In the fifth and final installment of a series on top-of-mind cyber-security and data privacy concerns, five senior compliance practitioners outline why they are in favor of U.S. federal data privacy legislation. 

Are you in favor of federal data privacy legislation? Please explain.

Meet the executives


Andrew Beagley


Chief Risk Officer

Years in compliance: 30




Kortney Nordrum 


Regulatory Counsel & CCO


Years in compliance: 7




Laurie Roberts


Founder and President

Cheatham Roberts Consulting

(Formerly Managing Director and CCO of Civitas Capital Group)

Years in compliance: 26+ 



KC Turan


SVP, Chief Risk, Compliance & Ethics Officer

UPMC Health & Insurance Services

Years in compliance: 20+



Steve Vincze


President & CEO

TRESTLE Compliance

Years in compliance: 25+



DISCLAIMER: The views reflected by the practitioners quoted are theirs alone and do not represent the views of their companies.

ANDREW BEAGLEY: We are in favor legislation that protects consumers’ privacy and supports technology innovation. The discussion provides great opportunity to bring together multiple points of view and learn from the implementation of similar legislation in other regions. In principle, the benefits of a single set of federal data privacy standards have appeal. As the discussion continues, regardless of when and what final regulation may look like, many organizations are starting to prepare by making sure they are utilizing new technology to manage and monitor the collection, storage, processing, and transfer of consumers’ data. This will stand everyone in good stead as these are bound to be key components of a future federal approach.


KORTNEY NORDRUM: I am! I like order and predictability, and a federal data privacy regulation would create a consistent standard for how companies treat consumer/personal information. It would also allow for greater transparency to consumers generally about how their data and information is tracked, collected, used, and shared or sold. As the owner of the privacy program for a company that collects consumer information, it would streamline our processes and allow for a single standard for U.S. residents, rather than the current state-by-state based rules. Finally, I support a federal regulation because I believe having a single, federal standard will allow consumers to more fully understand, and adequately protect, their privacy and data rights.

LAURIE ROBERTS: Yes, I am in favor of federal data privacy legislation. The 2018 Cost of Data Breach Study conducted by the Ponemon Institute revealed a data breach of 1 million records cost a company an average of $40 million; with 50 million records breached, the estimated average cost is $350 million (not including any costs associated with legal settlements). The cost to organizations is so high organizations need a consistent set of standards that all can follow rather than one for each of the 50 states. Countless fraudulent emails are sent each day. Organizations need the support of federal data privacy legislation.


KC TURAN: Yes. We’ve discussed federal privacy legislation for 20-plus years. We’re getting closer, and this now has strong consensus support. While industry-specific federal privacy laws (e.g., HIPAA, GLB, FCRA) have generally worked for their respective industries, we need greater cross-industry harmonization while allowing for reasonable latitude. It’s presently distributed and unwieldy, and the states are forced to fill the void, resulting in varying standards and complexities. Maintaining appropriate cross-border data flows will likewise require a thoughtful omnibus privacy law that optimally balances consumer protection with technological innovation. HIPAA, arguably an early precursor to the GDPR, essentially provides a blueprint construct. It’s time we developed an omnibus federal framework. 


STEVE VINCZE: I am. As U.S. citizens and as U.S. businesses, we should feel safe and secure that regardless of any particular state jurisdiction where we may reside or do business that our data and privacy and our associated responsibilities to safeguard and protect the data and privacy of others meet certain, clear national standards and requirements. Any such legislation, however, should provide sufficient flexibility for states to tailor these standards and requirements to meet unique, more challenging circumstances. By implementing national legislation, we should reduce or eliminate the need for each individual state to issue its own legislation, thereby reducing the potential costs and complexity of compliance while speeding up the process of implementing useful national standards and safeguards that protect individual citizens and businesses alike. Both domestically and internationally, the United States needs to catch up legally with the lightning pace of technological and societal change that the COVID-19 pandemic has accelerated. We all have become dependent on electronic information transfer. When we are dependent on anything, we become vulnerable and potential targets for illicit activity. We need to provide greater national security in data privacy while keeping administrative and economic compliance costs reasonable and affordable, thereby creating net positive value to our society. In the end, as with any compliance measure, it boils down to building security and trust in the system you depend on so that you can conduct your personal or professional transactions with confidence. Prosperity depends on economies that function in societies that ensure relative peace, security, and legal/governance predictability, enabling entrepreneurs and businesses to take risks, make investments, and create value. In this new COVID/Zoom/virtual world, we require new federal legislation to addresses these real, concrete data security risks that, if left unaddressed, could leave us all more vulnerable to cyber-threats. Weakness invites aggression. Peace through strength works. Let’s apply that sound principle to cyber-security.