June 27, 2019

Position Statement on Inclusion of Data Security in Privacy Legislation and Advocating a Risk-Based Approach

Cybersecurity Coalition Position Statement on Inclusion of Data Security in Privacy Legislation

The Cybersecurity Coalition, an organization focused on bringing together leading companies to help policymakers develop consensus-driven solutions that promote a vibrant and robust cybersecurity ecosystem, believes that data security provisions must be included in any privacy legislation. The Coalition supports ensuring that a federal privacy law provides a consistent security baseline that protects all Americans, and urges Congress and state legislatures to incorporate a risk-based approach to the security of personal data into privacy legislation.

Data security is fundamental to privacy. This is demonstrated by the fact that nearly all major privacy laws and regulations – from GLBA to GDPR – include express data security requirements. Privacy legislation – at the federal or state level – without data security provisions will not provide effective protection for consumers. Without security safeguards for personal data, the risks of privacy harms due to accidental data breach or unauthorized access are much greater. An affirmative requirement to secure personal data is distinct from breach notification: security safeguards aim to prevent breaches before they occur, while notification only alerts consumers after a breach has happened.

The Coalition supports consistent personal data security requirements that are as effective, or more so, than existing state laws. Currently, almost half of US states have enacted laws requiring security of personal information held by the private sector. This patchwork of legal requirements provides highly uneven protection to consumers and makes it more difficult for businesses of all sizes to secure their systems. Including reasonable security of personal data as part of federal privacy legislation would improve security outcomes by creating a harmonized approach that holds all participants in the ecosystem to the same, flexible standards. An affirmative legal obligation to establish an information security program also provides greater certainty for businesses regarding enforcement for security than authority based on unfairness.

The cybersecurity industry believes that it is imperative that federal and state requirements for personal data security follow a risk-based approach that is technology and design agnostic, ideally tied to voluntary consensus-based standards. Such an approach should require organizations to implement security processes that are reasonably commensurate with the risks to personal information, such as:

  • Conduct a risk management assessment to identify and understand the organization’s reasonably anticipated security risks and the remediations that need to be made;
  • Implement safeguards including encryption and pseudonymization, authentication, vulnerability management, identity and access management controls, and zero-trust network architecture, as reasonably commensurate with the risks;
  • Maintain comprehensive data security policies and procedures, including measures related to security updates, and incident response and recovery, as appropriate;
  • Establish a vendor management program to ensure that third parties also have sufficient security protections in place; and
  • Reassess security programs on a regular interval to account for an evolving threat landscape.

Moreover, a risk-based program must be flexible enough to accommodate organizations of various resources, the sensitivity of personal information, changes in technology, and shifting threats to data security. It would be preferable to provide companies that effectively implement such a risk-based approach with presumptive protection from liability under the law. We believe that clear, consistent, and meaningful incentives will help organizations of all sizes establish security measures that comply with legal obligations and effectively protect consumers' personal data.

The mission of the Cybersecurity Coalition is to bring together leading companies to help policymakers develop consensus-driven policy solutions that promote a vibrant and robust cybersecurity ecosystem; support the development and adoption of cybersecurity innovations; and encourage organizations of all sizes to take steps to improve their cybersecurity. For more information, visit www.cybersecuritycoalition.org.