Description:
In our latest data privacy podcast, Bill Tolson and special guest Virginia State Senator David Marsden discuss the state of consumer privacy and data security legislation both in the State of Virginia and nationally. Virginia is the third state to pass a consumer privacy protection bill into law. Bill and David go into detail about the bill, how it started, the provisions it includes and if we will ever see Federal-level data privacy legislation.
Speakers
Sen. David W. Marsden
Senator
Virginia Senate
Elected to the Virginia Senate in 2010 in a special election, Senator Marsden has earned a reputation as a hard working legislator who gets things done for Fairfax County and the Commonwealth. Before serving in the Virginia Senate, he served 4 years in the Virginia House of Delegates. Senator Marsden has worked with Democrats and Republicans to pass legislation to relieve traffic congestion, improve education, and create jobs and he brings over 40 years of experience and expertise in the juvenile justice field to the legislature.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to the Information Management 360 podcast. This week's episode is titled The State of Consumer Privacy and Security Legislation. Today, a conversation with Virginia State Senator Dave Marsden. My name is Bill Tolson and I'm the vice president of compliance and e-discovery at Archive 360. As I alluded to in the title, joining me today is Virginia State Senator Dave Marsden, the co-author of the Virginia Consumer Data Protection Act, which was passed into law in 2021 last year, joining an exclusive club totaling three states so far that have passed consumer privacy protection bills into law. The other two being California and Colorado, my state from where I'm speaking today. A huge accomplishment. It's fantastic that, especially Virginia being right near the nation's capital was on this right after California. I think, Dave, it was passed, I believe in March of last year. Is that true?
Senator Dave Marsden:
That is correct. We hurried up the signing of the bill because we heard that a couple of other states were hot on our heels, and wanted to make sure that we were the first state to do what was generally conceived to be the first really workable data privacy act.
Bill Tolson:
Yeah. Yeah. I have some questions specifically about some strange provisions that California put into theirs, but I'll save that for a little bit later. But again, thank you for taking the time to be on our podcast today. I think this is a really important subject. One question to start off with, how long have you been serving in the Virginia Senate?
Senator Dave Marsden:
Well, in the Senate since 2010, but I spent my first four years in the House of Delegates. I won a special election to replace a senator who'd been elected as Attorney General, so I finished the last two years of his term and then have won three terms since.
Bill Tolson:
Fantastic. Yeah, that's great. I was doing some research on the bill, as well as doing a little background on you. I noticed in a Blue Virginia website article, you described your bill as the first omnibus data privacy bill to give consumers control and rights over their data that is held by companies that control and process data. Now, by that you meant, like you stated just a couple of seconds ago, a workable bill, right?
Senator Dave Marsden:
Yeah. That was pretty much it. California was they overloaded their bill with so many things that it's kind of hard to comprehend it and understand it. So we simplified the process. And by the way, just to start off our podcast here with truth in podcasting is I am not a data privacy expert. I was chosen because of my relationship with the people who were interested in getting this move forward. And it was more on the plans I had for how to get it through the legislature than it was for me to have tremendous technical knowledge about how data privacy should work.
Bill Tolson:
Okay. Okay. How long, and I think I know the answer just based on what you just said, but how long had you been working on this bill? Was it something that you'd worked on in other sessions and it just didn't pass or was this kind of new for you in 2021, and you were the best guy to actually get it across the finish line?
Senator Dave Marsden:
Yeah, well, I don't know about best guy, but I had turned in some work in 2020 on this topic, working with the same folks, but we didn't go forward with it because it just wasn't ready at that point. And we needed time in the off season to prep the business community, primarily with the changes were going to be because they would be the most dramatically impacted by it.
