US Sen. Gillibrand Announces Legislation to Create a Data Protection Agency

Published 17 February 2020
Source: Security Magazine

“As pressure from regulatory compliance increases, businesses must take an increasingly integrated and well-rounded approach to information risk management,” says Steve Durbin, Managing Director of the ISF.

The Data Protection Act (DPA) would create a consumer watchdog to give Americans control and protection of their data, promote a competitive digital marketplace, and prepare the U.S. for the digital age.

Introduced by U.S. Sen. Kirsten Gillibrand, the DPA will have the authority and resources to effectively enforce data protection rules—created either by itself or Congress—and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data. The U.S. is one of the only democracies, and the only member of the Organization for Economic Co-operation and Development (OECD), without a federal data protection agency, says a press release.

The agency will address a growing data privacy crisis in America, as massive amounts of personal information—public profiles, health data, photos, past purchases, locations, search histories, and much more—are being collected, processed, and in some cases, exploited by private companies and foreign adversaries.

The press release notes that in recent years, major data breaches have occurred at banks, credit rating agencies and tech firms, such as the 2017 Equifax data breach and the 2018 Facebook data breach. Additionally, the Federal Trade Commission (FTC) has “failed to enforce its own orders and has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third-parties,” adds the release.

Steve Durbin, Managing Director of the Information Security Forum, says, “As pressure from regulatory compliance increases, businesses must take an increasingly integrated and well-rounded approach to information risk management. There is no way to get around data privacy laws and regulations. Businesses must either comply or pay a stiff penalty. Few jurisdictions, if any, are identical in their regulations, privacy legislation, fraud and breach prevention. Traditional data protection methods may be tough to apply or unusable when it comes to storing or harnessing data in the cloud. Unless you are constantly monitoring the rules, and put tools in place to do so, you might not only be compromising your information, but also your corporate responsibility.”