WASHINGTON, May 9, 2024 – Leaders of leading cybersecurity companies discussed the American Privacy Rights Act at a subcommittee hearing Wednesday. Although the law creates a uniform federal approach to protecting data, experts question whether it is sufficient as a national standard.
After witnesses shared their suggestions for strengthening data security, Sen. John Hickenlooper, a Colorado Democrat and chairman of the Senate Consumer Protection Subcommittee, used the opportunity to seek constructive criticism of APRA.
The bill, introduced on April 7 by Senate Commerce Committee Chair Maria Cantwell, D-Wash., and House Energy and Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., outlines federal standards for privacy and data protection.
Prem Trivedi, director of policy at New America's Open Technology Institute, praised APRA's sound privacy safeguards, including online civil rights protections and provisions that allow users to view and delete their data.
Trivedi also praised the law for establishing strong data minimization principles. Data minimization prevents service providers from collecting more user data than is necessary for the service.
However, Trivedi expressed skepticism about APRA's transfer of pre-emptive authority from the Federal Communications Commission to the Federal Trade Commission. He believes the FTC lacks the expertise to regulate service providers in the same way as the FCC.
Since the bill's release, multiple stakeholders have raised concerns about the transfer of the FCC's data privacy authority.
Another witness, Jake Parker of the Security Industry Association, praised APRA as an improvement over previous legislation. Parker also questioned whether it would provide a strong enough first strike.
James E. Lee of the Identity Theft Resource Center raised another concern. Lee recognized the potential consequences of data minimization efforts and cautioned the subcommittee against reducing data to the point where it inadvertently facilitates identity theft.
Lee also advised on improving data breach notification laws. Some state data breach laws allow compromised organizations to independently decide whether to notify users of the details. According to Lee, this imbalance between users and providers should be corrected.
Hickenlooper also used the hearing to urge Congress to “step up” on implementing national standards as a framework to build on APRA.
“This should not be a bipartisan issue,” Hickenlooper said, noting the difficulty of passing partisan issues in an election year. Hickenlooper reported that in 2023 alone there were 3,205 data breaches affecting 143 million people.
Sen. Marsha Blackburn, the ranking Republican on the subcommittee, also used the hearing to highlight congressional inaction. Blackburn said businesses are being exposed to a “patchwork of regulatory headaches” as more states adopt standalone data security laws.
Blackburn also pointed to the European Union's regulatory policy, the General Data Protection Regulation, as another example of Congress lagging behind. According to Blackburn, GDPR is being used as the basis for regulating AI.
Sen. Peter Welch, a Vermont Democrat, expressed concerns to witnesses about the potential for national standards to negatively impact small businesses. In response, Trivedi said national standards should remain flexible enough to accommodate companies of varying capabilities.
Trivedi recommended universally applicable precautions, such as “access controls” that allow companies to ensure that only the employees who need access to user data have access.