The proliferation of technology in our social fabric has made consumer data ever more accessible to companies, making data security a growing concern. According to a poll conducted by Polling the Nations, 92 percent of respondents wanted the Federal Government to put in a great deal of effort to combat cybersecurity threats. How then, is the government responding?
Where do we currently stand?
While cybersecurity vulnerabilities dominate news cycles, government intervention at the federal level is minimal. The National Institute of Standards and Technology (NIST) creates guidelines for best cybersecurity practices, but they are merely suggestions to help companies reduce cybersecurity risk. Some states have stronger protections, however. The California Consumer Privacy Act seeks to protect Californians’ right to data privacy and goes into effect in January 2020. A set of regulations from the New York Department of Financial Services places cybersecurity requirements on certain financial institutions, requiring them to implement cybersecurity programs and assess risks.
Proposed Federal Legislation in 2019
Cybersecurity can cover many different stages at which a company may interact with personal information. Typically companies engage with one or more of these three activities when engaging with data: data collection, data storage and organization, and data usage and analysis. The bills addressed here cover all of these stages. The Algorithmic Accountability Act of 2019 seeks to address security concerns in how data is used. The Internet of Things Cybersecurity Improvement Act of 2019 and the Data Broker List Act both address the collection and storage of consumer data. The Data Accountability and Trust Act addresses both data storage and the procedures for addressing a breach if it occurs.
The Algorithmic Accountability Act of 2019 seeks to address the problem of bias and discrimination caused by automated decision-making. The act will require security teams to audit their automated decision-making algorithms to prevent such discrimination. Under this proposed legislation, security teams will be required to conduct impact and data privacy assessments on any automated decision-making system used by companies. This might require security teams to disregard certain demographic variables when auditing their automated decision making models, to ensure that decisions based on them are not discriminatory.
The Internet of Things Cybersecurity Improvement Act of 2019 seeks to improve the security of the data collected by IoT devices used by the federal government. This law would impact companies that provide any IoT devices to federal government agencies, as they may be subject to minimum information security requirements.
While device data security is a significant concern, information security among data brokers has recently been under scrutiny. The Data Broker List Act will require data brokers to register annually with the Federal Trade Commission, in addition to meeting minimum requirements regarding how consumer data is acquired. The Data Accountability and Trust Act is more robust and plans to lay out minimum information security requirements, requirements for post-breach audits, as well as civil penalties. Security teams will find themselves having to create internal mechanisms to comply with these requirements if the law goes into effect.
What should security teams be on the look-out for?
The legislation highlighted here is indicative of the general cybersecurity concerns held by the public. Preventing discrimination in automated decision making, improving the security of IoT devices that collect data and strengthening cybersecurity requirements for data brokers are at the forefront of legislative discussions. While these bills have not been enacted into law, security teams should prepare to create more robust procedures in the near future that address these concerns. For organizations that use automated decision-making in any aspects of their business, conducting audits on their algorithms and ensuring that data is responsibly collected will be essential.
Data security will continue to be prioritized as we embrace technology in increasing areas of our lives, and it is inevitable that data collection, storage and usage of personal information is resulting in strengthened procedures and protections. Security teams should be prepared for audits of their information security, and to develop security procedures that can identify breaches in a timely manner for notification requirements.