Is a GDPR-like Cybersecurity Regulation on the Horizon for the U.S.?

Leading up to the enforcement of the European Union General Data Protection Regulation (GDPR) in May 2018, companies all over the world were forced to take a hard look at their data collection and handling practices. Because the law requires privacy protection for the personal data of EU citizens, any company conducting business in EMEA had to revamp its data governance strategies and tactics. Larger companies, in particular, realized that making changes that affected the entirety of their data handling was a simpler and cheaper fix than trying to segment individual portions of databases and networks. That said, when it came time to actually enforce those changes, many U.S. companies decided to maintain separate policies for non-EU citizen data, leaving default opt-in and liberal data sharing practices intact for everyone but EU citizens. Why forfeit the opportunity to monetize consumers’ personal data if it’s not mandatory to do so?

Still, the data breaches keep on coming, and companies are spending millions of dollars on cleanup costs, legal and regulatory fines, and repairing brand damage after a breach. Presumably, companies have calculated the cost-benefit of leaving privacy protection “as is” and decided the return on investment from renovating isn’t worth the effort. Targeted marketing opportunities and fees generated from list sales and rentals are too profitable to abandon, and implementing technology to encrypt, segment, or otherwise add supplemental security controls that reduce the probability of a data breach only eats into profits. The recent Facebook scandals and the investigations into data handling practices at Google and Twitter underscore this point perfectly. For the most part, companies that can make money off of collected consumer data will.

Fragmented data security requirements

With GDPR in the rearview mirror for many U.S. companies, individual state legislatures have stepped up to the plate. The California Consumer Privacy Act (CCPA) of 2018, which takes effect in 2020, is the first of its kind in the U.S. to put consumer privacy before profits. This new regulation follows other data-centric cybersecurity regulations enacted by the State of California, including laws mandating breach disclosure and privacy rights for children. Other states, too, have enacted their own regulations on data collection, usage, and storage, leading to a piecemeal approach to data security for any company interacting with U.S. consumer data. The questions become: Should businesses protect data to the most stringent regulation or gamble on the probability of a breach? Where is the financial tipping point? How much data and network security is already in place? What kind of, and how much, personally identifiable information (PII) does the company process?

There are so many variables—and so many continued large-scale breaches affecting U.S. consumers—that state legislators have been compelled to act. Astute organizations are watching data protection and privacy developments closely. On the one hand, complying with disparate state laws is tricky; on the other, speaking out in favor of stricter regulations invites requirements that are potentially financially and operationally burdensome. A few high-powered CEOs like Tim Cook have spoken publicly in favor of a federal regulation, but it’s worth noting that Apple, unlike Google, Facebook, and the like, does not earn substantial revenue from harvesting PII. Thus, Cook and like-minded colleagues see support for data protection regulation as an opportunity to win public opinion in the wake of the Cambridge Analytica scandal.

Recognizing the writing on the wall, other tech giants including Amazon, Alphabet (the parent company of Google), Microsoft, Lyft, Uber, and Twitter proffered their support to Congress for a federal privacy law. On the surface this sounds like a big win for consumer data privacy. In reality, this attempt, made in early Q4 2018, was meant to temper individual, stringent state mandates such as the CCPA, which will guarantee California consumers the right to learn exactly what personal data is being collected about them, how it’s being used, and for what purposes. In addition, under the CCPA, consumers must be able to opt out of data sharing or sales to third parties, access and download their stored data, and transfer their PII to a competing service without penalty or backlash. Importantly, certain circumstances allow consumers to demand the deletion of their PII and to sue in the case of a data breach.

Data privacy protection won’t be at the heart of new laws

Placing control over data governance into the hands of the government and consumers is not what enterprises had in mind when they lobbied Congress last September. In truth, enterprises’ aims are to:

  • standardize requirements into a softer version that addresses the issue yet continues to allow businesses to collect and use PII as profitably as possible;
  • ensure that any law passed is based on realistic technological capabilities (e.g., preventing a law that would require software companies to write backdoors into encryption).

Seizing control at a national level now lessens the probability that too many onerous or self-defeating changes will be imposed later on. The CCPA is an early indicator of things to come, and enterprises want to ensure they don’t have to navigate disparate or irrational data privacy and breach requirements across multiple jurisdictions. One uniform federal law would preempt states’ mandates, and companies fully understand that the current U.S. administration leans away from strict regulation. Striking while the iron is hot kills two birds with one stone: it creates a data breach and/or privacy regulation that addresses some of consumers’ concerns and adds accountability for a breach, but one that doesn’t necessitate the large-scale technology and process changes that accompany GDPR and (to a lesser extent) the CCPA.

It’s likely that a GDPR-like cybersecurity regulation is on the horizon for U.S. companies, but don’t expect it to treat data protection and privacy as a fundamental human right. Data handling laws may be stricter in the coming years, but U.S. companies and consumers alike have not shown the desire for the type of rigorous policies instituted in the EU. In anticipation of forthcoming regulation, companies may want to evaluate their current data handling processes and embrace the opportunity to eliminate unnecessary data collection, shore up weaknesses in data protection, and curb the over- or misuse of PII that makes a data breach more likely.

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller, a translator, and a liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.