Just at the end of 2015, the Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Obama right before Christmas.  The legislation combines elements from the versions of CISA that passed the House in April of 2015 and the Senate in October.

Enactment of CISA was driven by the goal of clearing away some of the legal uncertainty and liability risk concerns inhibiting the sharing of cybersecurity threat information. Cyber criminals are technologically proficient and constantly innovating, which means that protecting American enterprise networks, industrial control systems, and electronic information systems requires continued vigilance and innovation. There is broad agreement that the nation’s cyber defense posture could be greatly strengthened through more robust and timely sharing of cyber threat information, both between the government and the private sector and among private companies themselves.

As cyber week continues in Washington, Federal Communications Commission Chairman Tom Wheeler traveled to the west coast to speak about cybersecurity at the RSA Conference in San Francisco.  Wheeler noted that the FCC has several charges to protect against cyber-attacks and similar threats, including the agency’s responsibility to protect the safety of communications networks generally, as well as its responsibility to protect the privacy of consumer data collected by communications providers.

Wheeler centered his remarks on information sharing and accountability by the private sector.  He suggested that the communications industry’s approach to 911 calls – a combination of industry best practices and rules requiring that network outages be reported to the government – could serve as a model for cybersecurity information sharing, with cyber-attacks subject to similar reporting requirements.

He praised the work of the National Institute of Standards and Technology for its Critical Infrastructure Framework, and the FCC’s cybersecurity advisory committee, the Communications Security, Reliability and Interoperability Council (“CSRIC”) for its recommendations, released last month, to assist and encourage communications providers with implementing NIST’s voluntary framework.  He focused specifically on one of CSRIC’s accountability proposals – that members of the communications sector periodically meet with the FCC to discuss their companies’ cyber-risk management efforts.  He acknowledged that the FCC’s goal is not to micromanage implementation of the NIST framework by communications companies, but instead to learn whether the framework and companies’ efforts are actually working to mitigate risk.  He stated that the meetings will not be framed as depositions and sensitive information shared would be protected from public disclosure, but that many of the details regarding the meetings still need to be worked out.  The FCC is seeking comment on this and the other CSRIC recommendations until June 26, 2015.

And, back in Washington, the House of Representatives passed the Protecting Cyber Networks Act on a 307-116 vote over the concerns of civil liberties groups.  Read more in Wired, PC World and the New York Times.

On Wednesday, the House Homeland Security Committee passed a substitute bill for H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013.  The committee substitute bill was broadly supported by both parties.  As it presently stands, H.R. 3696 delegates to the Department of Homeland Security the responsibility for civilian cybersecurity research and development, incident detection and response, and facilitating the exchange of cyberthreat information between government and the private sector.  It calls for the establishment of industry sector coordinating councils under a so-called public-private partnership model.  In response to requests from industry, it expands the tort liability immunity provisions of the SAFETY Act by adding cybersecurity technologies to the anti-terrorism technologies covered by that statute.

Of concern to privacy advocates is the inclusion of a provision that appears to immunize private electronic communications services from liability for selling information about their customers’ communications to the government.  Under the bill, DHS is authorized to enter into contracts or other agreements to obtain “the assistance of private entities that provide electronic communication services, remote computing services, or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic . . . . No cause of action shall exist against private entities for assistance provided to the Secretary in accordance with this subsection.”


The Senate Commerce Committee released this morning its majority staff report, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, on the practices data brokers use to collect and sell personal information of consumers and how those practices affect the privacy of hundreds of millions of Americans.  The Committee held a hearing on the substance of the report this afternoon.

The Committee, chaired by Senator John D. Rockefeller IV, examined representatives of the Federal Trade Commission, the data brokering industry and privacy advocates on the industry practices itemized in the staff report.  The staff report and a report published by the Government Accountability Office earlier this year, Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in the Technology and Marketplace, both highlight the absence of any general federal statute that gives consumers the right to know what information is collected and shared about them and for what purposes.

The Committee staff report finds data brokers collect massive amounts of detailed health, financial, political and consumption information on hundreds of millions of consumers, and use this information to assemble packages of contact information for consumers that fit specific profiles, which are then sold to advertisers.  The growth of this industry is illustrated by the fact that one data broker reported to the staff that it has multi-sourced data on more than 700 million individuals worldwide.  Another reported that its database includes almost every U.S. household, while a third claimed that it has data points for more than 80% of all U.S. consumer email addresses.

During the Senate hearing this afternoon, Senator Rockefeller stated that the staff investigation is continuing.  He said that he is putting several of the largest data brokers “on notice” that the Committee intends to pursue answers to its questions about their practices, implying that he would use the Committee’s subpoena power if necessary.

Not much... perhaps we should send them a box of coal.  So, we look ahead...