Bill Tolson:
Right. I had actually, we just published a podcast last week of an interview I did with Minnesota state representative, Steve Elkins. And he was a co-author of the Minnesota Consumer Data Privacy Act, which didn't pass last year. But he was telling me that the prior session he had worked on one and they never got it to the point to actually introduce. They introduced his in 2021, didn't make it through, and he's already started on 2022's version of it. So, that was something that you had come across. You mentioned the companies with organizations within Virginia needing to know what's going on. For the legislature there in Virginia, was there kind of an overall actor that caused this bill to finally be introduced and passed or was there a kind of a ground swell of requests from data subject, individual citizens, as well as companies to say, we need to do something about this?
Senator Dave Marsden:
No, actually not. Actually it came out of some of the high tech, large companies from the West Coast, Amazon, Microsoft and what have you, who knew that this needed to be done. So they took the lead to create something that they thought could pass. The real goal here was to get something started, get something on the ground that would protect consumer rights and explain to processors and possessors of the controllers of the data, what the rules would be. We came up with a bill that everyone could live with. It was a great start as we experiment with the whole issue of how we protect people's data, how we create a fair environment for people who control and possess it, how we tweak it to make it fair for all different kinds of businesses and private organizations and nonprofits.
Senator Dave Marsden:
It's really a path. And it's a beginning, it's sort of we're now at the end of the beginning, but we're already starting to tweak the law here in Virginia, which we can get into in a few moments. But the whole idea was to get something that was workable. And then I came up with a strategy for how that should be done. And it worked.
Bill Tolson:
That was amazing that, I think it was introduced... you introduced it in like January and it was signed into law in March.
Senator Dave Marsden:
Mm-hmm (affirmative). I did a lot of prep work in December where I sent out an invitation, I can't tell you how many hundreds of people were invited to be on a Zoom call, and I tried to keep the whole thing a little bit light. And the first Zoom call I was met with mostly crickets, because I think the business community who we had to convince to get on board, because otherwise they would've been whispering in the ears of delegates and senators is that we can't do this it's not time, this isn't going to happen. And that would've literally killed the bill.
Senator Dave Marsden:
So after receiving the crickets, I kind of knew what was going on. We held another Zoom meeting and when they came on, I said, "Hey, look right now, we have to do this here in Virginia." I said, "Vermont's responsible for maple syrup. Wisconsin's responsible for cheese. Ohio's responsible for buckeyes, whatever those are. But in Virginia, 70% of the internet comes through the Commonwealth. And that's our job. We need to take a leadership role here, and we need to do something that Congress will take notice of so that we can get them off the dime to do something about data privacy on a national level, which ultimately has to be done."
Senator Dave Marsden:
With that I said, "Now here's the second thing, guys," and there were like 40, 45 people on the call, I said, "Right now, look at this thing as a railroad. And right now your conductors and your engineers are Delegate Cliff Hayes and myself. And you can call this railroad, the Rappahannock and Reasonable." I says, "Next year, if we don't get this bill through, it's going to be a different railroad. It's going to be the Atchison, Topeka and the PRA, which stands for private right of action, which this bill does not have in it."
Bill Tolson:
Yeah. That was one of my follow up questions, but keep going.
Senator Dave Marsden:
Yeah. So at any rate, and you know who's going to lead that. And that would be a prominent trial lawyer in the Senate. So guys, this is your chance to get something on the ground that we all can live with and that we can work on over the years. Interestingly enough, as the bill came forward, we heard almost nothing from data privacy advocates. A few folks showed up at the final full committee hearing to express their concerns, but even Consumer Reports said, this is a pretty good start. It's a pretty good bill. Not perfect, but this is pretty good.
Bill Tolson:
Well, I noticed actually in doing research that Bloomberg Law basically stated in an article that the VCDPA is significantly more succinct than the California Consumer Privacy Act. The Bloomberg legal experts believe that its brevity and clarity may result in your bill becoming a model for future privacy legislation, which I think is very high praise.
Senator Dave Marsden:
Yeah. I think it was. Colorado based theirs on ours. There're some differences.
Bill Tolson:
Yeah.
