Recently Apple Inc. confirmed its decision to leave the State Privacy and Security Coalition (SPSC), a group of “comprised of 30 major technology, media, communications, payment card, online security, and retail companies, and eight trade associations” focusing on data privacy laws in the United States. Apple has expressed concerns that the state data privacy legislation backed by the organization doesn't go far enough to protect users’ personally identifiable information (PII).
Privacy advocates have suggested that the SPSC advocates for weaker privacy regulations. Specifically, they indicate that the organization’s interests focus on making the potential state privacy laws more tech-industry friendly, which in turn would make the state privacy laws less likely to protect user PII effectively.
To discuss Apple’s recent actions and its position vis-à-vis the SPSC, it’s important to first understand the current environment for data privacy legislation in the United States.
Archive360's take
I have reviewed many state privacy bills and laws and have found them remarkably similar, i.e., their specific security protections, especially in their provisions around data security. For example:
The latest New York state privacy bill uses the following language to describe data security responsibilities:
Controllers must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the personal data of consumers, including adopting reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data at issue.
The Virginia privacy law states:
The VCDPA requires that businesses establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data," as appropriate to the volume and nature of the personal data at issue.
The 2021 Minnesota privacy bill states:
A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.
.png?width=500&name=Podcasts%20(3).png)
The Utah Privacy law states:
A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data; and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.
And the first state to pass a data privacy law, the CCPA/CPRA from California, states:
A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
As you can see from the above privacy bill and law examples, there seems to be a preference for the term "reasonable" (as well as "appropriate" in many other state privacy bills). Which begs the following question: how would a state Attorney General define and prosecute an organization for not utilizing "reasonable" security practices without specific requirements?
When it comes to specific terms or language, many legislators involved in creating new state privacy bills readily admit that they take content from other state bills to help write their own. What concerns privacy advocates is whether or not the particular language being suggested by the SPSC will result in each state’s privacy law remaining less prescriptive and not diverging much from other state's privacy laws.
Back in June 30, 2021, Archive360 questioned the lack of non-specific security requirement description for PII , with the publication of the blog titled "State Data Privacy Laws Leave More Questions than Answers." In that blog we focused on both the GDPR and California's CCPA privacy laws and probed the use of the term "reasonable."
As a reminder, the EU's General Data Protection Regulation (GDPR) was the first significant privacy regulation with a global reach and fines hefty enough to get the attention of organizations. However, the GDPR does not expressly require specific security practices, such as data encryption or multifactor authentication. Instead, it suggests using encryption technology to raise data security levels. GDPR recital 83 states:
In order to maintain security and to prevent processing in infringement of this regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.
Specifically, the term "such as" implies that encryption is a suggestion rather than a requirement. The question for the GDPR is, why was data encryption not required for PII in transit and while at rest? Encryption technology has been around for decades and could be easily implemented in most data management systems. In fact, the GDPR carves out a benefit when using encryption:
The communication to the data subject referred to in paragraph 1 (breach notification) shall not be required if any of the following conditions are met:
the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
In other words, GDPR Article 34 states the cost (and reputational damage) of breach notification can be avoided if the breached PII is encrypted.
Since the end of 2021, Archive360 has been conducting podcast interviews with US state legislators who have authored their state's privacy bills and laws, including legislators from Minnesota, New York, Virginia, and Utah.
During each of these interviews, I have asked the individual legislators why they steered away from specificity with the use of the term "reasonable" when describing data security requirements. In every case, the legislators have responded that they wanted to ensure that the first iteration of their specific privacy law wouldn't put up technical barriers that would cause difficulty in organizations complying with the new laws. In my opinion, part of the exclusion of more technical requirements was to minimize the potential for pushback, which would reduce the chances of the bill becoming law.
In a couple of the podcast interviews, the state legislators admitted that the laws needed more prescriptive security requirements and would plan on amending the laws to raise the data security requirements in the future.
Reasonable versus prescriptive
One major issue with the state privacy bills and laws is the lack of direction from the federal government. The federal government has not passed a comprehensive consumer data privacy law that would supersede state laws.
The Biden administration did issue Executive Order (EO) 14028 on May 12, 2021, aimed at all federal agencies titled "Improving the Nation's Cybersecurity." The EO instructs them to enhance their cybersecurity and software supply chain integrity. Among other requirements, EO 14028 directs all Federal agencies to adopt secure cloud services, implement zero-trust architectures, mandate the deployment of multifactor authentication, and data encryption within a specific time period.
EO 14028 is a significant first step in adopting common-sense prescriptive data security technology and processes for US federal agencies. But could state legislators adopt some of EO 14028 requirements for future state privacy bills? I believe that they could, over time.
However, as we know, it’s not that simple. Executive Orders are more straightforward - the President didn't face pushback from industry or rely on congress to agree and create the law. On the other hand, state legislators must work with other legislators and lobbyists to craft a privacy law that has a chance of being negotiated and passed.
This challenge brings us back to the original topic of this blog; that Apple decided to leave the State Privacy and Security Coalition (SPSC) over concerns the state data privacy legislation backed by the organization didn't go far enough in protecting users' personally identifiable information (PII). I have not spoken to anyone at Apple about their decision, but my guess is the lack of security specificity played a role. By withdrawing from the SPSC, Apple may be sending the message that not addressing the specific privacy issues now means that companies will need to do it later after users insist on more prescriptive protections.
The corporate members in the SPSC need to push for more specific data security requirements in the state privacy laws they are assisting with. At a minimum, the should provide companies with compliance targets to meet (and know they are compliant) and give the state AGs a defined base from which to prosecute organizations.
.png)
Whitepaper: Why Zero Trust is Important
Osterman Research Whitepaper Why Zero Trust is Important offers direction to decision-makers and influencers on best practices and solutions to support the move to zero trust. Enter your email to receive your copy.
