In the November 2022 edition of our business privacy newsletter, you’ll find our take on:
In early November a trio of Republican Senators sent a letter to FTC Chair Lina Khan urging the agency to halt its new rule-making process on commercial surveillance and consumer data privacy. They argued that the FTC was usurping Congress's regulatory authority, that the rules would add needless complexity to the patchwork already created by new state data privacy laws, and that the resulting compliance costs would reduce companies' ability to innovate and disproportionately hurt small businesses.
In theory, the case that FTC’s timing is inappropriate has some merit given that Congress currently has a comprehensive data privacy bill (the American Data Privacy and Protection Act, “ADPPA”) before them. Additionally, control of the House has recently changed hands in Republicans’ favor, which may give the Republicans a greater opportunity to shape its future.
But neither party has shown any particular appetite for action on data privacy laws over the past decade, with each favoring either 'no new regulation' or a watered-down bill that renders the new state laws toothless. The FTC rule-making process is also notoriously slow, and its most useful near-term contribution may be to identify key areas for improvement that should be included in any eventual legislation.
A recent report from security firm Lookout claims a 50%+ annual increase in phishing attacks targeting state, local, and federal employees over the past two years. Analysts suggest the growth is being driven both by adversarial nation-state actors and by financially motivated criminal gangs, who have found targets like state benefits agencies to be easier pickings than an increasingly threat-aware private sector.
The pandemic has increased risk exposure across the entire economy over the last two years, with a growing number of employees working remotely and increasingly relying on personal devices to authenticate with sensitive credentials. That government is poorly prepared and increasingly targeted is borne out by a wide range of research. While state and federal cybersecurity spending has grown over the past two years, much of it remains concentrated among a few agencies and is unlikely to change the status quo in the near term.
In September of this year, California passed its "Age-Appropriate Design Code" into law (modeled after the United Kingdom's 'Children's Code'), requiring online services likely to be accessed by children under 18 years old to comply with heightened privacy requirements. Other states (like NY, PA, and WA) quickly introduced copycat bills, and the Senate Commerce Committee recently advanced the Kids Online Safety Act (KOSA) out of committee, alongside proposed updates to the Children's Online Privacy Protection Act (COPPA). KOSA includes many provisions similar to CA's framework, despite serious concerns about the inherent vagueness of its requirements and the perverse fact that this approach to 'privacy' mandates more intrusive data collection by service providers (for example, verifying every user's age) rather than less.
It may come as a surprise that this is an area of privacy regulation that many privacy advocates oppose. As The Electronic Frontier Foundation (EFF) puts it:
“These bill(s), supposedly designed to protect our privacy, actually require tech companies to collect more data on internet users than they already do.”
Legislators may be eager to be seen as “doing something” about privacy because it is politically popular, while quietly shelving the harder, less headline-friendly consumer privacy rules like those proposed in the American Data Privacy and Protection Act.
Check out our log of where DeleteMe has been featured in the news in November.
CIO & CISO Perspectives
We are excited to meet the CIOs, CISOs, and other senior technology executives gathering to talk about the biggest IT and security issues they'll face in 2023. If you are attending this event in San Francisco and would like to meet up, reach out to our sales team or, even better, come by our table at the event to say hello!
DeleteMe is built for organizations that want to reduce their exposure to risks ranging from threats against executives to broader cybersecurity attacks.