Written by Jonathan T. Cain, CIPP/G

If you believe that Congress does best when it does least, then 2013 was an outstanding year – at least as far as privacy and data protection are concerned.  Out of the dozen or so privacy or cyber security bills introduced in the 113th Congress, only four passed one house and none made it into law.

If, on the other hand, you think that the country really needs to update aspects of its privacy and cyber security laws to protect consumers, national security and critical commercial infrastructure, as well as reach decisions on the right balance between commercial and government surveillance and civil liberties, then there is a lot of work left to accomplish in 2014.  The prospects for meeting those goals are not bright.  Like 2013, the coming legislative year is likely to involve many committee hearings and modest, if any, action in either the Senate or House.

Cyber Security

House members introduced nine bills focused on aspects of cyber security.  Of those, the four that saw floor action were H.R. 1163 (amendments to update the Federal Information Security Management Act); H.R. 967 (encouraging and providing funding for IT research and development); H.R. 756 (another cyber security R&D act); and H.R. 624 (the Cyber Intelligence Sharing and Protection Act or CISPA, which amends the rules by which government and industry may share information about cyber attacks and provides liability coverage to companies that provide data to the government).  All four were referred to Senate committees, and none saw action in the Senate.

Of the four, the FISMA amendments bill has the best prospects for passage.  It passed the House on a 416-0 vote.  This is the kind of tweaking of the bureaucratic rules governing data security in federal agencies that does not engender significant industry or civil liberties opposition, so it is a safe area in which to legislate in the upcoming election year.

CISPA would work the most significant changes in cyber security and cyber attack defense procedures and requirements, including the imposition of new requirements on industry to cooperate and provide information to federal agencies in the event they experience a cyber attack.  It is one of the most contentious cyber security bills currently under consideration.  It is the subject of a veto threat; industries are concerned about the costs and about their ability to maintain the confidentiality of their vulnerabilities to attack; and civil liberties advocates have expressed strong concerns about exposing vast amounts of consumer data held by industry to government examination and use for purposes other than responding to a cyberthreat.  Civil liberties interests reject the premise in CISPA that industry needs broad immunity protections for releases of personal information to the government in order to cooperate in addressing cyber attacks.  With all of these issues pending, passage of CISPA without significant modification is not likely.

In the Senate, cyber security legislation did not fare any better in 2013, and the prospects for 2014 are not much different.  S. 1353, the Cybersecurity Act of 2013, calls for the National Institute of Standards and Technology (NIST) to develop a framework process to enhance industrial cyber security.  The legislation never left the committee to which it was referred, but much of the substance of the bill was adopted by the President in an executive order issued in February 2013.  Under the EO, NIST has been engaged in a consultation process leading to the expected publication of a “framework” document in February 2014.  The other bills introduced in the Senate, S. 1111 (the Cyber Economic Espionage Accountability Act); S. 884 (the Deter Cyber Theft Act); S. 658 (the Cyber Warrior Act of 2013); and S. 21 (the Cybersecurity and American Cyber Competitiveness Act of 2013), have all languished in committee without action.

Last week saw the introduction of the House bill with the best prospects for action in 2014.  H.R. 3696 was introduced on December 11 by the Chairman of the House Homeland Security Committee with support from key Democrats on the Committee.  It contains many provisions from CISPA concerning sharing of cyberthreat information, and would place responsibility for coordinating the response to cyber attacks in the Department of Homeland Security.  The new bill does not contain several of the liability limitations in CISPA that raised concerns.  The new bill also expressly provides that it is not intended to create any new regulatory authorities, a concern that has been raised repeatedly in the NIST Framework process initiated by Executive Order last February.  A more detailed examination of H.R. 3696 will be the subject of a separate post.

Privacy

Several bills addressing narrow issues within the general category of privacy were introduced in 2013, including measures

  • regulating drone surveillance (H.R. 637, H.R. 972 and H.R. 1262);
  • prohibiting government agencies from obtaining the contents of electronic communications from communications service providers without a warrant (H.R. 983);
  • creating criminal penalties for companies failing to report data security breaches involving sensitive personally identifiable information (H.R. 1121, S. 1193);
  • amending the Electronic Communications Privacy Act (ECPA) to prohibit a provider of electronic communications services to the public from divulging the contents of stored communications to the government without a warrant or subpoena, and to require timely notification of the customer (H.R. 1847);
  • prohibiting employers from requiring employees or applicants to provide the employer with passwords to the individual’s own computer or social networking account (H.R. 2077);
  • prohibiting the retrieval of data from an automobile data recorder without the owner’s consent or a court order, except to service the vehicle (H.R. 2414);
  • regulating the use and storage of data from automated license plate readers by law enforcement agencies (H.R. 2644);
  • regulating the interception, sharing and uses that may be made of geolocation information obtained from mobile devices (S. 639); and
  • amending FISA and regulating the broad collection and storage of communications metadata, geolocation information, and contents of electronic communications on U.S. citizens and in the U.S. (S. 1151; S. 1467; H.R. 3367 and others).