Senator Dave Marsden:
But there again, no pride of authorship here. We took a lot of it from the state of Washington who had had an unsuccessful attempt. Unfortunately, the state of Washington had trial lawyers in key positions in their legislature, including I believe, the speaker, if I remember correctly. And so they wanted a private right of action, which would've killed the bill in Virginia.
Bill Tolson:
Yeah. That representative Elkins told me the same thing that he had worked very closely with the Washington State folks in taking major parts of their bill. And one of the reasons... I brought up the question about many of these bills, even the Connecticut bill and the New York State bill and others, follow each other pretty closely. And he said, "Well," he said, "That's really a good thing, because we don't want to have 50 wildly different privacy bills that organizations across the country need to figure out how to follow. If Washington State, for example, had good layout then why not keep it so that it's easier for companies." Because, tell me if I'm wrong, but I don't believe I am, companies obviously in other states, collecting data on Virginia citizens are still subject to the bill as well, right?
Senator Dave Marsden:
Well, yeah, under certain circumstances, certainly they are because with the internet, you are doing business in Virginia. But it was a real, real step forward because for the first time people have the ability to tell somebody that they don't want their data used in targeted advertising, they have an opportunity to correct their data, change their data, have it deleted. Those are significant things. And of course now once the bill's in place, there are a lot of folks who have upped the ante, if you will, on their disagreement with the bill, because it didn't go far enough.
Senator Dave Marsden:
And the argument in response to that is pretty simple. It says, hey, where else in the United States right now, other than in California's somewhat convoluted law, where else do people have any rights? We've created those in Virginia. Could we have gone further? Of course. But we sure didn't hear from you folks when we were writing this bill. And when we were talking about this bill, I got very, very little input that said that we can't and shouldn't do this. Mostly we heard from controllers and processors how to tweak the things to make it work.
Senator Dave Marsden:
I'll give you one example of something that we did that was somewhat unique to certain states and United States who have what are called electric cooperatives. You ever heard of those, Bill?
Bill Tolson:
Yeah, yeah.
Senator Dave Marsden:
We have electric cooperatives who are nonprofits, but they have under their umbrella for-profit companies that provide services to their customers. And since we had exempted certain categories of nonprofits, including electric cooperatives, we had to say that their subsidiaries also were exempt from the law. So it was a very interesting process. I had a wonderful team of people who were lawyers and data privacy experts and what have you to guide me through this. And I'm just very pleased with the result that we got.
Bill Tolson:
It sounds like you didn't get a whole lot of pushback from industry, right? From individual companies. Which I originally would've thought they don't like this idea of these kinds of rules, but as you were talking a couple of minutes ago about kind of... I've had this remark from companies as well to basically say, we didn't want to be out in the dark with no direction because then you have lawyers coming after you like crazy, having something on paper that we can say, yes, we are in compliance with this kind of takes their risk down quite a bit. Correct?
Senator Dave Marsden:
I believe it does. Yes. And people want to say, hey, look, we know this is coming, let's guide the process. We've fielded dozens and dozens of calls with suggestions and what have you, and we were very open to amend the bill. And we did in many instances. And we're still in the process of doing that. I have a bill this year that will be updating the data privacy act, which we've given folks plenty of time to adjust to it. Doesn't go into-
Bill Tolson:
Effect.
Senator Dave Marsden:
Yeah, until January 1st of 2023. So it's still got a little bit less than a year to go before it goes live, and we're going to be tweaking it this year.
Bill Tolson:
So yeah, that was one of my questions. You had already alluded to that, that much, and not exactly like California, but they came out a year later with the CPRA, which added additional requirements and focus and added an enforcement department, all kinds of neat stuff, but it sounds like you're going to be adding to the bill or making a new bill with, as you receive more feedback and stuff, more targeted types of focus for potential rights and those kinds of things. I noticed that you have the five basic rights that obviously Colorado and I think Washington did, and that was included in Minnesota's as well. The right to access personal data, the right to correct incorrect data, the right to delete it, the right to be forgotten that people around the GDPR talk about, the right to obtain a copy. And then the right to opt out of processing of personal data for the purpose of advertising, which gets into the idea of, I don't want my data to be used using machine learning or AI. Right?
