Data, software, applications, and tech hardware continue to drive not just the technology industry, but also the entire global economy. How to keep this data and these systems safe and secure is a top priority of the industry. Public entities can be good partners in these efforts, and can also benefit greatly from a collaboration with private industry on how to keep government data secure. Two of TechNet’s top priorities are to ensure that state and local governments do not make the challenges in this area more difficult and to prevent the scapegoating of industry participants who are being criminally attacked on a routine basis.
This continues to be one of the biggest challenges facing public and private entities in the modern economy. Because of the nature of state statutes and local ordinances, legislation addressing cybersecurity issues can potentially make matters worse by mandating or “sanctioning” static technology. These actions can hamper innovation and make impacted systems easier targets for cyber criminals.
TechNet's state program supports the following principles:
- Cybersecurity should be a risk-based strategy that increases security and resiliency in cyberspace.
- Policymakers should encourage good cyber hygiene, modern technology, and high-skilled cyber workers. Specifically, market-based incentives should be used to encourage companies to actively manage risks in accordance with industry standards and practices.
- Any effort to address cybersecurity should also recognize the significant concerns many U.S. companies and trading partners have with reports of government surveillance activity.
- A comprehensive risk-based cybersecurity strategy should increase the security and resiliency of all networks, and should prepare for and mitigate cyber attacks through the coordination of industry and government.
- TechNet will resist efforts to weaken or undermine encryption services or provide keys to governmental organizations in the name of national security or cybersecurity.
A topic related to cybersecurity, data breach policy focuses on the responsibility and requirements following what is almost always a criminal attack on a public or private entity that has successfully accessed or otherwise compromised consumer data. Public policy in this area should focus on consumer harm and productive, cooperative efforts to reduce the number and impact of data breaches, and should not lose the context that sophisticated criminal enterprises are generally the causes of most significant breaches.
TechNet's state program supports the following principles:
- A single national standard focused on protecting people from financial harm is preferred because it would provide companies and customers with consistent, actionable notice of a data breach.
- Notice requirements that are not related to any prospective harm only burden companies and confuse customers with frivolous notifications.
- Data rendered unusable by encryption, redaction, or any other security method or technology should be considered out of the scope of data breach policy.
- Data breach policy should only impact an entity if its network or system has been breached. Entities should not be held responsible or be required to rectify breaches outside of their control or responsibility.
- The statutory definition of personally identifiable information should be limited to information that, if compromised, could lead to identity theft or other financial harm and should not be expanded without specific and thoughtful deliberation into other data areas such as biometrics and geo-location.
- Hacking and cyber attacks should trigger significant criminal penalties and public safety entities should be provided the appropriate level of resources to help deter, identify, track and punish this criminal behavior established via federal statutes so that there is a cohesive, national framework. Proposals to update statutes should take into account the definition and scope of “hacking” and similar offenses to help ensure that helpful or innocuous activities are not unfairly criminalized.
- Private rights of action, civil penalties, and other tools to encourage litigation, if any, should be extremely limited and focused on intentional or grossly negligent behavior related to the data breach.
- Data breach notification procedures should be aligned with the form and manner of the collection and retention of the accessed data. Consumers are increasingly demanding and utilizing electronic forms of communications. Especially in those cases where the interaction with the consumer was completely digital, companies should be allowed to utilize modern communication tools to increase the effectiveness and efficiency of data breach notices.
The rules governing the handling of digital accounts and assets after the death of the account holder have become a hot topic in state legislatures over the last few years. Millions of citizens struggle with complicated estate matters every year; therefore, TechNet supports clear guidance for the family, heirs, and beneficiaries regarding these accounts. TechNet's preferred approach is modeled in the Privacy Expectation Afterlife and Choices Act and contains the following important policy objectives:
- Harmonize federal and state legal requirements.
- Recognize the important privacy rights of not only the decedent, but also the rights of third parties who have interacted with the decedent, by only releasing communications content with the clear consent of the account holder.
- Limit authority of the estate representative to that which is necessary to administer the estate.
- Provide easy, appropriate access to non-sensitive information.
- Minimize cost, burden, and conflict for the estate and the account providers.
Digital Civil Rights
Digital data and communications deserve the same level of protection as traditional means of communication, correspondence, and personal information storage. TechNet does not support legislative efforts that would compel or permit platforms to voluntarily disclose the personal information of their users without consent or legal process, and specifically supports efforts to require a warrant from government entities seeking digital data.