Strengthening Privacy and Data Protection Policy in the National Cybersecurity Strategy
October 4, 2023
As many as half of US consumers have been affected by data breaches because a company holding their personal information was hacked. That is significantly higher than the global average of just 33 percent of consumers. Although it can be difficult to remedy the harms of identity theft, preventing the underlying breach is in many cases neither difficult nor expensive. The Department of Homeland Security has estimated that 85 percent of data breaches were preventable, and more recently the Internet Society has estimated 95 percent of breaches could have been prevented. Companies must be incentivized to invest in safeguards to protect consumer data with which they have been entrusted—or else multiple breaches each impacting tens or hundreds of millions of Americans will continue to occur every year.
In March 2023, the White House unveiled a National Cybersecurity Strategy that includes a five-pillar plan to work towards a more secure and reliable digital ecosystem. In July 2023, the White House released its Implementation Plan for this strategy. In addition to covering a range of cybersecurity-focused issues, such as disrupting malicious actors online and investing in secure infrastructure, the strategy also makes clear that it is essential to reduce harmful data practices in the marketplace. Many governmental and non-governmental groups have begun to focus on building and supporting the cybersecurity workforce and infrastructure, but EPIC believes that the privacy and data security components of the strategy demand closer attention. In particular, it is important for civil society to have a coordinated action plan to promote better legislative and regulatory standards.
That is why EPIC is launching a new project on Strengthening Privacy and Cybersecurity Standards, with the support of craig newmark philanthropies’ Cyber Civil Defense Initiative. Our goal is to partner with other members of the Cyber Civil Defense to advance important elements of the National Cybersecurity Strategy including:
- Establishing cybersecurity minimum requirements in critical sectors (Strategy Pillar One: Defend Critical Infrastructure); and
- Improving privacy and data security practices in all sectors (Strategy Pillar Three: Shape Market Forces to Drive Security and Resilience).
By advocating in support of stronger minimum cybersecurity requirements to defend critical infrastructure and in support of comprehensive privacy and data security practices that shape market forces to drive security and resilience, EPIC will raise public awareness of threats to online security and will spur the creation of tools to promote privacy and defend our nation’s networks.
Minimum Cybersecurity Requirements to Defend Critical Infrastructure
As part of its work to support the National Cybersecurity Strategy, EPIC will advocate for federal policies that mandate stronger cybersecurity standards to defend critical infrastructure and improve public safety. Where sensitive information such as precise geolocation, communications, health, and/or financial information is at risk the stakes are especially high. Preventing bad actors from harvesting personal data from repositories containing this information is both a cybersecurity and privacy priority, and federal policy must reflect this reality through sensible minimum cybersecurity requirements. These requirements should include annual audits and adherence to basic technical and procedural safeguards, and could be supplemented by education campaigns.
The federal government should impose annual auditing requirements in critical sectors where they are not already required, as California’s Privacy Protection Agency (CPPA) has proposed to do for any business covered by the California Consumer Privacy Act (the comments of EPIC, et al., on the CPPA’s proposed regulations are available here). Even where annual audits are required, compliance can still slip between audits; if audits were less frequent than once per year, the risk of more pervasive and persistent non-compliance with minimum cybersecurity requirements would only grow.
EPIC has already undertaken advocacy to multiple federal regulators in favor of baseline cybersecurity requirements, and will continue to do so. Most recently, EPIC filed Reply Comments with the Federal Communications Commission (FCC) to urge the agency to require baseline data security practices for telecom providers seeking international authorization, including annual cybersecurity audits. In terms of financial data, EPIC has argued that the Consumer Financial Protection Bureau should extend protections at least as strong as the Gramm-Leach-Bliley Act’s Safeguards Rule to protect consumer data. Additionally, data aggregators, tech companies, and other non-financial entities who accept custody of consumer financial information should be held responsible for securing that information against unauthorized use. EPIC submitted similar comments to the Federal Trade Commission (FTC).
EPIC also recognizes that there may be subsets of the population within these critical sectors who are exposed to different cybersecurity vulnerabilities such that baseline cybersecurity best practices might not be sufficient to protect them. Federal policy must not overlook these needs.
Apart from explicit annual requirements themselves, efforts such as the FCC’s workshop on Border Gateway Protocol security, which aimed to improve the security of global internet traffic, and the National Institute of Standards and Technology’s Request for Information on cybersecurity in electric vehicle infrastructure, an ecosystem that serves as an attack vector for geolocation and other personal information, are encouraging indicators that federal policy is moving in the right direction.
