Trump Commerce Pick Ross Lacks in Cybersecurity, Privacy


By Daniel R. Stoller

President-elect Donald Trump’s trade-focused Commerce Department secretary pick Wilbur Ross heads into his Jan. 18 nomination hearing without a clear data privacy and cybersecurity policy stance.

Ross, an investor worth $2.9 billion according to Bloomberg data, has been silent on how he would handle oversight of Commerce cybersecurity and international data transfer matters. Companies rely on Commerce programs for cybersecurity guidance and the ability to transfer consumer, human resources and other personal data out of the European Union.

Ross’ confirmation hearing before the Senate Commerce, Science and Transportation Committee comes two weeks after President Barack Obama’s administration released exit memos highlighting national security, cybersecurity and commercial cross-border transfer issues that will face the Trump administration, including at Commerce.

A Senate staffer told Bloomberg BNA on background Jan. 17 that Sen. Richard Blumenthal (D-Conn.), a committee member, is expected to ask questions regarding Ross’ cybersecurity stance. That would be in line with how Senate Democrats on other committees have questioned Trump appointees about their views on cybersecurity issues.

If confirmed by the Senate, Ross would oversee critical cybersecurity, data privacy and data transfer programs, including the National Institute of Standards and Technology’s cybersecurity framework and the European Union-U.S. Privacy Shield data transfer mechanism.

Ross “appears to have no direct experience or expertise in cybersecurity or privacy,” Edward J. McAndrew, privacy and data security partner at Ballard Spahr LLP in Philadelphia, told Bloomberg BNA Jan. 17. Although the lack of experience may impact Ross’ efficiency, there’s “no reason to believe that the new Administration will change course” on the NIST framework or Privacy Shield, he said.

The Department of Commerce had no comment on the confirmation hearings or on Trump’s appointments. Representatives for Trump’s transition team didn’t respond to Bloomberg BNA requests for comment.

Data Privacy Deregulation?

Ross’ lack of a clear policy stance may cause concerns for companies that rely on Commerce and NIST for cybersecurity guidance documents and other publications.

Vanessa Henri, legal counsel at information technology consulting company Above Security in Montreal, told Bloomberg BNA Jan. 17 that it is “worrying” that Trump wants Ross to lead “efforts to reduce burdensome regulations pertaining to cybersecurity.” Although U.S. federal cybersecurity harmonization may be beneficial, internet of things (IoT) and other pervading issues call for increased—not decreased—regulation, she said.

Data privacy deregulation “would create instability and endanger new initiatives such as intelligence sharing, which is critical to foster public-private partnerships,” Henri said.

Commerce has cited NIST’s Framework for Improving Critical Infrastructure Cybersecurity as a central development in setting baseline cybersecurity standards for the private sector. Whether Ross would pull back funding for NIST or other policy maneuvers that would handicap the group remains unclear.

McAndrew said that NIST should “continue to play an increasingly important role in cybersecurity guidance in both the public and private sectors.” However, Ross’ lack of cybersecurity expertise may harm how effective NIST is in “building effective public-private relationships and partnerships on cybersecurity issues,” he said.

Henri said that NIST’s guidelines are fundamental for businesses that rely on the guidance documents. For example, a recent NIST publication on IoT “stresses how a fundamental cultural change to the current business model is needed,” she said.

Ross, or whoever is confirmed as the next Commerce secretary, “will have to act as a catalyst for such organizational and cultural changes,” Henri said.

Trade Issues

The EU-U.S. Privacy Shield, which allows U.S. companies that self-certify to Commerce their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S., is a crucial mechanism to support the more than $260 billion in trade in services between the U.S. and EU, according to the Obama exit memo on Commerce.

The Privacy Shield was finalized in July 2016 as a replacement for the U.S.-EU Safe Harbor data transfer program relied on by over 4,000 U.S. companies and tens of thousands of EU business partners that was invalidated by the EU’s top court, in part, over cybersecurity concerns related to government access to transferred data.

EU officials have said that they will closely monitor Trump’s handling of the Privacy Shield. EU Justice Commissioner Vera Jourova said in November 2016 that the European Commission, the EU’s executive arm, would “closely monitor the respect of protection standards and the correct implementation” of Privacy Shield “under the new U.S. leadership.”

The exit memo also called cybersecurity in cross-border data transfers fundamental to establishing necessary corporate and consumer confidence to grow the digital economy. The Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules, which establish a system for mutual interaction of privacy and security laws of the 21 member economies, are a vital component, the memo said. The U.S. and China are APEC members.

But Ross’ business dealings in China, and statements he made during the campaign, could suggest hesitancy toward working with China and related trade partners. Ross previously co-authored a report that described the world as “riddled with trade cheaters,” with China as the biggest culprit. Such statements are in line with Trump’s remarks about China during the campaign and in the run-up to the inauguration.

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
