New White House Cybersecurity Framework and DATA Act: Good Intentions, But Still Fall Short

The National Institute of Standards and Technology has released the much awaited Framework for Improving Critical Infrastructure Cybersecurity, a document meant to serve as guidance for organizations to create cybersecurity frameworks that can prevent cyberattacks and data being compromised, such as the incidents experienced by a myriad of large retailers, like Target, over the last several months.

The guidance arrives at a time when both the executive and legislative branches are debating the United States' next steps in data privacy, with John D. (Jay) Rockefeller IV (D-WV) and Senator Edward Markey (D-MA) introducing the The Data Broker Accountability and Transparency Act of 2014 (DATA Act) on the same day as the administration released its cybersecurity guidelines. While both efforts are steps in the right direction, what the efforts are missing is a more heavy-handed approach to enforceability against organizations who fail to take data protection seriously.

The DATA Act would give consumers some necessary rights vis-à-vis data brokers, such as the right to opt out and the right to correct data inaccuracies. Data inaccuracies have led to consumers receiving mail addressed to a deceased daughter or addressed with names that are offensive, creating harmful and invasive situations for their recipients.

The cybersecurity framework simply lacks teeth, another effort of the administration to endorse guidelines without the power of any enforceability. President Obama specifically framed cybersecurity as a "shared challenge." While the United States government has its own agenda and concerns when it comes to cybersecurity, the promulgation of another set of voluntary standards arrives at a time when major players in the big data and social media spaces fail to comply with what should be baseline privacy compliance, such as clear privacy policies, adherence to international data frameworks such as the U.S.-EU Safe Harbor program or having internal systems in place to actively allow consumers to communicate concerns around their information privacy.

Even with the recent high profile cyber attacks and data woes being experienced by large operators, the incentive to institutionalize privacy for many companies remains low. For companies controlling and processing massive amounts of data, investment in infrastructure, whether technical or legal, comes low on the list of priorities in terms of time and financial investment. While cybersecurity and privacy are certainly "shared challenges" as the government itself has not taken the appropriate steps to rectify its own privacy violations, such as those involving the massive surveillance practices undertaken by the NSA, the government must take leadership in creating enforceable measures for the private sector and other organizations that will prevent the casual manner in which many companies still treat data.