Senator Dave Marsden:
Yeah. It's one of these things where if I look up something about sailboats, next thing you know, I'm besieged with ads on sailboats. Now that might not bother me and what have you, but other times I might be looking something up just for informational purposes and I'm not interested in getting a 100 ads on it for the next six weeks.
Bill Tolson:
Yeah. It's a little creepy. Yeah.
Senator Dave Marsden:
It is, yeah. They can track you. We put over $500,000 in the budget this year, in the governor's budget to beef up the Attorney General's Office to enforce this. And here's something that I think that a lot of folks have missed who are on the data privacy rights side of the issue, which is a noble thing and we want people's rights to be protected, but with the Attorney General, it doesn't matter if you're wealthy or have access to an attorney or even know how to find an attorney. If you had a private right of action, that favors people who have resources and means and what have you, and leaves the little guy out of the equation. Whereas, having the Attorney General enforce it means that everyone has access to protections that the Attorney General can put in place.
Senator Dave Marsden:
And one of the important things, too, about the bill is, especially here in its early years, is that businesses have an opportunity to correct any mistakes that they've made and what have you, you have a right to fix it, if you will, so that you don't continue to do things. Because some of the problems that businesses are going to have are built into their systems, into the programming, how their systems operate. And so we've got to give them time to say, whoops, sorry, didn't mean that, we got 30 days or whatever, I can't remember what was in the bill, to fix it takes it and have a little bit of grace and forgiveness in this whole thing as we move it on down the road.
Bill Tolson:
Well, that makes a lot of sense because businesses or organizations can't respond overnight on these things because there is a lot of technology involved, which is another subject I wanted to get into a little bit later. But you mentioned the private right of action, which I understand could be a problem. And you and your co-authors wanted to get a bill passed, not just presented and have it shot down. So there are things. One of the things that California called out in their original CCPA was the idea of presumed damages. Have you run across that?
Senator Dave Marsden:
I'd heard about it, but I'm certainly not an expert. I guess that's sort of what in legal terms is similar to res ipsa loquitur, which means that this thing happened to you, it is obviously so egregious, somebody has to be at fault.
Bill Tolson:
Yeah.
Senator Dave Marsden:
It's that kind of thing. So you presume that if your data has been used that it is on its face damaging. It's like what we do in Virginia with firefighters, if you get certain kinds of cancers, it's presumed that it's related to your job.
Bill Tolson:
Right. Right. No, I mean, and that ties closely to California's private right of action. With presumed damages, the fact that if an organization had a breach, I mean somebody got access, but there's no way to tell if my data was taken or somebody else's data was taken or everybody else's data was taken, I believe, and I've had lawyers tell me in California, the fact that a successful breach occurred means that people like me can assume that there will be damages, and that's when the fines start being levied.
Senator Dave Marsden:
Yeah. And-
Bill Tolson:
And the lawsuits start flying.
Senator Dave Marsden:
That is just not going to fly in the state of Virginia. I mean, we're the number one state to do business in in the Commonwealth for like three years in a row. And we're also, we've improved our standing with labor from as a best place to work from like 49 to 23.
Bill Tolson:
Wow.
Senator Dave Marsden:
So we made a lot of progress under Democratic control here in Virginia over the past couple of years. And that's not the case now. We have a Republican governor, Attorney General, lieutenant governor, and the House of Delegates. The Senate is still in the Democratic hands, but you may see a bill on private right of action or something to, like you just talked about, the presumed damage.
Bill Tolson:
Presumed damages. Yeah.
Senator Dave Marsden:
I doubt seriously whether any of that's going to get through the Senate.
