The Facebook-Cambridge Analytica scandal is the latest of many incidents in recent years that have left consumers jittery about the security of their online personal information. It is also yet another event that shines a bright light on the need for more regulation protecting data.
But while data security becomes an ever more pressing issue for businesses and users, the Trump administration’s anti-regulation fervor has translated into little to no new federal action enforcing it.
What happens when an unstoppable force meets an immovable object? In this case, states are stepping in with their own cybersecurity measures. More than 240 bills were introduced in 42 states last year covering a range of security issues, from improving government practices to restricting public disclosure of confidential information, according to the National Conference of State Legislatures.
Interestingly, the willingness of the states to wade into cybersecurity regulation is both a positive development and a potentially problematic one.
First, let’s explore the good.
Some states are breaking new ground as they force companies to be more accountable for maintaining the security of personal information.
For example, a regulation called 23 NYCRR Part 500 that went into effect in New York in March 2017 established detailed security rules for financial services companies, which of course hold some of the most sensitive customer data.
In California, tough legislation has been introduced that would require any company selling an Internet-connected device to equip it with features that protect it from unauthorized access and to obtain consumer consent before it collects or transmits information.
In Illinois, lawmakers considered a bill requiring public utilities operating in the state to report annually on the vulnerability of the state’s water supply system to cyberattacks.
Such measures show that the states are serving as catalysts for better cybersecurity, with ideas that can be replicated in other states and, hopefully one day, nationally. The situation is analogous to health care policy in the years before Obamacare, when, in the absence of a federal consensus, Massachusetts pioneered its own law aimed at reforming health insurance (which later became a model for the Affordable Care Act).
Some of these state measures seem more in step with efforts in other countries to protect personal data—such as the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25—than with the U.S. administration’s anti-regulation fervor.
But there’s a fly in the ointment in states’ individual action on cybersecurity—the prospect of a patchwork of different laws governing something, the Internet, that knows no geographical borders.
For example, 48 states mandate that private or government organizations notify individuals of security breaches of information involving personally identifiable information. (The remaining two—South Dakota and Alabama—are working on similar rules.) But the laws can be inconsistent and confusing to comply with across the various states.
“For businesses doing business in multiple states, the different and confounding state laws make responding to a data breach in an appropriate, timely and compliant fashion very difficult,” asserted Stephen Embry in an American Bar Association blog post. “This is compounded by the aftermath of a breach being filled with the uncertainty, concern, and even panic that any emergency brings. Add to that the multiple competing interests in such a situation, and the opportunity for a wrong decision with significant consequences is magnified many times over.”
Some worry about even more serious, constitutional issues.
A nationwide assortment of state cybersecurity regulations “raises the issue of whether such regulations violate the U.S. Constitution’s ‘dormant’ Commerce Clause, which restricts states’ ability to discriminate against or unduly burden interstate commerce,” write Matthew A. Schwartz and Corey Omer for the Clearing House, a banking and payments trade group.
All this said, with scant new regulatory activity on the horizon at the federal level, siloed statutes at the state level are a whole lot better than nothing. Let’s just hope that the innovation taking place at the state level eventually finds its way into the uniform, national set of policies that we really need.
Greg Arnette is the director of data protection platform strategy at Barracuda, a Thoma Bravo company. Previously, he was founder and CTO of Sonian, a cloud archiving company that was acquired by Barracuda in November 2017.