STATE Policy Agenda

Privacy and Security

Data, software, applications, broadband networks, and hardware continue to drive not just the technology industry, but also the entire global economy.  Government entities can be good partners in these efforts, and can also benefit greatly from direct collaboration with private industry on how to collect, use, and store data responsibly.  Consumers expect, and should expect, to trust the tech sector to protect their data.  One of TechNet’s top priorities is ensuring that state and local governments focus on policies that harness market incentives to drive effective risk management and do not exacerbate harms to victims of criminal hacks.

Priority Issues

Cybersecurity

Cybersecurity continues to be one of the most significant challenges facing public and private entities in the modern digital economy.  The technology industry invests significant resources to protect public safety, guard our operations from interruption and intrusion, and prevent the loss of capital and intellectual property.  Due to the nature of state statutes and local ordinances, legislation and regulation addressing cybersecurity issues can lead to the misallocation of limited resources through mandates that are overly prescriptive or technology-specific.  These actions can hamper innovation and make impacted information systems easier targets for cyber criminals.  Instead, we must protect and promote the ability of the private sector to be fast and agile in detection, prevention, mitigation, and response to ever-changing threats.

The state program supports the following principles:

  • Cohesive and adaptable guidance is preferable to individual state or local mandates to provide consistent, clear standards for companies to follow.
  • Policymakers should encourage good cyber hygiene, modern technology, leading industry practices, and high-skilled cyber workers.  Specifically, market-based incentives should be used to encourage companies to actively manage risks in accordance with widely accepted industry standards and best practices.
  • Encryption is a fundamental technology necessary to protect the security of critical systems and sensitive information.  Governments should not demand changes to technology that weaken encryption.
  • A comprehensive, risk-based cybersecurity strategy should increase the security and resilience of all networks, and should prepare for and mitigate cyberattacks through the coordination of industry and government.
  • Cybersecurity policies should focus on enhancing the confidentiality, integrity, and availability of information networks and data.
  • Security is an ongoing process aimed at managing risks that requires sustained and ongoing investments in people, processes, and technology.
  • The internet is global and requires laws, policies, and regulations to reflect the global nature of the market.
  • Securing widely different internet-connected devices requires flexible security features appropriate to the nature and function of the device to prevent unauthorized remote access.

Data breach

Data breach policy focuses on the responsibility and requirements following what is almost always a criminal attack on a public or private entity that has successfully accessed or otherwise compromised consumer and proprietary business data.  Public policy in this area should be risk-based and focused on the likelihood of actual harm to consumers.

The state program supports the following principles:

  • A single, national standard focused on protecting people from substantial harm is preferred because it would provide companies and customers with consistent, actionable notice of a data breach.
  • Notice requirements that are not related to any prospective harm only burden companies and confuse customers with notifications that are not actionable.
  • Data rendered unusable by encryption, redaction, or any other security method or technology should be considered out of the scope of data breach policy because the risks of harm are not cognizable.
  • Data breach policy should only impact an entity if their network or system has been breached and acquisition of personally identifiable information has occurred.  Reporting requirements that relate to unsuccessful attempts are not risk-based and will waste limited resources.  Entities should not be held responsible for, or be required to rectify, breaches outside of their control or responsibility.
  • The statutory definition of personally identifiable information should be limited to information that, if compromised, could lead to identity theft or other substantial harm.
  • Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and punish this criminal behavior.
  • Private rights of action, civil penalties, and other tools to encourage litigation will reduce the effectiveness of a data breach standard without providing substantive breach protections.
  • Policymakers should encourage good cyber hygiene, modern technology, leading industry practices, and high-skilled cyber workers.  Specifically, market-based incentives should be used to encourage companies to actively manage risks in accordance with widely accepted industry standards and best practices.

Privacy

Many policymakers and interest groups introduce and sponsor legislation targeted at consumer privacy and an individual’s right to access and control their personally identifiable information.  TechNet understands that our member companies place a high priority on consumer privacy, and that the appropriate incentives to protect privacy and operate in a transparent and straightforward manner already exist in federal and state laws.  

The state program supports the following principles:

  • Consumer consent processes should take into account the limitations of specific devices and not be overly burdensome or prescriptive to the consumer or technology provider.  
  • New privacy laws should provide strong safeguards to consumers while also allowing the industry to continue to innovate.  Additionally, new laws should be based upon a uniform set of standards to avoid imposing a patchwork of policies across jurisdictions.
  • Specific requirements on data collection, use, or retention should be narrowly focused on personally identifiable, highly sensitive, or proprietary information.
  • Privacy laws should be limited to specific practices tied to specific harms.
  • Private rights of action, civil penalties, and other tools to encourage litigation should be avoided.

Secure and Safe Repair

TechNet will oppose any legislative proposals that would require original equipment manufacturers (OEMs) to provision independent repair firms in the same manner in which they provision authorized repair providers within their networks because of the potential for troubling, unintended consequences, including serious cybersecurity, privacy, and safety risks; piracy hazards; and barriers to innovation.  Consumers, small and large businesses, public schools, hospitals, banks, and manufacturers all need reasonable assurance that those they trust to repair their connected products will do so safely, securely, and correctly.

  • OEMs and authorized repair firms are uniquely qualified to ensure the secure and safe repair of electronic products.  These firms use OEM-trained technicians and original parts that are backed by the OEMs and their partners with warranties, legally enforceable contracts, quality assurance requirements and other mechanisms that provide strong protections for consumers.

Requiring manufacturers to disclose diagnostic tools, source code, and software developed by the manufacturer at significant cost and to provide access to tightly controlled supply chains to unaffiliated, unvetted third parties may place sensitive information in the hands of malicious hackers, creating a new set of cybersecurity vulnerabilities.
