Privacy and Security

Consumers expect, and should expect, to trust the tech sector to protect their data.  One of TechNet’s top priorities is ensuring that governments focus on policies that harness market incentives to drive effective risk management and do not exacerbate harms to victims of criminal hacks.

Priority Issues

Privacy

Many policymakers and interest groups introduce and sponsor legislation targeted at consumer privacy and an individual’s right to access and control their personally identifiable information.  TechNet understands our member companies place a high priority on consumer privacy.  The technology industry is committed to privacy protections and securing consumer data, as transparency and the responsible use of data are pillars of the tech sector.  TechNet will advocate for a federal privacy standard that brings uniformity to all Americans regardless of where they live, encourages innovation, and ensures that consumers’ privacy and security are protected.

In absence of a federal standard, lawmakers should look to legislation already passed in other states to create a unified standard and ensure interoperability.  The state program supports the following principles:

• Any consumer privacy bill should be oriented around building consumers’ trust and fostering innovation and competitiveness.
• Consumer consent, where applicable, should focus on sensitive personal information and the data of minors. Should consent be part of a state framework, it should recognize the limitations of software, hardware, and data and not be overly burdensome or prescriptive to the consumer or technology provider.  It should also be flexible and convenient for all users regardless of socioeconomic or disability status.
• New privacy laws should provide strong safeguards to consumers while also allowing the industry to continue to innovate. New laws should be based upon a uniform set of standards to avoid imposing a patchwork of policies across jurisdictions.
• Specific requirements on data processing, including collection, use, disclosure, security, or retention, should be commensurate with the sensitivity of the data.
• Enforcement by a state’s attorney general is preferred, and private rights of action and other tools to encourage litigation must be avoided. A right to cure should be provided, and monetary judgments should be tied to actual harms linked to violations.
• Outright bans, prohibitions, or moratoriums on specific technologies should be avoided.
• State privacy laws should not apply to information already regulated by existing federal privacy laws.
• Privacy laws should not limit consumer access to free, advertising-supported services.
• Legislation should not force data controllers to share consumer data with third parties.
• Privacy laws should not treat data transfers across commonly owned affiliates as third-party transfers.

Key Privacy Stats:

• Failure to pass a federal privacy law would cost our economy more than $1 trillion over 10 years, with more than $200 billion being paid by small businesses.  (ITIF, 2022)
• The enactment of the California Consumer Privacy Act (CCPA) in 2020 has resulted in nearly 200 lawsuits involving companies that sell to customers in California despite being located elsewhere.  (ITIF, 2022)
• The California Consumer Privacy Act created a $78 billion annual economic burden on the U.S. economy.  (ITIF, 2022)
• The average privacy spend of small businesses (250-499 employees) is $800,000.  (Cisco, 2020)

 

Cybersecurity

Cybersecurity continues to be one of the most significant challenges facing public and private entities in the modern digital economy.  The technology industry invests significant resources to protect public safety, guard our operations from interruption and intrusion, and prevent the loss of capital and intellectual property.  Due to the nature of state statutes and local ordinances, legislation and regulation addressing cybersecurity issues can lead to the misallocation of limited resources through mandates that are overly prescriptive or technology-specific.  These actions can hamper innovation and make impacted information systems easier targets for cyber criminals.  Instead, we must protect and promote the ability of the private sector to be fast and agile in detection, prevention, mitigation, and response to ever-changing threats.

The state program supports the following principles:

• Cohesive and adaptable national guidelines for security based on widely accepted standards are preferable to individual state or local mandates to provide consistent, clear standards for companies to follow.
• Policymakers should encourage good cyber hygiene, modern technology, leading industry practices, and high-skilled cyber workers. Specifically, market-based incentives or safe harbors should be used to encourage companies to actively manage risks in accordance with widely accepted industry standards and best practices.
• Encryption is a fundamental technology necessary to protect the security of critical systems and sensitive information. Governments should not demand changes that require backdoors, weaken encryption, or erode other reasonable security measures.
• A comprehensive, risk-based cybersecurity strategy should increase the security and resilience of all networks and end-user devices and prepare for and mitigate cyberattacks through the coordination of industry and government.
• Cybersecurity policies should focus on enhancing the confidentiality, integrity, and availability of information networks and end-user devices utilizing national and internationally recognized standards and data and provide for legal safe harbors to incentivize government and businesses to take steps to ensure that there are policies and procedures in place to protect against network intrusions.
• Security is an ongoing process aimed at managing risks that requires sustained and ongoing investments in people, processes, and technology.
• The internet is global and requires laws, policies, and regulations to reflect the global nature of the market.
• Securing internet-connected devices requires flexible security features appropriate to the nature and function of the device to prevent unauthorized remote access.
• Governments should maintain industry-leading cybersecurity practices and not require businesses to share data that it cannot keep safe and secure from threats.
• Requirements to report cyberthreat intelligence information to the government should be voluntary and include protections that ensure reported information is exempt from Freedom of Information Act requests, cannot be used as the basis for regulatory or enforcement actions, and may not be introduced as evidence in any court proceeding.
• Cybersecurity incident reporting should be compatible with existing federal standards and only require reporting once a covered entity is reasonably certain that a covered incident has occurred. Requirements linked to suspected or threatened incidents will result in excessive costs for businesses and governments without yielding actional information.  Additionally, reporting requirements should not include trade secrets or intellectual property, as that will increase risk for companies.

