By now, companies that collect, process, and store the personal data of consumers are used to a fast pace of state privacy and cybersecurity legal activity. This year, companies should also expect increased activity from federal regulators.
In the past month, two significant proposals were announced that may have significant implications for some companies if the proposals become effective. On April 7, two federal lawmakers unveiled the American Privacy Rights Act (APRA), a national data privacy bill that would likely undercut the patchwork of state privacy laws. On March 27, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) proposed a rule that requires certain businesses to report cyberattacks within 72 hours.
These proposals are subject to change, but companies across a spectrum of industries should keep an eye out for increased movement from federal regulators. Here’s a look at each proposal.
American Privacy Rights Act
To date, the United States takes a sectoral approach to data privacy regulating health data, financial data, and children’s data under various laws. This sectoral approach can be contrasted with the European Union’s General Data Protection Regulation (GDPR), which takes a one-size fits all approach to personal data, although the GDPR differentiates between personal data and sensitive personal data. Examples of sensitive data include a person’s religious beliefs, trade-union membership, biometric data, and health-related data.
The sectoral approach had created a regulatory vacuum with respect to that personal data which falls outside of the sectoral silos. Increasingly in the past five or so years, states have taken action to fill this gap by passing omnibus, comprehensive privacy laws. While states may be laboratories of democracy, they also have become labyrinths of compliance complexity. States started to take diverging approaches to data privacy, offering residents differing rights over their data and other regulatory deviations and inconsistencies.
The APRA seeks to provide consumers in states without a privacy law with rights over their data and to harmonize the state patchwork of privacy laws to ease the compliance burden placed on businesses. Similar to its predecessor from 2022, the American Data Privacy Protection Act (ADPPA), the APRA, in its current form, faces similar obstacles that may prevent passage.
The APRA is centered around the concept of data minimization, which generally requires businesses to only collect and process the personal data needed to provide the services that business provides. Mirroring many state laws, the APRA affords a number of consumer rights, including the right to opt-out of certain data transfers, targeted advertising, and certain processes that involved automated decision making.
Given the APRA may undergo significant amendments, if it moves forward at all, we believe clients should remain focused on building their privacy programs to comply with state privacy laws and monitor the APRA’s likelihood of passage. Clients should understand the approach the APRA takes to regulating data privacy as state legislatures are likely to consider, and pass, laws that mirror this model.
Wide-Sweeping Proposal on Cybersecurity Reporting
CISA, in its recently proposed rulemaking regarding cybersecurity incident reporting, is moving towards a streamlined reporting requirement for entities that fall within the definition of critical infrastructure. Critical infrastructure in the U.S. experienced significant spikes in both physical attacks and cyberattacks. The proposal is aimed at bolstering America’s cyber resilience, the agency said, by identifying patterns in real time, filling information gaps, and informing others who may be affected by a similar attack.
CISA is requiring entities to report "substantial" cyber incidents. These "significant" incidents are those which lead to a loss of confidentiality, integrity, or availability of the entity’s operational systems, processes, and or data. A "substantial" incident also includes situations where an entity can no longer engage in regular business operations.
CISA’s proposal is notable in that it requires covered entities to report a cyber incident to the agency within 72 hours of that entity having a reasonable belief that an incident has occurred. Additionally, covered entities have 24 hours to report that a ransom payment was made in response to a ransomware attack.
The trend-spotting goal of the proposal applies to entities "in a critical infrastructure sector." The agency lays out 16 sectors that range from financial services, health care, energy, and utility, among others. Each sector has its own plan that describes the cybersecurity and physical risks it faces.
CISA estimates there will be approximately 316,000 covered entities potentially affected by the proposed rule. The majority would be considered small entities, the agency stated in its proposal. Small entities include small businesses, not-for-profits, and governmental jurisdictions with populations of fewer than 50,000, according to the proposal.
CISA is seeking public comment through June 3 and CISA expects the final rule to publish in late 2025.
Final Takeaway
Both the CISA proposal on cyber incidents and the proposed comprehensive draft legislation on a federal data privacy act offer plenty for companies to digest in the coming months. Whether these rules and requirements change, companies need to stay aware of how each impacts their business and what’s required from a reporting standpoint.
Companies that have a map in place when it comes to data breaches and incidents will know who they need to notify and when. Otherwise, businesses will be left scrambling to catch up during what can be an extremely high-pressure situation.
For more information, please contact us or your regular Parker Poe contact. You can also subscribe to our latest alerts and insights here.