SIA’s Commitment to Data Privacy: What You Need to Know

SIA's Commitment to Data Privacy, Jan. 24-28, 2022

Presented by the SIA Data Privacy Advisory Board

To mark Data Privacy Week – which the Security Industry Association (SIA) is proud to be a “Champion” of – the SIA Data Privacy Advisory Board is publishing its first monthly update to the security industry. This update will provide readers with news and information about privacy developments, legislative and regulatory activity and advisory board projects and events. Questions and comments about any of the content can be directed to SIA Director of Industry Relations Ron Hawkins at rhawkins@securityindustry.org.

Board Plans for 2022

As the SIA Data Privacy Advisory Board begins its sixth year, its mission is more important than ever: to educate SIA members about privacy and provide practical tips to comply with the myriad laws and regulations that are proliferating.

Privacy’s importance in the delivery and operation of security systems and services drives the Data Privacy Advisory Board’s development of practical materials and events driven by member needs and input. This year, the board will be focusing on the following issues and actions:

  • The need for comprehensive data privacy legislation that supersedes the patchwork of state laws so that manufacturers, integrators and end users understand and can comply with a single regulation. To this end, the SIA Data Privacy Advisory Board will work with SIA’s government relations team to engage lawmakers at both the state and federal levels. Core principles for any legislation include preemption of state laws, exemptions for appropriate security uses, the inclusion of safe harbor provisions and the exclusion of a private right of action.
  • The development of white papers and codes of practice that parse out the many facets of privacy as they affect the technologies and services the security industry develops and delivers to customers around the globe.
  • The sharing of privacy news and expertise through participation in industry events such as ISC West, ISC East and SIA GovSummit, as well as online presentations.
  • Regular communication with SIA members about privacy.

Readers are invited to contribute their thoughts, ideas and questions about privacy. Members of the Data Privacy Advisory Board are looking forward to a productive and interactive year with SIA members as we all work to protect privacy while, at the same time, securing people, places and assets.

FTC Considering Privacy Rulemaking

In 2019, the Federal Trade Commission (FTC) made headlines when it levied its largest penalty ever, $5 billion, on Facebook for deceiving users about its privacy practices. As the nation’s de facto privacy enforcement arm, the FTC recently issued a notice regarding its desire to develop rules for privacy, security and artificial intelligence.

In the notice, the FTC said it was “considering issuing a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses and ensure algorithmic decision-making does not result in unlawful discrimination.” Under Section 18, the FTC can lawfully prescribe “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce.”

In a way, this would be a welcome change to the current and nebulous “rules” under which the FTC brings enforcement actions against companies both small and large. In many cases, such actions are based on the FTC’s interpretation of what constitutes unfair or deceptive practices, leaving companies at a loss to understand what the privacy and security requirements actually are.

However, such rulemaking would add another layer of complexity to compliance challenges faced by businesses, since it would not preempt existing and emerging state privacy laws. The patchwork of privacy rules and regulations already in existence is daunting and does not help either businesses or consumers achieve the needed privacy and security protections.

The solution is for Congress to enact comprehensive privacy legislation that addresses the concerns of all stakeholders through clear and concise language outlining the rules for all entities. Such legislation should preempt the myriad state laws and provide a safe harbor for companies who abide by industry best practices in their security and privacy operations.

Despite the many congressional hearings on the topic and often bipartisan agreement on the need for such legislation, no federal privacy law exists today. And while the FTC may be the appropriate entity to enforce such legislation, leaving the agency to draft and enforce rules that add to, rather than preempt, state requirements will increase confusion and compliance costs, not privacy protections.

Legislative Update

Lawmakers in at least 15 states and the District of Columbia are considering privacy legislation already this year, leading a writer for the International Association of Privacy Professionals to observe on Jan. 20 that “state-level momentum for comprehensive privacy bills is at an all-time high.”

JD Supra, meanwhile, stated on Jan. 18 that privacy proposals are expected to be introduced in at least five additional states and “many states also are considering multiple bills, making the landscape of bills increasingly complicated.”

Three states in particular are regarded by many as key places to watch this year – Florida, New York and Washington.

While the privacy issue can cross party lines, the inclusion (or not) of a private right of action – which allows consumers to sue businesses for privacy violations – in legislation has frequently been divisive and will likely continue to be a determining factor in the success or failure of proposals.

At the federal level, meanwhile, substantive action on privacy anytime soon seems unlikely.

“The politics are so intense in a midterm year, and members of Congress are probably devoting more time toward their reelection campaigns and supporting their own parties,” Mary Hildebrand, founder and chair of Lowenstein Sandler LLP’s privacy and cybersecurity group, told Bloomberg Law. “2023 may be more fruitful, and it would give us another year for states to adopt more laws.”

Data Privacy Advisory Board Update

  • SIA signed on to a Jan. 13 U.S. Chamber of Commerce letter to members of Congress urging them to pass “legislation that equally protects the privacy of all Americans” and set a national standard to supersede the “growing patchwork of state laws [that] are emerging which threaten innovation and create consumer and business confusion.”
  • The Data Privacy Advisory Board will be holding an in-person meeting at ISC West in Las Vegas on Wednesday, March 23. This meeting will be open to non-board members.

Further Reading: Recent Articles of Note

Compliance Week: Gensler Says SEC to Consider New Rules for Cybersecurity, Data Privacy Disclosures, Jan. 25

Excerpt: SEC Chair Gary Gensler laid out potential rule changes he said would strengthen existing cybersecurity hygiene and incident reporting disclosures for financial sector participants; enhance disclosures made to clients and customers regarding data breaches; and enhance existing cyber risk disclosure requirements for public companies, with a goal of increasing the transparency of their cybersecurity practices.

The Washington Post: Google Deceived Consumers About How It Profits From Their Location Data, Attorneys General Allege in Lawsuits, Jan. 24

Excerpt: The complaints also allege the company has deployed “dark patterns,” or design tricks that can subtly influence users’ decisions in ways that are advantageous for a business. The lawsuits say Google has designed its products to repeatedly nudge or pressure people to provide more and more location data, “inadvertently or out of frustration.” The suits allege this violates various state and D.C. consumer protection laws.

Reuters: Cybersecurity and Data Privacy Foresight 2022, Jan. 19

Excerpt: In 2022, as it was in 2021, it is often better to set a high mark for your privacy program if you operate in multiple U.S. or global jurisdictions. Aiming high is likely to better enable your organization to accommodate new laws or regulations, or new interpretations of them.

CNBC: Fines for Breaches of EU Privacy Law Spike Sevenfold to $1.2 Billion, as Big Tech Bears the Brunt, Jan. 18

Excerpt: EU data protection authorities have handed out a total of $1.25 billion in fines over breaches of the bloc’s General Data Protection Regulation since Jan. 28, 2021, law firm DLA Piper said in a report published Tuesday. That’s up from about $180 million a year earlier. Notifications of data breaches from firms to regulators climbed more modestly, by 8% to 356 a day on average.

The Wall Street Journal: Come the Metaverse, Can Privacy Exist?, Jan. 4

Excerpt: “At any given time, the way you move, the way your gait is, the way you’re gazing, your pupil dilation, is giving away information to developers,” she said. All these tidbits could give companies greater ability to deduce users’ traits, Ms. Pearlman said, defying current notions of privacy and security and straining corporate policies to protect them.