Bill Tolson:
Yeah, no, I would assume that companies would, organizations would really push back on that. By the way, the other novel provision that has shown up, this wasn't even in California, this was in a New York bill, I think last year or maybe the year before, the New York Privacy Act called out the idea of processors and collectors having to act as a data fiduciary. I've only seen it in the New York bill. The New York bill did not get passed into law, and that's probably one of the big reasons, because if you can't collect data in a managed way for marketing and sales and stuff like that, why would you collect it at all if you had to act as a data fiduciary? It just would be, I think it would be a mess in court for a long time to come. So obviously I don't think that would ever show up in a Virginia follow on bill.
Senator Dave Marsden:
No. The road to hell is always paved with good intentions, and that's probably well intended, but...
Bill Tolson:
Yeah, yeah.
Senator Dave Marsden:
We need to, and are in Virginia moving on with our second phase of things, we're going to make a... If I can get into this at this time?
Bill Tolson:
Sure. Oh, yes. Yes please.
Senator Dave Marsden:
Talk about some of the changes we're making this year. One of the issues is, think about this for a moment, you're a company who purchases a lot of data and a consumer communicates with you and says, I want my data deleted. I don't want you to have my data. I don't want it released for any other purposes.
Bill Tolson:
Right.
Senator Dave Marsden:
And you say fine, and you release it. Well, three months later, you purchase another set of data and that person's name happens to be on it. Do you have the right to automatically delete that data? Or do you have to wait for somebody to take an affirmative action to get rid of it? We're taking a look at that. It creates some complications. It puts a little bit of a loophole in the bill, but at the same time, it certainly on its face would make sense. Correct?
Bill Tolson:
Oh yeah, yeah.
Senator Dave Marsden:
I don't want you to have my data, and if you keep reacquiring it, I want you to get rid of it. But for somebody to have to take another action, because it's going to be very frustrating to say, hey, those people have my data again, and I didn't... I told them to get rid of it. Well, they've reacquired it. So we're dealing with that. We're also dealing with the fact that, we excluded in the data privacy act, any public databases, and the voter election files in the Commonwealth of Virginia are certainly a governmental database and is exempt. But what happens is, is that political parties take those databases and then they download them, and then they adulterate them, if you will, with information like this person is a strong Republican, this person is a strong Democrat, this person is an independent, we have no information on this person and what have you. So in other words, we take that data and we change it and then it's no longer a government database.
Bill Tolson:
Oh.
Senator Dave Marsden:
It is a political database with unique information that is not on the government base. So we need to create an exemption there so that we can operate the political machinery of the United... or at least the Commonwealth of Virginia in an effective way so that people know how to communicate with people based on information that's been given to a political party.
Bill Tolson:
Right. Does your bill include a requirement for specific consent to be given for data collection?
Senator Dave Marsden:
No. That's an opt in versus an opt out. Basically we have an opt out system. In other words, you have to make a request to take yourself out of the system or to fix something in the system. It isn't a question of, you can just go to a place and say, I don't want anybody using my data anywhere, anytime, any place. Boom. I'm opting out. And opt in means that you have to take an affirmative action to either change or have your data eliminated. And we do not have that kind of a system. And there are people who want that.
Bill Tolson:
Yeah. I mean, in Colorado, as well as the GDPR, the European GDPR. When we put something up on our website, I write a white paper or something and somebody goes in to download it and they've got to give their name and email and what company they work for, those kinds of things, but us collecting that kind of personal data, we have to have a remark there somewhere on the form that says, by downloading this, you're giving consent for your data to be used for a specific purpose. It's not kind of the Wild West where we're going to use it or sell it or do all those kinds of things. But I think having that kind of specific consent, based on actions, you're getting something for free. That's like all the argument with Facebook and Meta, you got access to an application and by downloading it, you're giving consent.
