Hello from Portsmouth, New Hampshire!
Another day, another $74 million class-action lawsuit pursuant to a data breach is settled. This time, the defendant was Premera Blue Cross, the largest insurer in the Pacific Northwest. Highlighting just how desensitized we have become to data breaches due to their sheer frequency, Professor Dan Solove tweeted out this funny cartoon. Indeed, you might have also shrugged at the news that 23 million accounts were compromised this week in a hack of CafePress, a custom t-shirt and merchandise company. And you probably did not even blink an eye as you read the headline that insurer State Farm was the target of a “credential stuffing” attack.
As Professor Fred H. Cate, who was my doctoral advisor, put it so succinctly: “breaches are the new normal.” In his op-ed for The Hill, Cate makes the point that “it is no exaggeration to say that despite investing billions of dollars in increased cyber protections, we are incapable of securing any data absolutely.” While offering detailed solutions for policymakers in Washington, Cate also provides some simple, practical recommendations for individuals, such as taking advantage of our right, provided by federal law, to freeze our credit reports without charge.
Speaking of federal law, the Information Technology & Innovation Foundation, a Washington-based think tank, published a report this week on The Costs of an Unnecessarily Stringent Federal Data Privacy Law. It pegged the cost of a U.S. federal law resembling the GDPR or CCPA at potentially $122 billion per year. The study also suggests Congress could pass a more targeted regulation that would include the rights to access, portability, deletion, and rectification, among others, with a price tag of about $6.5 billion per year.
Yet, given the realities of American politics, a federal privacy law still faces significant obstacles on both sides of the aisle. While a broad range of ideas has been put forth — by businesses, industry groups, government agencies, privacy watchdogs, advocates and professionals — the list of proposals with a real chance of survival is narrower. Indeed, forging a political consensus around some of them would seem to be a Herculean (or Sisyphean) task.
For example, it will be difficult for lawmakers to agree on any proposal for a new federal privacy law that contains an explicit private right of action, such as that found in the CCPA, which will allow consumers affected by data breaches to sue the businesses responsible for them. In discussions surrounding federal proposals, however, a private right of action has been called “a non-starter for industry and Republicans.” Much more popular are proposals that would, rather than granting individuals a private right of action, expand the FTC’s enforcement powers, such as in the Information Transparency & Personal Data Control Act (HR 2013).
To take another example, it would also be a challenge for Congress to pass any new privacy law that preempts state law if that preemption would weaken protections currently in place at the state level. Although preemption has been “a top priority for industry,” as The Hill reports, “Democrats insist they won’t approve any law that is weaker than the California one.” Making a similar argument in their article entitled Catalyzing Privacy, scholars Anupam Chander, Margot E. Kaminski and William McGeveran conclude that “California’s outsized role in the U.S. economy, its identity as the home to Silicon Valley, and its history as a regulatory innovator in areas from auto emissions to data security breaches all make it unlikely that the CCPA will be steamrolled out of existence.”
Despite these obstacles, I and other observers still sense that momentum continues to build for a new U.S. federal privacy law. And, whether one gets passed or not, privacy pros can and should have a say in these policy discussions. With that in mind, we must continue to follow these legislative developments, while contemplating and studying the impacts that a new U.S. federal privacy law would have on privacy, competition, economics, and the ever-evolving regulatory landscape of data protection around the globe.
But that can probably wait until Monday. Enjoy the weekend.
Müge Fazlioglu
Senior Westin Research Fellow