
During Joe Biden’s tenure as president, the United States has dedicated much needed attention to cyber and cyber-related technological issues with national security implications that have languished for far too long in the background.  To its credit, the Biden Administration has updated the United States’ National Security Strategy and National Cybersecurity Strategy, as well as the Department of Defense’s (DoD) 2023 Cyber Strategy.  Additionally, the Biden Administration has been particularly attentive to such issues as bolstering the nation’s cybersecurity, improving the cybersecurity of critical infrastructure, software liability reform, harmonizing cyber regulations, strengthening supply chain security, and artificial intelligence.  Indeed, this sustained national-level concentration on these issues has been a positive development in acknowledging how cyber is tightly intertwined with all facets of society, including public and private interests.

While it is promising to see that these areas are being addressed at the highest levels of government, there is still one glaring omission that has yet to be treated with the same level of seriousness by the Executive Office – data privacy.  The United States has various laws at both the state and federal levels that address different aspects of data privacy.  Healthcare’s HIPAA Privacy Rule and the financial sector’s Gramm-Leach-Bliley Act are two such examples.  Yet despite some sector-specific legislation in place, the United States has no comprehensive national law like Europe’s General Data Protection Regulation (GDPR) that protects individuals and their sensitive data and ensures that the organizations that collect, process, and store such data do so in a responsible and accountable manner.

For the United States, it would seem at first blush that such protections should be a no-brainer, especially given that its Bill of Rights, one of the three cornerstone founding documents (along with the Declaration of Independence and the Constitution), legally established guaranteed civil rights and liberties for the individual.  Fast forward to today’s interconnected environment, and it would be logical to assume that such fundamental rights and protections would extend to the digital space with similar safeguards in place.  This has taken on immense importance as the sensitive personal and financial data of citizens are vulnerable to an array of threats, ranging from threat actors intent on stealing and exploiting such data to organizations failing to ensure that their systems and networks are properly set up and secured to prevent such malfeasance.

According to a report by the Identity Theft Research Center, 2022 had the second highest number of data compromises in the United States in a single year.  Per the report, there were more than 1,800 reported breaches impacting approximately 422 million individuals whose sensitive personally identifiable information (PII) was exposed to unknown threat actors.  To provide some perspective, over the same time period there were around 4,100 data breaches worldwide, putting nearly 22 billion records at risk.  Based on such statistics, it is no surprise that the United States has consistently ranked in the top five countries victimized by data breaches.  This translates into tremendous opportunity for threat actors seeking to exploit such information for a variety of nefarious purposes.  Sadly, efforts like Data Privacy Day, an international event designed to drive awareness and promote privacy and data protection, are just not sufficient to ameliorate the current data privacy void in the United States.

The culture and mindset of data privacy need a substantial readjustment in the United States, and it needs to start at the top.  If a government’s main job is to ensure the security of its citizens, then the U.S. government needs to extend this principle to the digital space, where citizens’ economic and physical security has been continuously compromised by rampant data theft.  And though people have benefited from online interaction with businesses and government, this evolution has created more opportunities for them to be targeted on either end of an online transaction.  The fact that there has been no government leadership in this area is disconcerting given that there have been enough data breaches in the United States that four out of five Americans have had their private information exposed at least once.  Worse, a 2023 Pew Research Center report found that the public does not understand what companies do with their data, with most believing that they had little to no control over what either companies or the government did with their data.  Such a lack of transparency and accountability is not consistent with the principles on which the government was founded.

According to a 2023 Cisco privacy report, 66% of those individuals surveyed viewed laws such as GDPR favorably, indicating that there is an appetite for laws that put the consumer first, with the majority believing that the government should be spearheading national-level efforts.  And while many countries have some semblance of data privacy legislation, very few, including the United States, have comprehensive, robust data privacy legislation like the GDPR.  If the U.S. public, which largely isn’t satisfied with the federal government’s efforts so far, is clamoring for citizen information to be protected, why has the United States still failed to put forth a comprehensive blueprint to protect its citizens’ data?

A couple of reasons may account for this.  One is that the government is still trying to let industries set their own guidelines.  But this creates a patchwork of different standards, whose waters are further muddied by the specific requirements of each state in which industries operate.  This doesn’t make sense given that a substantial amount of online activity crosses state lines, let alone national borders.  Another reason may have to do with the perception that the government is more focused on being able to collect citizen information than on protecting it.  Whether it be the Snowden leaks, revelations of illegal surveillance, FBI FISA abuses, or an Office of the Director of National Intelligence report on how the government purchases private data, the U.S. government has appeared to engage in activities more akin to those of authoritarian states than of a democratic republic.

While the U.S. government may not want to compel industry privacy standards, it can certainly lay down a security baseline to which industries must adhere and around which they must structure additional standards, including how information is collected, stored, and protected, as well as individuals’ rights with respect to their information.  This is imperative to demonstrate to the American public that their interests come first.  That will be instrumental in starting to win back the confidence and support of people, especially in a day when cyber exploitation and data theft have become commonplace.  With one in four Americans saying they won’t do business with a company that has been breached, the message to the private sector should be loud and clear as well.

It goes without saying that citizens have a responsibility to make sure that they are doing everything in their power to protect their own information.  But once they entrust another entity with their information, the onus of responsibility inherently shifts.  Regardless of whether they are in the public or private sector, an organization suffering breaches and providing a year’s worth of credit monitoring is a poor way to tell customers that it’s sorry for the inconvenience.

The individual trumping commercial and government interests would be a refreshing turn of events.  And given the climate in the United States, a much needed one as well.

Tagged: Cybersecurity
Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.