Bill Tolson:
I think, the laws are moving toward, no, you got to give specific consent, not the fact that I inadvertently downloaded your application, but that you asked me that you're giving consent. Correct? And those kinds of things. And I think that's eventually where we will move. But you had mentioned the feds needing to create something. And I know, this last year, 2021, New York Senator Gillibrand, and Kansas Senator Moran had both introduced bills that are relatively close to the kind of bills that you've written and Colorado's written and things like that. Have you had any discussions with, at the federal level, with, number one, gee, we really need a state or a federal bill that potentially would supersede all the state bills to make it easier for everybody involved and what would be required in that federal bill?
Senator Dave Marsden:
I can hardly think of a time where any federal legislator has deigned to ask a state legislator for assistance or guidance.
Bill Tolson:
Oh.
Senator Dave Marsden:
They have their own experts and their own staff. You know I have a legislative... Last year, I had a legislative assistant. That was it. I rely on working with other members of the business community and what have you as my experts to get things done. Thank you very much. We'll use what you've produced in the state. I don't think I've ever seen a situation where they come down and ask you to come up to the hill and help them.
Bill Tolson:
Yeah. That's disappointing, but not surprising. I mean, it's a shame, but that's... Boy, that really is, I think a problem. But you've stated a couple of times, and this is not surprising, that you work with outside organizations, with companies and stuff to draw on their expertise as well, and to get their opinions on things, but you don't want to put out a bill that nobody can meet, right? Or that costs them so much money that forces all their prices up, right? I think there are some privacy advocates that are unhappy with that. That's not realistic. They don't want those greedy businesses having any input, but that's what makes the world go around, is business. So you got to make sure that you're meeting them.
Senator Dave Marsden:
Yeah. Especially in state government with our limited staffs. And we're part-time. We make 18,000 a year in Virginia. We go to Richmond for two months, one year, and then six months the following year, or six weeks the following year, we have just about the shortest sessions in the country. And we rely on relationships that we have with experts in the business world, the nonprofit world, everybody very often dislikes lobbyists, except if it's a lobbyist for money.
Bill Tolson:
Yeah.
Senator Dave Marsden:
Those ones are okay. I had somebody tell me one time that with lobbyists, he says, "How come you're always going to social events and dinner with lobbyists?" And I said, "Look, we have to learn who to trust. They have to know us. We have to know them. We're going to be relying on them because there are hundreds and hundreds of issues that we just don't have time to become experts in. And we don't have staffs to go through all that stuff. And so we do what human beings have done since we crawled out of the ocean, is that we get together and we break bread and we learned about each other and we learned to trust, or we learned to beware."
Bill Tolson:
Yes.
Senator Dave Marsden:
And a person who asked me this question, we were having a breakfast at an IHOP with a group of folks that I used to work with in a previous lifetime, we'd get together a few times a year. And I said, well, and we do it over dinner because it's the same reason we're not doing this at the library. It is, we're having a reunion here and we're doing it over... grabbing something to eat. It's what human beings do. That's what people have to understand. And when people say that, I bet I could map your life, Bill, or Greg's or anybody on the call, and I would find six or seven people in Richmond who represent things you care about. And then be people representing things you don't like. That's America. That's our system. Everybody gets a chance to be heard.
Senator Dave Marsden:
I'm just very, very proud that in Virginia, we've taken a leadership role here and gotten this done. And people in Virginia have protections that are understandable and are going to go into place next year. And other than California's effort, which is laudable, but, I think, troubled in some ways.
Bill Tolson:
Yes.
Senator Dave Marsden:
Is that we've done something important for the country in taking the lead, and even in Congress, they're paying attention. So what happens from here on out, I'm just worried about Virginia, but I hope we become a template for the rest of the country and that some good comes from all of this.
Bill Tolson:
I think Bloomberg did, again, fall back, I can go back to that, they said your bill is extremely succinct. And I believe it's like eight pages long, correct? Something like that. And compared to some of the other bills, the draft bills and California's bills and stuff like that, I mean, they overcook it. And I think you keeping it so succinct makes it easier for businesses to be able to interpret and be in compliance with it.
