Federal Law Should Protect Data Privacy Whistleblowers
The recent explosion of state data privacy laws demonstrates the need for comprehensive federal data privacy regulation, which must include protection for whistleblowers.
The federal government should establish a uniform, comprehensive data privacy regulatory regime. American federalism is a remarkable system, but data privacy is not amenable to experimentation in the laboratories of democracy. Business in the digital age inevitably involves interstate commerce and sensitive personal data. Until Congress passes comprehensive data privacy legislation, business in the United States will be forced to grapple with the intricacies of distinct regulatory regimes. The inconsistency increases the cost of compliance. For the unwary, especially small businesses, that cost could be catastrophic.
Data privacy regulation is needed. Privacy has long been a cherished aspect of American society. The U.S. Supreme Court has discussed privacy’s place in our law for nearly a hundred years. The digital age has brought with it new and grave threats to Americans’ privacy. Efforts to amass and exploit our personal information have grown commensurate with the ability to gather, store, and transmit it. The law should protect our valuable, sensitive data from misuse.
While Congress remained silent, state legislatures filled the gap. Before 2018, not a single state had a comprehensive data privacy law on the books. California’s Consumer Privacy Act – signed into law in June 2018 and effective as of the beginning of this year – was the first of its kind. Now, multiple other states have followed suit and have introduced or are considering comprehensive data privacy legislation.
Relying on state legislation unnecessarily increases the cost of compliance. Businesses must assess and monitor all state data privacy requirements and weigh whether access to a state’s residents is worth the compliance cost. Among the markets where a business remains active, the state with the most stringent requirements will largely set the standards for compliance. Thus, a single state will define data privacy standards for business operations throughout the U.S. In addition, minor variations among the state laws and ongoing monitoring will increase compliance costs without improving data privacy protections.
Prior to any state data privacy law, the U.S. government was already ceding data privacy regulation in many cases to the EU. U.S. firms doing business in Europe had to comply with the law through either specialized contractual provisions or participation in the voluntary Privacy Shield regulatory regime.
The U.S. government should leverage its existing experience and bureaucracy and harmonize data privacy requirements. Once a company opts into Privacy Shield to satisfy GDPR, the rules become mandatory and are enforced by the FTC. Yet although the federal government is already regulating data privacy, companies and their customers remain subject to a hodgepodge of requirements selected by the company and determined by the states and the EU.
Federal data privacy legislation must protect data privacy whistleblowers. Somewhat surprisingly, the proposed and enacted state laws generally lack broad protections for data privacy whistleblowers. It is well established that whistleblowers play a vital role in identifying and correcting non-compliance and that legal protection from retaliation fosters the reporting of issues. Those general observations have played out concerning cybersecurity whistleblowers.
Employers should welcome data privacy whistleblower protection because they benefit when they learn of non-compliance early on from internal whistleblowers who may otherwise remain silent if they fear retaliation. To be sure, most of the state laws have weak public enforcement provisions. However, some of those laws provide for private rights of action. Those private actions are quite amenable to class actions. Indeed, in January 2020, Facebook settled a class action suit in Illinois for $550 million. Though based on a 2008 law, that lawsuit provides a template for potential class actions under the new state laws with private rights of action. Likewise, public corporations that fail to disclose such violations could face a further hit in the form of shareholder litigation. Moreover, companies subject to GDPR face a penalty of up to 4% of annual worldwide revenue for a violation. In short, data privacy violations could be business ending, and so companies would benefit from learning of potential problems as early as possible to prevent or mitigate potential violations. Information security workers on the ground can identify and report problems that may spare their employers disastrous liability, but they need strong legal protections to feel empowered to come forward for the good of the organization without fear of retaliation, unlawful termination, or being scapegoated.
Likewise, the public should demand that Congress protect data privacy whistleblowers. I have written previously about how existing federal laws protect many cybersecurity whistleblowers. The statutory patchwork, however, is far from ideal. Indeed, within the past year, I have encountered a handful of cases where courageous information security professionals disclosed critical cybersecurity threats and had no recourse when they were subsequently terminated by their employers. They had no way to hold these companies accountable for their reckless actions, no incentive to display similar courage in subsequent positions, and no reason to believe that the system that left them abandoned for doing the right thing and trying to protect the public is anything but broken.
In conclusion, I applaud the states for stepping up to do what they can. However, the federal government must end its abdication of this critical area and enact legislation that establishes a national regime for data privacy and provides a much-needed anti-retaliation provision for cybersecurity whistleblowers. Until then, the United States will be stuck in the past without adequate protections for consumers, small businesses, and courageous cybersecurity whistleblowers who risk their jobs and reputations to protect the general population’s private information.