Signs of Progress Toward Federal Data Security and Privacy Legislation?

By: Andrea Little Limbago, Chief Social Scientist, Virtru

The U.S. government took significant steps this week to both share and protect federal data. The OPEN Government Data Act was officially signed into law Monday as part of a push toward evidence-based policy making. The law requires “government data assets to be published as machine-readable data.” It also requires each organization to have a Chief Data Officer to institute best practices and oversee data lifecycle management. This law marks an ongoing movement to make non-sensitive government data more accessible for data analysis.

At the same time, not all federal data can be shared, and it remains difficult to protect the vast amounts of federal data from compromise. Not only is a data officer required to streamline the data lifecycle, but this data must also be protected from misuse. To oversee the security of federal data, a bipartisan bill sponsored by William Hurd (R-TX) and Robin Kelly (D-IL) unanimously passed the House yesterday. The Federal CIO Authorization Act of 2019 makes the federal CIO a direct report to the President, and designates the CISO as a direct report to the CIO. Both positions are elevated to presidential appointees.

These two laws are indicative of the broader challenges all businesses increasingly encounter. They need to leverage big data analytics through sharing and transparency while also ensuring the security of the data. Elevating two executive-level security positions is one important step toward protecting data. As Rep. Hurd noted, “From our bank account and credit card numbers to our social security numbers, bad actors across the globe are working around the clock to hack into our digital infrastructure and steal our personal data.” He sees this law as signaling the government’s commitment to protect Americans’ online identities.

This security bill comes on the heels of the year’s first proposed bill, which includes a significant emphasis on election security. Moreover, following a series of proposed legislation last year such as the Data Care Act and SMART IOT Act, coupled with the passage of data protection and privacy laws in California and Vermont, there clearly is a legislative movement toward greater data security and privacy. The bipartisan and unanimous nature of the CIO bill just may signify progress across an even more comprehensive range of security and privacy legislation.

Unlike many other areas of legislative deadlock, there also is strong consensus across a range of interest groups in favor of thoughtful data privacy and security legislation in response to the growing risks. For instance, the World Economic Forum just released The Global Risks Report 2019. Among the decision-makers responding, three-fifths believe the risks associated with the loss of privacy to companies and governments will only expand in 2019. Unfortunately, within the United States, many doubt much legislative progress will actually be made. In a recent survey, 82% of respondents believe Congress should do more to regulate how tech companies collect and share their data, but only 40% believe Congress will actually do more to protect consumer data and privacy.

Despite these low expectations and pessimism, with the OPEN Government Data Act signed into law to institute best data practices, and the unanimous passage in the House of the CIO bill, there is a glimmer of hope that federal progress can be made to advance security and privacy. As Rep. Kelly explained, “I’m glad to see that IT modernization remains a bipartisan priority in this Congress.” This bipartisan support will be essential as the CIO bill heads toward the next test in the Senate. If it successfully passes the Senate, 2019 may be the year Congress makes long-overdue progress toward a federal approach to data and privacy.