Transportation Cybersecurity and Privacy Under Biden
President-Elect Joe Biden and Vice President-Elect Kamala Harris will be inaugurated on Jan. 20, 2021, ushering in a new set of regulatory and legislative priorities during the next four years. Chief among the Biden Administration's priorities will be responding to the coronavirus pandemic, which could involve an infrastructure package to stimulate the economy and that is ripe for the inclusion of cybersecurity-related reforms. However, passing legislation in the 117th Congress – in which Democrats will likely hold slim majorities in the House and Senate – will require bipartisan support.
Cybersecurity is traditionally a bipartisan issue and may be one such area where lawmakers and the Biden Administration can find common ground, particularly involving issues that relate to transportation and infrastructure. Privacy, by contrast, has been a more partisan issue over the last few years, but Congress' continued negotiations over a comprehensive privacy bill could also impact the transportation industry. Separately, the new administration will likely utilize regulatory reforms and enforcement to enhance cybersecurity and privacy protections. Following are some of the cybersecurity and privacy-related reforms and efforts that could advance under the Biden Administration.
Expansion of 5G
President-Elect Biden's campaign platform included deployment of fifth-generation (5G) mobile networking to enable faster and more reliable telecommunications, but with this comes increased cyber threats and risk on the transportation sector. Thus, legislation could include new requirements on vendors and standards for hardware and software developers to ensure that hackers cannot exploit existing or new security vulnerabilities. The Cyberspace Solarium Commission (CSC), which released 82 recommendations in its March 2020 report, "A Warning from Tomorrow," is focused on 5G security and will likely continue pushing legislation in 2021 that addresses these issues. Of those recommendations, 26 became law in the FY 2021 National Defense Authorization Act (NDAA), indicating that the report's recommendations are supported by Republicans and Democrats alike. Some of the remaining and relevant provisions could be included in a stimulus infrastructure package, similar to the 2009 American Recovery and Reinvestment Act, which then-Vice President Biden helped negotiate for the Obama Administration to address the fallout from the Great Recession.
Designation of Critical Infrastructure
Also in an infrastructure package, Congress could aim to establish corporate accountability standards and a process for responding to attacks that occur on critical infrastructure, such as transportation, as well as standards for remediating or mitigating cyber risks. Such a provision could carry new audits and notification requirements for the transportation sector when a security incident occurs. Notably, protecting critical infrastructure – a cornerstone of the CSC report – will be a priority for the Biden Administration given the recently publicized and extensive cyberattack on federal government agencies by suspected Russian hackers. The attack underscores existing concerns regarding the risks posed by consolidation of key software vendors for corporate America and the federal government, and sometimes both, such that a single vulnerability has the potential to cause a ripple effect beyond what has been historically possible.
Expect the Biden Administration and Congress to focus on creating public-private partnerships to coordinate on cyber issues. Administratively, this could include an expansion of the Cybersecurity and Infrastructure Security Agency's (CISA) authority, as well as increased resources in and outreach to the private sector. For example, in the recent cyberattack on federal agencies, CISA has taken a leading role in releasing warnings and directives, and in coordinating with the private sector. The Biden Administration appears likely to mirror the approach of the Obama Administration, especially with regard to greater involvement in cybersecurity to bolster high levels of coordination. Legislatively, this may include new programs that incentivize public-private cooperation and include safe harbors for the private sector in return for coordination with the government.
New National Cyber Director
Under the newly adopted FY 2021 NDAA, a National Cyber Director will be established within the Executive Office of the President. This reform was originally recommended in the CSC report. Given the recent cyberattack on federal agencies, the role of the Cyber Director is of utmost import. The Director will serve as the President's principal advisor on cybersecurity issues, as well as lead national-level coordination of cybersecurity strategy and policy within the government and with the private sector. The Director could impact the transportation industry in terms of cyber response and coordination, depending on the person who fills the position and the role they undertake in coordinating with federal, state, local, tribal and territorial governments and the private sector.
Cybersecurity Guidance on Vehicles
Currently, the U.S. Department of Transportation's National Highway Traffic Safety Administration (NHTSA) is working to update its cybersecurity guidance on vehicles, "Cybersecurity Best Practices for the Safety of Modern Vehicles". The guidance is currently being reviewed by the White House Office of Management and Budget's (OMB) Office of Information and Regulatory Affairs (OIRA). Once the interagency review is complete, NHTSA will request public comment and the request will be published in the Federal Register. Transportation stakeholders, and particularly original equipment manufacturers in the automotive industry who are investing in increased technology connectivity in vehicles and autonomous vehicle manufacturers, will likely be impacted by the guidance. The implementation of this guidance is likely to be the responsibility of the Biden Administration, and specifically Pete Buttigieg, President-Elect Biden's nominee for Transportation Secretary and the former mayor of South Bend, Indiana.
