Is the US Getting Closer to a National Cybersecurity Law?

From the moment Europe's leaders began discussing the law that would eventually become the GDPR, it seemed almost inevitable that the United States would some day pass a national cybersecurity law of its own. After all, as the center of the world economy, America presents the largest attack surface for anyone looking to steal consumer data, trade secrets, or other sensitive information.

America's GDPR may still be years in the future, but the country appears to be taking another step in that direction. Recent comments from Senator Mark Warner and other high-profile politicians, in the wake of the recently-uncovered breaches at Marriott and the National Republican Congressional Committee, suggest that there may be growing support in D.C. for a national solution.

As Senator Warner put it, "It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses."

That's a clear enough signal, and as Vice Chair of the Senate Intelligence Committee, Senator Warner is in a position to influence government policy, as least where threats to national security and the country's political system are concerned. It remains to be seen whether he and other like-minded politicians can build a consensus for moving cybersecurity legislation forward.

Whether it happens in 2019 or a few years down the road, at some point the country will almost certainly adopt a national cybersecurity law, and by now the basic principles of that law are fairly easy to predict. Given that many American companies are already subject to the provisions of the GDPR, the US will likely base its own law on the European version, creating new protections for consumers and heavy penalties for companies that leave sensitive data unprotected.

Of course, companies that wait until they're legally required to protect their sensitive data will find themselves a step behind. The sooner an organization takes action to lock down its consumer records, intellectual property, and financial data, the less likely it is to hear its own name repeated in Washington as an example of what not to do.

PKWARE’s Smartcrypt is a data-centric security platform that automatically finds and protects files containing sensitive data. With Smartcrypt, you can meet your compliance obligations and keep data safe from internal and external threats.