On 3 June 2022, bipartisan members of the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation released a discussion draft of the American Data Privacy and Protection Act, a data privacy and security framework with bipartisan legislative support. The draft contains rules regarding data security and protection. Specifically, it requires entities collecting, processing or transferring data to implement reasonable data security practices that protect covered data against unauthorised use and acquisition. Whether such practices are reasonable depends on a number of factors, such as the size and complexity of the covered entity, the nature of data collection, the sensitivity of data being collected, and the state of security technology. The draft also sets up specific requirements for security practices, including vulnerability assessments, preventive and corrective action, evaluation, information retention and disposal, training, and designation of employees responsible for security practices. Furthermore, the draft outlines specific requirements for “large data holders” regarding the assessment of privacy risks and reporting to the authorities. Finally, the draft law specifies that it will not preempt federal and state laws that regulate data breach notifications, or criminal or civil laws regarding cyberstalking or cyberbullying.