Senator Dave Marsden:
Yeah. Simplicity is often the best way to go. The problem with simplicity is that people can always come up with anecdotal situations. Well, what about this? And what about this? And what would happen here and what would happen there if somebody did this and somebody did that? That's how you end up with the California law. We will work this out. It'll be worked out through the Attorney General and they'll exercise discretion. They'll exercise the authority we've given them in the bill, which my bill this year will clarify to some extent what their roles and responsibilities are, but we're off to a great start. I'm excited about potential here for the future. This thing will be tweaked long after I'm out of the legislature.
Bill Tolson:
Yeah. Man, hopefully it continues that way. I mean, that would be great. Before we run out of time, Senator, I want to ask something that I've asked several others. It revolves around the actual security requirements for personally identifiable information. And I know a lot of the same language is used in many of the bills. A controller shall establish, implement and maintain reasonable administrative, technical and physical data security. Do you think that in the future we'll eventually get to a more prescriptive requirement? For example, all personally identifiable information must be stored in an encrypted format, or something like that.
Senator Dave Marsden:
Usually the history of landmark legislation like this is that, and because it started out as a fairly succinct piece of legislation, the tendency is to add more prescriptive measures over the years. We're doing a few of them this year. At some point in time you got to know when to say no, because remember, and I don't have a percentage here, but can you imagine how much of the American economy depends on the ability of people who have data to reach out to people to move goods and services and for people to purchase things. And I mean, to shut that down in the name of privacy would be pretty insane. We would have to go back to newspaper advertising and magazines and things would be chopping down forests to create all the paper that we need.
Senator Dave Marsden:
We have an internet future. It's still in the relatively early stages. It's only been what, 20, 25 years we've been engaged in this. We're going through the Facebook fights right now, and I'm sure there'll be fights about data privacy in the future. And things may get more prescriptive. But what we've done is something that I think just about everyone I've talked to, and I've done podcasts and seminars and work groups and newspaper journalistic interviews and what have you, everybody, I think generally has felt by the tone of the questioning I'm getting, there may be some issues here and what have you, but this was a daggone good start to-
Bill Tolson:
Oh, absolutely.
Senator Dave Marsden:
... getting people [crosstalk 00:32:08].
Bill Tolson:
I mean, you really, your state obviously took a major leadership position along with you championing it. And I understand the need to be somewhat kind of flexible in some of the prescriptive requirements. It used to be, not too long ago, it used to be that, for example, with encryption, you say, all data at rest or in transit must be encrypted. That required a lot of computer power to be encrypting and decrypting data all the time. And now, that's really not the case anymore. And I think one of the things that causes this question even to come up is those organizations that are lazy when it comes to data protection, you used to read stories all the time in the Wall Street Journal and in other papers where some low level admin assistant would download a customer database with all of their private information in it, put it on their computer to do work at home on the weekend on it, they put it in their trunk and their car gets stolen. And all of a sudden a million data subjects' personal information is out there. It wasn't encrypted or anything like that.
Bill Tolson:
Those kinds of stupid mistakes is one of the reasons why we're looking at privacy legislation now, but also the misuse of information, but just protecting that data, taking the basic steps. In fact, again, I was talking to Representative Elkins in Minnesota on the podcast about this, and he said, yes, he believes, in all the states he talks to about this, he believes that the prescriptive kind of requirements, like you just said, are going to kind of grow over time as a better understanding and better technology comes out there.
Senator Dave Marsden:
Yeah. I tell you, that was what I relied on, my partner on this bill, Delegate Cliff Hayes, who is more a professional in the IT world. And he was just a steadfast partner and someone I relied on for guidance. We had both decided very early on that we were going to make minimal changes, only when we really had to, because we had to get something through and we couldn't go down that prescriptive road. Because we were bombarded with people who wanted to do that, and still are. There are people we've told no.