Data Breach

Data breach policy focuses on the responsibility and requirements following what is almost always a malicious attack on a public or private entity that has successfully accessed or otherwise compromised consumer and proprietary business data.  Public policy in this area should be risk-based and focused on the likelihood of actual harm to consumers.

The state program supports the following principles:

• A single, national standard focused on protecting people from substantial harm is preferred because it would provide companies and customers with consistent, actionable notice of a data breach.
• Notice requirements that are not related to prospective harm only burden companies and confuse customers with notifications that are not actionable. These requirements should be uniform, maintain consistent thresholds for reporting, and provide a reasonable notice timeframe.
• The distinction between an account takeover and a data breach should be explicitly recognized in data breach statutes, with differentiated provisions and reporting methodologies.
• Data rendered unusable by encryption, redaction, or any other security method or technology should be considered out of the scope of data breach policy because the risks of harm are not cognizable.
• Data breach policy should only impact an entity if their network or system has been breached and acquisition of personally identifiable information has occurred. Reporting requirements that relate to unsuccessful attempts are not risk-based and will waste limited resources.  Entities should not be held responsible for, or be required to rectify, breaches outside of their control or responsibility.
• The statutory definition of personally identifiable information should be limited to information that, if compromised, could lead to identity theft or other substantial harm.
• Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and punish this criminal behavior.
• Private rights of action, civil penalties, and other tools to encourage litigation will reduce the effectiveness of a data breach standard without providing substantive breach protections.
• Policymakers should encourage good cyber hygiene, modern technology, leading industry practices, and high-skilled cyber workers.  Specifically, market-based incentives or safe harbors should be used to encourage companies to actively manage risks in accordance with widely accepted industry standards and best practices.
• Companies should have adequate time for internal or external investigations, including by law enforcement, to determine the nature of an incident and whether it constitutes a data breach.

Secure and Safe Repair

TechNet will oppose any legislative proposals that would require original equipment manufacturers (OEMs) to provision independent repair firms in the same manner in which they provision authorized repair providers within their networks because of the potential for troubling, unintended consequences, including serious cybersecurity risks, privacy risks, safety risks, piracy hazards, and barriers to innovation.  Consumers, small and large businesses, public schools, hospitals, banks, and manufacturers all need reasonable assurance that those they trust to repair their connected products will do so safely, securely, and correctly.

The state program supports the following principles:

• OEMs and authorized repair firms are uniquely qualified to ensure the secure and safe repair of electronic products.  These firms use OEM-trained technicians and original parts that are backed by the OEMs and their partners with warranties, legally enforceable contracts, quality assurance requirements, and other mechanisms that provide strong protections for consumers.
• Requiring manufacturers to disclose diagnostic tools, source code, and software developed by the manufacturer at significant cost and provide access to tightly controlled supply chains to unaffiliated, unvetted third parties would place proprietary corporate information and sensitive customer information in the hands of unknown actors, creating a new set of intellectual property rights concerns and cybersecurity vulnerabilities.

Facial Recognition Technology

Facial recognition technology can be utilized in a variety of use cases, many of which can improve security and access for individuals using services online.  Facial recognition technology can enable remote access to essential services, removing location- and mobility-based barriers to access.  In addition, different types of facial recognition technology can be used to stop fraud and protect consumers.

The state program supports the following principles:

• TechNet will oppose any legislation that prohibits or effectively prohibits the use of facial recognition technology.
• Legislation should not reduce access to non-identifiable diverse datasets necessary to train models to reduce bias.
• Policies should recognize the wide variety of use cases for technologies that detect and/or recognize faces or other parts of the human form, and policies should avoid over-regulating visual technologies that do not affect individual privacy.
• Cohesive and adaptable national guidance is preferable to individual state mandates to provide consistent, clear standards for companies to follow. 

Government Requests for Data

 Governments occasionally request data regarding consumers from data controllers.  Consumers’ privacy should not be restricted except in narrowly defined circumstances based on clearly defined laws and standards, and any restrictions should be necessary and proportionate for the relevant purpose.

The state program supports the following principles:

• Disclosure of data should require valid legal process to be served.
• Where valid legal process is not required, government requirements for the disclosure of consumer data should be for deidentified and aggregated data.
• Companies should have the right to push back on overly broad or vague requests and seek attestation about the cause for a request for disclosure.
• Disclosure requirements should not contain arbitrary or unreasonable timelines for disclosure.
• Requirements for company disclosure of data under a non-disclosure order should contain a reasonably and clearly defined expiration date for that order.

Content Moderation

 Online services enable freedom of expression for consumers, and companies have a vested interest in moderating their platforms to create a safe, welcoming online community for users.  To ensure that online services are inclusive, useful, and safe for consumers, online platforms often moderate the content created by third parties.  In order to ensure users understand the rules they are expected to follow, the industry has been at the leading edge of providing greater access and information regarding their moderation policies and practices.

The state program supports the following principles:

• Governments should not restrict or penalize online platforms’ efforts to exercise their First Amendment rights to moderate content on their private platforms.
• Governments must recognize companies’ rights to enforce their terms of service and respond to evolving threats.
• TechNet supports clear, constitutional definitions that are consistent across jurisdictions.
• TechNet supports industry efforts to provide transparency about platforms’ content moderation practices and their efforts to limit and remove harmful content.  These policies should not mandate or prioritize the policing of certain categories of content and should not undermine platforms’ efforts to moderate harmful content.