A new report from The Century Foundation, a progressive think-tank, urges state law enforcement officials to take action on data privacy regulations in the absence of any substantial movement in that direction by the Federal government.
“In this federal vacuum, the states have become—and foreseeably will remain—the primary venue for regulating cybersecurity and consumer privacy in the United States,” writes author Jonathan Mayer.
Mayer suggests that inaction in both Congress and state legislatures should lead state attorneys general (AGs) to strengthen data security and privacy enforcement. He argues that AGs can use unfair competition laws in that effort, and notes they have broader enforcement and monetary penalty powers than the Federal Trade Commission (FTC).
“The simple act of circulating a memorandum to line-level attorneys directing that they should be on the lookout for data security and privacy cases, and that they should vigorously enforce state law in those cases, can have a dramatic effect on the scale and sophistication of regulatory activity,” writes Mayer. He notes that larger states, such as California and New York, have established units within AG offices that handle technology and data privacy matters. Finally, Mayer recommends that state AGs adopt the Federal chief technology officer (CTO) model to bring in more technical expertise on these issues.
Mayer also suggests that states take action to implement cybersecurity safeguards for critical infrastructure by adding conditions to state contracts and using regulatory agencies in that effort. Governors and mayors “could insist on a range of baseline requirements, such as data breach notification, routine security auditing by independent experts, encryption for data at rest and in transit, strong authentication, and routine updates,” he writes.
Mayer points to current Department of Defense and General Services Administration regulations as examples that states can emulate.