Senator Dave Marsden:
But at the same time... I just had a conversation the other day with a gentleman I do business with down in Richmond who represents a certain organization who is looking for an exemption. He has a very good case. I said, "Our team has looked at this and we don't feel it's a good idea at this time, but hey, go talk to somebody and introduce a bill and let's debate it." I don't have anything where I'm going to try to prevent people from being heard. And we'll probably see some data privacy bills this year to tweak the law that we passed. And that's fine. That's the way the system works. Everybody ought to have a right to challenge the existing status quo and have it debated. And I'm sure we'll see some bills this year and that's absolutely fine.
Bill Tolson:
Well, and the other thing, I've actually talked to insurance people about this, the idea of most companies now have to buy cyber liability insurance for all kinds of reasons. And I've asked the insurance industry, wouldn't you lower premiums based on the security measures and wouldn't those security best practice security measures be encryption? Make it a monetary reason to adopt the encryption versus a legal one. I mean, if you want to lower your cyber liability insurance rates, adopt encryption.
Senator Dave Marsden:
Yeah, absolutely. And some things we need to leave to the private sector and the free enterprise system and what have you for people to make their own decisions and take their own actions without us trying to prescribe everything, because there's one truism in the world of legislating, at least in the state, is that there isn't a vote I have ever taken, and I've taken thousands and thousands of votes, that didn't hurt somebody. Even if it's just a resolution honoring somebody for some success they had, there's always somebody who's out there saying, well, what about my success? How come I'm not getting a resolution? Everything hurts somebody. And that's why we have to move slowly and cautiously and put something forward that everybody can work with. Certainly there are folks who are going to say, you just didn't go far enough and you haven't done anything, but hey, those complaints are coming from Virginians, and Virginians have the greatest protections of any other state in the country.
Bill Tolson:
Yeah. I think the way you just described it is a great way to understand it. It's a process over time, because you got to take human nature into effect and all kinds of new things. One of the things I just noticed, I know we're almost out of time here, Senator, I noticed that on December 10th, the Federal Trade Commission filed an advanced notice of proposed rulemaking, basically around privacy and artificial intelligence. And what they're basically saying is they're proposing they start writing these privacy regulations into law at the federal level and not wait for Congress. That might be an interesting way for them to be kind of attacking this.
Senator Dave Marsden:
Yeah. There's an interesting saying when I first got... I ran a state agency back in 2001, I was acting chief deputy and acting director of Virginia's Department of Juvenile Justice. And one of my staff members said, "If you want something enforced, put it in regulation. If you don't want it enforced, put it in the law," because very often, laws don't have anybody to enforce them.
Bill Tolson:
Yes.
Senator Dave Marsden:
But regulations always have a regulatory agency that is there with authority to enforce that regulation. So sometimes it's better to have things in a regulatory process than it is to have it sitting there in the code saying, thou shall not do this. Because that may make you feel good, but if there's nobody to go out there and force that, it's kind of hollow.
Bill Tolson:
Yeah, no, that's a great point. Well, Senator, we've reached our time here. So I think that wraps up the podcast. Want to really thank you for a really enjoyable and educational discussion on this very important subject. If anybody has any questions on the topic or would like to talk to the subject matter expert, please send an email mentioning this podcast to info, I-N-F-O, @archive360.com, and we'll get back to you just as soon as possible. You can also check back. This podcast, obviously if you're finding it either on iTunes or Spotify, will also be to the Archive 360 resources page, and we're posting regular podcasts up there. And the next podcast I believe we will have potentially is the Colorado State Senator [ Mun 00:00:38:37] Dean, the co-author of the Colorado Privacy Act, as a guest. So again, really want to thank you Senator Marsden, and that's it. I really had a great time.
Senator Dave Marsden:
Oh, that's great. Happy new year and good luck with the podcast. I hope you get a lot of viewers and I hope this is part of the process of moving it down the road so that we have better data protection for everyone while still moving our economy forward through digital commerce.
Bill Tolson:
Thank you, sir.
Senator Dave Marsden:
All right. Thank you.