step forward, it’s a step far too short.