A view from DC: What does the government shutdown mean for privacy and cybersecurity?

The city is empty. It is an emptiness of many kinds, but the most noticeable today is the lack of people. The park and ride lots are empty out in the suburbs where I live. The streets are deserted downtown during the day. For weeks already they have been deserted at night.

Is D.C. asleep? If so, its dreams are those of its 750,000 furloughed civil servants. They are dreams colored by memories of prior government shutdowns and animated by the feeling that this one could be record breaking. They are fitful dreams, reflecting on a time of uncertainty, with no surety of what waking will bring for the dreamers.

This shutdown is different from prior iterations, not just because of the lack of a clear path to ending it. There are also legally ambiguous risks of permanent layoffs and funding cuts, especially for agencies and programs that are deemed to not align with the administration's agenda.

The disruptions of a lengthy shutdown in the tech policy world are relatively minor when compared with the broader landscape, but they are still palpable.

Some federal agencies are almost entirely shuttered, including the U.S. Federal Trade Commission, the country's most influential privacy enforcer. Within the FTC, the Bureau of Consumer Protection is the hardest hit by furloughs, with only 19% of its staff exempt or around 77 full-time employees.

Except in those cases where harms are deemed exceedingly high, consumer protection matters will be paused, whether in initial investigation, administrative proceedings or pursued in federal courts. All response dates for Civil Investigative Demands and subpoenas will be extended by the number of days the agency is closed due to a lapse in appropriated funding unless there is an FTC order to the contrary. The FTC will not process consumer complaints or respond to Freedom of Information Act requests during the shutdown, as appears to be true of all federal agencies.

For active litigation, the FTC's shutdown plan explains how the Bureau of Consumer Protection will triage pending lawsuits. "In assessing which BCP matters will be pursued during a shutdown, BCP, in consultation with the General Counsel, will carefully review every consumer protection matter (including investigations that are nearing completion), focusing on the cases where there is the highest threat of immediate harm and on cases where the harm is ongoing."

The FTC's are not the only court cases that will be paused. Federal courts across the country are implementing delays to allow for reduced staffing at the Department of Justice.

The status of other privacy enforcers is more complicated.

The Consumer Financial Protection Bureau is not subject to the shutdown as it is independently funded via the Federal Reserve. Though ostensibly still reporting to work, most of the agency's staff remain in a state of limbo as legal challenges to massive staffing reductions at the agency have continued for months.

Similarly, the Office for Civil Rights within the department of Health and Human Services, which enforces privacy and security rules under the Health Insurance Portability and Accountability Act, was already subject to downsizing and restructuring earlier this year. It remains unclear how many staff are assigned to reviewing and investigating HIPAA complaints, but these activities are likely paused under the shutdown.

Although much of the Commerce Department and its many agencies are in a state of shutdown, the International Trade Administration is largely self-funded and thus remains operational. ITA manages cross-border data programs including the EU-U.S. Data Privacy Framework. Relatedly, the Senate-confirmed Members of the Privacy and Civil Liberties Oversight Board remain on active status for the duration of the shutdown, but the staffing of PCLOB overall will reduce from 26 to 8 once appropriated funds are exhausted.

On the cybersecurity side, internal agency cyber teams are generally exempted from furlough as essential employees, though looking ahead, the administration’s proposed 2026 budget would trim an estimated USD1.23 billion in cyber spending across civilian agencies.

The biggest cyber impact is at the Cybersecurity and Infrastructure Security Agency, where prior staffing cuts are being compounded by the shutdown, which will see its staffing reduced to about 35 percent of levels from May 2025.

As the Washington Post reports, 1 Oct. marked an unhappy coincidence for CISA, as the 2015 law shielding companies from liability when sharing cybersecurity threats in industry clearinghouses expired. Proposed budget measures will reauthorize the law, but only when Congress can come to an agreement on the current impasse. This means a lapse in "collective defense" mechanisms.

The longer the shutdown lasts, the more the effects of these reductions could be felt, but much remains uncertain. Like Snow White in her glass coffin, U.S. federal workers sleep on for now, suspended in time. One day soon, a kiss from Congress in the form of a continuing resolution, or even a full budget proposal, will break the spell.

Please send feedback, updates and contingency memos to cobun@iapp.org.

Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.