“With Republicans taking over, we might finally see data security and breach notification legislation get across the finish line,” said Ingis. “There is actually already pretty widespread agreement on the need for the legislation, but the conflict comes from some wanting to add on very restrictive items having to do with topics like data brokers and online tracking.”
For data breach notification, Congress is expected to pass a low breach notification threshold preempting expansive state law reporting requirements. Meanwhile, data security legislation is expected codify generally accepted best practices without creating broad obligations. “It's unlikely there will be much room for rule-making [by regulators] with Republicans in charge, given their concerns about wanting to not enact expansive requirements or added rule-making,” said Ingis.
Noting that proposed legislation likely will not have everything Democrats want, Ingis said it would be hard for the president to pass up the opportunity to set baseline privacy principles. “There’s a difference between a president vetoing a law and senators in a committee pushing to add provisions,” he added. “Unless a bill is in exact opposition to his objectives, the president is not really in a position to veto it just because he wishes it did more.”