STATE Policy Agenda


OF  10

Privacy and Security

Data, software, applications, broadband networks, and tech hardware continue to drive not just the technology industry, but also the entire global economy.  How to keep this data and these systems safe and secure is a top priority of private industry.  Government entities can be good partners in these efforts, and can also benefit greatly from direct collaboration with private industry on how to collect, use, and store data responsibly.  One of TechNet’s top priorities is ensuring that state and local governments focus on policies that harness market incentives to drive effective risk management and do not exacerbate harms to victims of criminal hacks.


Cybersecurity continues to be one of the most significant challenges facing public and private entities in the modern digital economy.  Due to the nature of state statutes and local ordinances, legislation and regulation addressing cybersecurity issues can lead to the misallocation of limited resources through mandates that are overly prescriptive or technology-specific.  These actions can hamper innovation and make impacted information systems easier targets for cyber criminals.

The state program supports the following principles:

  • Cohesive and adaptable guidance is preferable to individual state or local mandates to provide consistent, clear standards for companies to follow.
  • Policymakers should encourage good cyber hygiene, modern technology, leading industry practices, and high-skilled cyber workers.  Specifically, market-based incentives should be used to encourage companies to actively manage risks in accordance with widely accepted industry standards and best practices.
  • Encryption is a foundational technology necessary to protect the security of critical systems and sensitive information.
  • A comprehensive risk-based cybersecurity strategy should increase the security and resiliency of all networks, and should prepare for and mitigate cyberattacks through the coordination of industry and government.
  • Cybersecurity policies should focus on enhancing the confidentiality, integrity, and availability of information networks and data.
  • Security is an ongoing process that requires sustained and ongoing investments in people, processes, and technology aimed at managing risks.
  • The internet is global and requires laws, policies, and regulations to reflect the global nature of the market.

Data Breach

Data breach policy focuses on the responsibility and requirements following what is almost always a criminal attack on a public or private entity that has successfully accessed or otherwise compromised consumer and proprietary business data.  Public policy in this area should be risk-based and focus on the likelihood of actual harm to consumers.

The state program supports the following principles:

  • A single national standard focused on protecting people from substantial harm is preferred because it would provide companies and customers with consistent, actionable notice of a data breach.
  • Notice requirements that are not related to any prospective harm only burden companies and confuse customers with notifications that are not actionable.
  • Data rendered unusable by encryption, redaction, or any other security method or technology should be considered out of the scope of data breach policy because the risks of harm are not cognizable.
  • Data breach policy should only impact an entity if their network or system has been breached.  Reporting requirements that relate to unsuccessful attempts are not risk-based and will waste limited resources.  Entities should not be held responsible for, or be required to rectify, breaches outside of their control or responsibility.
  • The statutory definition of personally identifiable information should be limited to information that, if compromised, could lead to identity theft or other substantial harm.
  • Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and punish this criminal behavior.
  • Private rights of action, civil penalties, and other tools to encourage litigation will reduce the effectiveness of a data breach standard without providing substantive breach protections.


Many policymakers and interest groups introduce and sponsor legislation targeted at consumer privacy.  TechNet understands that our member companies already place a high priority on consumer privacy, and that the appropriate incentives to protect privacy and operate in a transparent and straightforward manner already exist in federal and state laws.

The state program supports the following principles:

  • Consent processes should take into account the limitations of specific devices and not be burdensome to the consumer or technology provider.
  • Specific requirements on data collection, use, or retention should be avoided or narrowly focused on highly sensitive or proprietary information.
  • Privacy laws should be tailored to limit only specific practices tied to specific harms.
  • Private rights of action, civil penalties, and other tools to encourage litigation should be avoided.  If adopted, they should be tightly focused on intentional or grossly negligent behavior related to disclosures.
805 15th Street,  NW Suite 708 Washington, DC 20005
(202) 650-5100
Privacy Policy