That’s a complex question, made more so due to the interplay between the U.S. Constitution, powers granted to the Federal Trade Commission, and the states’ police power.
The current patchwork of state and federal laws covering data privacy within the U.S. invites comparison to the GDPR. While adopting a U.S. version might seem appealing, we need to look at how existing federal legislation is influencing data privacy. For example, the Health Insurance Portability and Accountability Act (HIPAA) is designed to protect a class of personal information—personal health information. Despite the sensitivity of the data and covering legislation, there is no guarantee of adequate security, as evidenced by the June 4 SEC disclosure by LabCorp of a breach impacting 7.7 million of its customers.
A situation like this exists in part due to legislative focus being on processes and penalties without clear criteria covering when data can be appropriately collected, how it should be secured, what data retention is considered appropriate, how it might be transferred to third parties, and how individuals can effectively audit the entire lifecycle of any data provided.
Effectively, in its focus on process and penalties, HIPAA defers implementation decisions, allowing individual health care providers to determine an appropriate level of security for the underlying data, which could easily result in weaker or less costly options being selected.
—Tim Mackey, technical evangelist, Synopsys