Cybersecurity Leaders Express Reserved Support for American Privacy Rights Act

WASHINGTON, May 9, 2024- Leaders from major cyber security companies expressed reserved support for the American Privacy Rights Act at a subcommittee hearing on Wednesday. Although the act creates a unified federal approach to safeguarding data, experts question if it is sufficient for a national standard.

After the witnesses shared proposals for strengthening data security, Chair of the Senate Commerce Subcommittee on Consumer Protection Sen. John Hickenlooper, D-Colorado, took the opportunity to ask for constructive criticism over APRA.

The bill, introduced by Senate Commerce Committee Chair Maria Cantwell, D-Wash., with similar legislation by House Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., on April 7, outlines a federal standard for privacy and data protection.

Prem Trivedi, policy director at the New America’s Open Technology Institute, praised APRA for its sound privacy safeguards, including its online civil rights protections and provisions allowing users to view and delete their data.

Trevedi also praised the acts enshrinement of strong Data Minimization principles. Data Minimization would prevent service providers from collecting user data beyond what the service requires.

However, Trivedi expressed skepticism toward APRA for its transfer of preemption authority from the Federal Communications Commission to the Federal Trade Commision. The FTC, he believes, would not have the same specialized capability of regulating service providers as the FCC.

Since its release, multiple interested parties have raised concern over the transfer of the FCCs data privacy authority.

Another witness, Jake Parker of the Security Industry Association, praised the APRA as an improvement over previous legislation. Parker also questioned if it provides a strong enough preemption.

James E. Lee of the Identity Theft Resource Center raised a different concern. Perceiving potential consequences created by attempts at Data Minimization, Lee cautioned the subcommittee to not reduce data to such a point where identity theft inadvertently becomes easier.

Lee also advised improving laws surrounding data breach notifications. Some state data breach laws allow the organizations which received the breach to decide for themselves if a notice of details is given to users. This imbalance between user and provider should be rectified, according to Lee.

Hickenlooper also used the hearing as an opportunity to call on Congress to “step up” in implementing a nationwide standard, with APRA as a framework to build on.

“This should not be a bipartisan issue,” Hickenlooper said, referring to the difficulty of passing divisive partisan issues in an election year.  Hickenlooper reported 3,205 data breaches in 2023 alone, impacting 143 million individuals.

Sen. Marsha Blackburn, R-Tennessee, ranking member of the subcommittee, also used the hearing to spotlight Congress’ inaction. Blackburn said businesses are becoming subject to a “patchwork of regulatory headaches,” due to the increasing number of states adopting independent data security laws.

Blackburn also pointed to the European Union's regulatory policy, General Data Protection Regulation, as another example of Congress falling behind. GDPR is being used as a foundation for regulating AI, according to Blackburn.

Sen. Peter Welch, D-Vermont, raised concerns with the witnesses over the potential for a national standard to hurt small businesses. In response, Trivedi said a national standard should remain flexible enough to accommodate businesses of different capabilities.

Trivedi recommended universally applicable precautions such as "access control," where business can ensure only employees that need access to user data can do so.