Comprehensive Privacy Legislation
The 116th Congress held promise for federal privacy legislation. Senate Commerce Committee Chairman Roger Wicker (R-Miss.) introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) (S. 4626), and Ranking Member Maria Cantwell (D-Wash.) introduced the Consumer Online Privacy Rights Act (COPRA) (S. 2968). These legislative proposals have many provisions in common, such as establishing new privacy rights for consumers, but enforcement provisions remain a sticking point. Thus, the focus on federal privacy legislation could return in 2021. Efficiently controlling the spread of the COVID-19 virus has involved and will continue to involve tracking and tracing cases, which require data collection and processing activities that raise potential privacy risks. These risks have captured the attention of federal lawmakers, and could even lead to requirements for both public and private entities that collect and process individual's data. A data privacy law could also include provisions regulating data security, data breach notification, biometric data and artificial intelligence.
Privacy Advocates in the Biden Administration
The Biden Administration is likely to bring a renewed focus on privacy and enforcement due in part to Vice-President Elect Harris' leadership on these issues while she served as California's Attorney General. In that role, she was at the forefront of enforcing state privacy and consumer protection laws against businesses, as well as issuing cybersecurity guidance that is still influential today.
Cabinet picks and senior staff for the Biden Administration are also perceived as having the necessary appetite and experience to support a consumer privacy agenda. For example, California's current Attorney General Xavier Becerra, who was selected by the President-Elect to be the Secretary of the U.S. Department of Health and Human Services (HHS), has led the implementation and enforcement of the California Consumer Privacy Act (CCPA). Becerra's expected departure could disrupt the still-new enforcement agenda of the CCPA, appointments for the state's new administrative agency charged with overseeing privacy, and the implementation of the California Privacy Rights Act (CPRA), a newly approved ballot measure that goes into effect on Jan. 1, 2023. Moreover, President-Elect Biden named as his deputy chief of staff Bruce Reed, who helped craft the CCPA and has called for reform of Section 230 of the Communications Decency Act, which provides liability protection to online platforms.
Increased Regulatory Enforcement and Congressional Oversight
Should the trend of nominating privacy advocates in senior roles in the Biden Administration continue, expect a significant uptick in enforcement measures. The Federal Trade Commission (FTC) has recently ramped up its reviews of major technology companies, ordering such companies to explain how they collect and use personal data, and such reviews are expected to continue in 2021. Moreover, the FTC and 48 attorneys general filed separate lawsuits in federal court on Dec. 16, 2020, accusing two tech giants of antitrust violations, and nearly 40 states filed an antitrust lawsuit on Dec. 17, 2020. Given states' recent commitment to scrutinizing tech giants, the federal government could cede control of these issues during the administrative transition in Washington, D.C. Alternatively, these state actions could spur an assertion of authority on antitrust and privacy concerns about "Big Tech" at the federal level. Congress will also continue to conduct oversight on "Big Tech" companies, as Republicans and Democrats have signaled commitments to addressing antitrust and privacy concerns that they have with such companies.
Although significant changes in cybersecurity and privacy may not occur immediately, the Biden Administration and the 117th Congress are likely to adopt meaningful reforms that could impact the transportation industry. A stimulus infrastructure package represents the most attractive vehicle for cybersecurity-related transportation reforms, including widespread broadband deployment and increased public-private partnerships. Should you have any questions about these potential reforms or seek to engage on these issues, please contact the authors.
20 Posts in 20 Days Leading to Inauguration Day on Jan. 20
Holland & Knight's Transportation & Infrastructure Industry Sector Group is prepared to assist industry clients in adapting to the anticipated changes by the new administration. Our team is writing new blog posts each day leading up to President-Elect Joe Biden's inauguration, with insights as to likely impacts on the various segments of the industry, including Aviation, Construction, Maritime, Freight Rail, Motor Carriers, Transit and Autonomous Transportation. Bookmark our Election Impacts on Transportation & Infrastructure resource page to follow along.