Establishing strong minimum requirements for cybersecurity in critical sectors is a necessary step both to protect sensitive data from being breached and to protect public safety, through use of principles such as data minimization and use of mechanisms like encryption. However, consumer interests and vulnerabilities extend beyond critical sectors. Comprehensive legislation and regulatory policy will be necessary to ensure privacy and data security interests are adequately protected.
Comprehensive Privacy and Data Security Practices that Shape Market Forces to Drive Security and Resilience
EPIC will also continue to advocate for strong, comprehensive privacy and data security standards and to push market forces to incentivize better safeguards for the personal data of all Americans. This will require both direct policy advocacy and education through legal filings (e.g. amicus briefs), analysis, and regulatory comments (e.g. on breach notification regimes).
For more than 25 years, EPIC has been urging Congress to enact a comprehensive federal privacy law to protect consumers from exploitative data practices. Most recently, EPIC has supported the American Data Privacy and Protection Act (ADPPA). ADPPA would establish a data minimization regime that limits the collection and use of personal data, extend greater protections to more sensitive data (e.g. health and location information), require algorithmic oversight, and promote accountability through a private right of action in addition to both federal and state enforcement authority.
In terms of indirect methods for shaping market forces, EPIC files amicus briefs in support of corporate liability for cybersecurity deficiencies, and supports consumer information efforts, breach notification regimes, and other regulatory activities. EPIC has filed amicus briefs in support of aggrieved consumers victimized by deficient corporate cybersecurity practices, to facilitate accountability for baseline cybersecurity protections. Cases include a widespread data breach at Marriott and a targeted cryptocurrency theft effectuated by a bribed AT&T employee.
Federal regulators have been paying increasing attention to breach notification rules as well. In its plan to enhance breach notification requirements for telecommunications and VoIP (Voice over Internet Protocol) providers, the FCC proposed that companies only be obligated to report a data breach if there was a likelihood of harm to result from the breach. Consumer advocacy groups including EPIC cautioned the agency against allowing companies to first determine the likelihood of harm resulting from a breach before deciding whether to notify consumers, as that determination process could delay notifications or result in underreporting of threats to consumer privacy and security. In June 2023, EPIC submitted a letter comment to the Securities and Exchange Commission to encourage public incident reporting that both equips consumers to protect themselves from breach-related harms and incentivizes covered entities and their vendors to improve data security practices to avoid the reputational harms of breach reporting. EPIC has also supported the FTC’s proposal to extend the Health Breach Notification Rule to mobile applications and other digital services (such as period tracker apps), not merely direct providers of health services, requiring that they notify consumers when there has been a breach of their data.
More broadly, EPIC submitted robust comments to the FTC as part of its Commercial Surveillance and Data Security Advanced Notice of Proposed Rulemaking, urging the agency to treat deficient cybersecurity measures as unfair or deceptive practices as a means of internalizing the cost of breaches to the companies in the best position to prevent them. We expect a draft rule to be published this fall. EPIC also recently submitted comments commending the FTC for taking enforcement action against Vitagene, a direct-to-consumer genetic testing company that misrepresented its data security practices and stored sensitive consumer health information in publicly accessible Amazon S3 Datastore buckets. In its proposed consent order, the FTC frames “Covered Incident” to include situations in which consumer information is “reasonably believed to have been” accessed or exposed publicly without authorization. EPIC praised the Commission for this definition and encouraged it to build on this concept of a cybersecurity incident in the future, as it reflects the understanding that cybersecurity enforcement should prevent data from being stored insecurely in the first place, not just retroactively address security breaches. EPIC is similarly encouraged by the FCC’s recent Notice of Apparent Liability against Q Link Wireless and Hello Mobile Telecom, charging the companies with deficient authentication practices, putting the security of consumer data at risk.
Overall, by shifting the liability for privacy and security onto product developers and service providers—as the White House strategy suggests—EPIC believes we will begin to see industry-wide changes that result in increased privacy protections and higher cybersecurity standards.
Supporting the Success of the National Cybersecurity Strategy
EPIC believes in the importance of raising public awareness of threats to online security. By advocating for improved business practices and urging regulators to incentivize stronger industry standards, we believe we can help create the tools and digital infrastructure needed to help strengthen America’s networks, promote privacy, and defend national security.
Verizon, 2022 Payment Security Report 82 (Sept. 2022), https://www.verizon.com/business/resources/T38f/reports/2022-payment-security-report.pdf (Verizon has consistently reported that 44 percent or more of organizations fail to maintain PCI DSS compliance between annual compliance validations; most recently more than 56 percent failed to maintain compliance. Verizon did not report this data in 2023.)