Data Inspector

U.S. data privacy regulation advances


The U.S. House Committee on Energy and Commerce has formally introduced an American Data Privacy and Protection Act (ADPPA) which promises to raise the bar in terms of requiring organizations to better manage and protect data.

The current draft covers civil rights protections that limit the use of personal information including biometric data, additional limits on data collection and sharing of personal information, and a right to sue for injuries caused by privacy violations along with a section that reads as follows:

A covered entity shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition.

A bipartisan statement of support authored by Energy and Commerce Committee Chair Frank Pallone (D-N.J.) and ranking Republican member Cathy McMorris Rodgers (R-Wash.), along with Subcommittee on Consumer Protection and Commerce leaders Jan Schakowsky (D-Ill.) and Gus Bilirakis (R-Fla.), suggests it’s now just a matter of time before the core provisions of the ADPPA become the law of the land. As such, that law would supersede the hodgepodge of conflicting data privacy legislation passed by various state legislatures that organizations today need to navigate. In that regard, the ADPPA would at the very least represent a significant step forward in terms of simplification.

There is, of course, a proverbial fly in the ointment. While Sen. Roger Wicker (R-MS), the ranking Republican member of the Senate Science, Commerce & Transportation Committee, has signaled support, the chair of the committee, Sen. Maria Cantwell (D-WA), has signaled through aides that she will advance another version of the bill that adds stronger enforcement provisions.

The ADPPA naturally borrows from the General Data Protection Regulation (GDPR) adopted by the European Union, so many larger organizations that do business in Europe are already in compliance with the bulk of the ADPPA provisions. However, the ADPPA is not as comprehensive or prescriptive as the GDPR, so neither the cost of compliance nor the penalties are as severe.

Nevertheless, there are plenty of organizations in the U.S. that don’t conduct any transactions in Europe, so the ADPPA will require them to make significant adjustments to how data is managed and protected. The truth is that most organizations are not especially good at managing data, much less actually protecting it. All kinds of sensitive data reside in everything from email to spreadsheets that are stored on a wide range of individual endpoint devices. It’s impossible to manage or protect something when there is little to no visibility into how it’s being employed.

The root cause of that problem is that too many organizations tend to perceive data as an asset they own rather than something that has been entrusted to them. Regardless of what the letter of the law might say, individuals increasingly view their personal data as something they essentially allow an organization to use when necessary. Any time there is a data breach, the trust that has been established between that end user and the organization that collected the data is at the very least diminished.

Regulations such as the ADPPA and GDPR are essentially efforts to codify in law not only who owns what data but also to what degree they are responsible for its care. Privacy regulations force organizations to up their cybersecurity game as part of that obligation. Like it or not, that’s generally a good thing for cybersecurity at a time when the current compliance bar for securing data is simply way too low.
