I’ve written a lot over the past months about why we need to have federal law that is the equivalent to GDPR. States are stepping up on data privacy, but we may need something more. Most security folks I talked to agreed with me. We need a federal law.
But I said most, not all. Gabriel Gumbs, vice president of Product Strategy, STEALTHbits Technologies, takes a contrarian view on the need for a federal law. We don’t need one because there are already a lot of other privacy protections enacted right now, even if those regulations are patchworked and not all encompassing.
He’s right. A number of current federal privacy laws address very specific areas of concerns or groups of people. For example, COPPA exists to protect the privacy of children online, FERPA protects the privacy of students, HIPAA protects the privacy of patient data, and the FTC enforces consumer data privacy, to name a few.
Do you see a trend there with these privacy laws already on the books? They are all overseen by a specific agency within the federal government, not by a single government authority. That’s because we don’t have a data privacy authority, whereas the EU countries all do. Without one, it would be very difficult to enforce a federal privacy law. As William Kovacic, a former general counsel, member and chair of the FTC during the Barack Obama and George W. Bush administrations, told the Washington Post on data privacy lawmaking:
In many ways we have an antiquated policymaking infrastructure. It’s a patchwork of controls that have no unifying principles and no unifying institutions to coordinate policy.
Another issue is that we might be generating too much data. Think of all the IoT devices out there and the amount of data produced. Who is responsible for all that information? A discussion from a Brookings article asks a valid question around that point. Our fitness trackers and smart watches, which it used as an example, hold a lot of personal and medical data, the kind of information that is in part covered by HIPAA and would be covered, theoretically, under a data privacy law, depending on which company held the data. But, the article continued, no matter who holds it, it is still all the same information:
It makes little sense that protection of data should depend entirely on who happens to hold it. This arbitrariness will spread as more and more connected devices are embedded in everything from clothing to cars to home appliances to street furniture. Add to that striking changes in patterns of business integration and innovation — traditional telephone providers like Verizon and AT&T are entering entertainment, while startups launch into the provinces of financial institutions like currency trading and credit and all kinds of enterprises compete for space in the autonomous vehicle ecosystem — and the sectoral boundaries that have defined U.S. privacy protection cease to make any sense.
So maybe we don’t need a federal law. These are certainly points to think about, and Gumbs summed it up this way in an email comment:
One overarching federal data privacy law is not necessary in my opinion and a working group of public and private agencies capable of helping both government and private businesses improve their data security practices would be far more beneficial.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba