Greetings from snowy Portsmouth, NH!
We here at the IAPP managed to make it through Thursday's "bomb cyclone" relatively unscathed, but some of our neighbors on the immediate coast took on extremely high tides. The icy Atlantic Ocean made its way into several local businesses and homes here on the coast, reminiscent of the famous Blizzard of '78. Hopefully the clean up and repairs won't be too expensive and fingers crossed that such a thing won't happen for another 40 years.
Though we're bundled up in what's been a frigid winter so far, we're getting warmed up for what will surely be a busy year in 2018. Of course, implementation of the GDPR is top of mind, but that's not the only thing on privacy pros' radars. Just before the holiday break, the publications team got together to review 2017 and talk about what's ahead in 2018 in the latest Privacy Advisor Podcast. We even set the record straight on proper cliches.
Politico published a really good article this week on why, after the Equifax breach last year, Congress has not moved federal data breach notification legislation forward in the four months since one of the largest breaches in U.S. history. Like other major breaches before it, the fallout included "white-hot" bipartisan outrage, a series of contentious Congressional hearings, and a slew of legislative proposals. All for nought. So far.
But there appears to be some movement behind the scenes. Of course, the devil is in the details. For many companies, navigating 48 separate state laws is cumbersome, time-consuming, and costly. Some state laws are more comprehensive than others, so how should a federal law preempt state laws, if at all? Plus, we're in a deregulatory phase right now, meaning Republicans likely won't want a law that would give more power to federal regulators.
Industry verticals also play a role here. Many in the banking industry, according to the report, want their robust regulations applied to other industries, but the retail industry fears strong rules could hurt small businesses that don't collect as much sensitive data. It also appears that the telecommunications industry, already subject to industry-specific privacy rules, is pushing back.
Sen. John Thune, who chairs the Senate Commerce Committee, said there is not yet "consensus among major stakeholders on data breach and data security legislation." But, according to Politico, there is optimism for 2018. Jason Kratovil, who serves as VP of government affairs for the Financial Services Roundtable, said, "there's a lot of energy being spent trying to get this one right and work toward a legislative outcome that isn't just a product of one committee or one committee's jurisdiction," but rather something that will have "a lot of support from many stakeholders."
Will we see comprehensive federal data breach legislation in 2018? My guess is that we will not. I think there's a greater chance we'll see more massive data breaches, which may, indeed, prompt another round of "white-hot" bipartisan outrage. The question is, will there be a breach big enough to catalyze a federal law and get us out of this cycle?
Either way, privacy pros will be busy navigating those 48 state laws and ensuring their company stays off the front page of The Wall Street Journal.
May your 2018 be breach free.