EPIC, Consumer Reports Urge National Cyber Director to Consider Consumer Privacy and Promote Prevalent Cybersecurity Practices

On October 31, EPIC and Consumer Reports urged the Office of the National Cyber Director (ONCD) to consider privacy alongside cybersecurity as part of ONCD’s Request for Information on harmonization of cybersecurity regulations, promoting principles such as data minimization. Earlier this year, the White House’s National Cybersecurity Strategy Implementation Plan tasked ONCD with reducing contradictions in cybersecurity regulations. In addition to recommending that ONCD incorporate privacy concepts into its process, the consumer advocacy organizations urged ONCD to immediately begin advancing bare minimum cybersecurity standards that appear in nearly all cybersecurity requirements and best practices (rather than wait until the long task of harmonization for multiple regulations and frameworks is fully completed before promoting such fundamental and commonly-accepted information).

EPIC’s and Consumer Reports’ additional recommendations included emphasizing to agencies that companies subject to multiple sets of cybersecurity requirements should comply with the most rigorous requirements and not be permitted to claim compliance with the most rigorous by satisfying the requirements of the least rigorous, that regulated entities are responsible for unregulated third parties whom they give access to their data and systems (e.g. Target is responsible for its HVAC vendor), that permitting companies to self-certify compliance requires enforcement to ensure the certifications are accurate, and that audits should be independent and thorough.

EPIC continues to call on lawmakers across the country to take up the cause of establishing comprehensive privacy protections and to limit harmful data practices and impose data minimization standards. This includes urging regulators to incentivize stronger industry data security practices and to mandate transparency for consumers when breaches do occur.