repeated phone calls and email messages for comment for this article.
Lan Jenson, CEO of Adaptable Security, a non-profit organization dedicated to protecting society from cybercriminals, says there needs to be a compromise between those who want IT regulation and those who believe regulation simply stifles innovation and competition. Furthermore, in the absence of specific regulations, Jenson believes there should be a concerted effort to help smaller and new market entrants address the root problem of data security and privacy.
Several non-profits are working to address the issue, including:
• Jenson’s Adaptable Security, which provides pro bono or at-cost consulting services;
• the Global Cyber Alliance, which offers free cybersecurity toolkits for SMBs; and
• the National Cyber Security Alliance, which offers free informational webinars and is trying to help smaller organizations provide better data security for their users.
Regardless, coming to agreement
on what should be regulated, which authority should be responsible for writing and enforcing the regulations, and
how penalties should be meted out is
likely to be challenging, according to
David Weinberger, a senior researcher
at Harvard University’s Berkman Klein
Center for Internet & Society, and author of Everyday Chaos: Technology,
Complexity, and How We’re Thriving in a
New World of Possibility. “I can certainly
see regulators stepping in, one way or
another,” Weinberger says.
However, the details of how federal regulation of data privacy and security will be applied are unlikely to be resolved in the near term, largely due to multiple competing interests on both sides of the political aisle, explains Grimmelmann.
“I expect this is something we’ll still
be grappling with 10 years from now,”
Grimmelmann says. “If this were a simple left/right political issue, you would
expect that when you have Republicans
in control, they would pass legislation
that they agree on, but they don’t. You
have some Republicans who are highly
libertarian about technology, and some
who are very skeptical about tech. You
have some Democrats who are very
friendly with technology, and others
who are very skeptical about big tech
and its effect on the democracy. And as
a result, you don’t get a simple coalition
in Washington that’s going to say, ‘OK,
you’re in power now, you’re going to
impose our preferred privacy and other
tech regulations’.”
Further Reading
Adaptable Security
https://adaptablesecurity.org/
California Consumer Privacy Act
https://www.caprivacy.org/
Cybersecurity Information Sharing Act
https://www.congress.gov/bill/114th-congress/senate-bill/754
Cybersecurity Enhancement Act of 2014
https://www.congress.gov/bill/113th-congress/senate-bill/1353/text
Federal Exchange Data Breach Notification Act of 2015
https://www.congress.gov/bill/114th-congress/house-bill/555
General Data Protection Regulation
https://eugdpr.org/
Global Cyber Alliance
https://www.globalcyberalliance.org/
National Cybersecurity Protection Advancement Act of 2015
https://www.congress.gov/bill/114th-congress/house-bill/1731
National Cyber Security Alliance
https://staysafeonline.org/
Telecommunications Act of 1996
https://transition.fcc.gov/Reports/tcom1996.pdf
Mark Zuckerberg: The Internet needs new rules. Let’s start in these four areas, The Washington Post, March 30, 2019
https://wapo.st/2R3hYlg
Keith Kirkpatrick is principal of 4K Research &
Consulting, LLC, based in Lynbrook, NY, USA.
© 2019 ACM 0001-0782/19/12 $15.00
eral Data Protection Regulation
(GDPR), which regulates the handling
and privacy of the data of individual
citizens of the EU and the European
Economic Area (EEA), and also addresses the export of personal data
outside the EU and EEA regions. Because multinational companies operate both within the EU and beyond it,
some companies are applying GDPR
rules across all of their customer
base, thereby providing indirect regulatory control to areas such as the
U.S., which does not have a national
regulatory framework covering data
privacy or security.
“Many companies at this point
would be fine complying with GDPR,
with similar rules worldwide, and
many companies, in fact, have done
that,” says James Grimmelmann, a
professor of law at Cornell Tech and
Cornell Law School. However, given
the restrictive nature of some of the
components of GDPR, such as the
requirement that individuals can request erasure of personal data related
to them on any one of a number of
grounds within 30 days of its publication, certain business models may not
be compatible with GDPR.
“It may be that the kind of ad networks that Facebook and Google use simply can’t operate under GDPR,” Grimmelmann says, adding, “it will take a few years to find out whether that’s the case or not.”
While efforts to protect individuals’ privacy and personal data in the U.S. are under way, much of the work being done is at the local or regional level, rather than the federal level. For example, the California Consumer Privacy Act was signed by then-governor Jerry Brown last year and is set to go into effect in January. The Act conveys three main rights to consumers in California: the right to know what information is being collected about them; the ability to tell a business not to share or sell their personal information; and the right to have data protections put in place by companies that collect and store personal data. It should be noted, however, that Californians for Consumer Privacy, the group that initially spurred the legislation, does not appear to be pushing for similar nationwide regulation, and no one from the group responded to