One can reconstruct the headlines of the day by reference to the bill numbers.  Each is a reaction to a disclosure of practices by government or commercial businesses that received media attention during the year.  None of this legislation moved beyond referral to a committee throughout 2013.  There is little prospect in 2014, absent some revelation that ignites strong public reaction, for any greater legislative attention to be paid to a broad privacy initiative.


With a victory in last week’s election for President Obama, there is an increased chance for an Executive Order on Cybersecurity before the end of the year.  Our colleagues at ML Strategies have published a post-election analysis of telecommunications issues, including cybersecurity and privacy; that analysis is available here: ML Strategies Legislative Alert – Telecommunications in the Lame Duck and 113th Congress.

Following on the heels of Facebook’s landmark settlement with the Federal Trade Commission, a bipartisan group of members of the House of Representatives has apparently read the “new and improved” Facebook privacy policy and were not impressed.

Reps. Cliff Stearns (R-FL), Ed Markey (D-MA), Joe Barton (R-TX), and Diana DeGette (D-CO), sent a letter to Facebook CEO Mark Zuckerberg, wondering why the site’s new Data Use Policy was longer than the U.S. Constitution.

“Many of these actions [in the FTC settlement] have long since been rectified by Facebook in response to user concerns, but both the practices and user information collected by those practices give rise to questions nonetheless,” the letter said.

The letter pointed out that Facebook’s current privacy policy is almost six times as long as it was in 2005, longer than other social networks’ policies and the Constitution, not including the amendments. The representatives asked Zuckerberg to give them data regarding the percentage of Facebook users who read the full policy.  “We are concerned … that long, complex privacy policy statements make it difficult for consumers to understand how their information is being used,” the letter said.

Facebook aside, the fact is that privacy policies are getting longer, more complex and more difficult for users to comprehend as websites attempt to put every possible way that they may or “might” use information, now or in the future, into the policies.  The congressional inquiry may help to put a check on the “kitchen sink” approach to drafting.

Other questions of interest to the lawmakers are ones that site operators (and their advisors) should be asking with every privacy policy: how the site tracks users’ browsing habits, including what information it collects, whether the information can be used to identify an individual, and whether users can opt out of tracking.  They specifically asked: “How is Facebook making it easier for users to understand their ability to opt out?”  The lawmakers requested that Zuckerberg respond to the questions by Jan. 3.

Stearns and DeGette are the chairman and ranking member, respectively, of the House Energy and Commerce Committee’s subcommittee on oversight and investigations. Barton and Markey are co-chairmen of the Congressional Bipartisan Privacy Caucus.

So, when’s the last time you reviewed your company’s privacy policy?

Written by Julie Babayan

The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade has approved a data security bill by a voice vote, moving it to the full Energy and Commerce Committee for consideration.  The Secure and Fortify Electronic Data (“SAFE Data”) Act would establish national rules for securing data containing personal information, as well as requirements for notifying affected individuals in the event of a breach.  The rules would apply to any person engaged in interstate commerce who possesses data containing personal information related to that commercial activity.

Under the legislation, the Federal Trade Commission (“FTC”) would implement and enforce the regulations, and state attorneys general or other state officials would also have enforcement authority to bring civil actions.  The bill would preempt state information security and breach notification laws, but not state consumer protection laws or state trespass, contract, tort, or fraud law.

Chair of the subcommittee, Rep. Mary Bono Mack (R-CA), noted in a press release that the legislation builds on information that the subcommittee examined during recent hearings, which focused on this year’s data breaches at Sony and Epsilon.  The subcommittee also approved an amendment striking the FTC’s authority to use its Administrative Procedure Act rulemaking process to modify the bill’s definition of “personal information,” which the bill defines as an individual’s first name or initial and last name or address or phone number in combination with a social security number; a driver’s license or other similar identification number on a government document; financial account number or credit card or debit card number and any required security code.


We now have proposed “do-not-track” legislation in both the U.S. House of Representatives and in the U.S. Senate.

Representative Jackie Speier (D-CA) introduced the Do Not Track Me Online Act in February, and yesterday Senator Jay Rockefeller (D-WV) introduced the “Do-Not-Track Online Act of 2011”.  Senator Rockefeller is the Chairman of the Senate Commerce Committee.

Senator Rockefeller’s bill directs the Federal Trade Commission to develop regulations establishing standards for a universal “Do Not Track” mechanism that would enable individuals to express a desire not to be tracked online.  The bill allows for case-by-case exceptions, but only with the end user’s explicit consent.

The bill gives enforcement power to the FTC, treating violations as unfair and deceptive trade practices, and (like HITECH) authorizes state attorneys general to bring civil actions for violations.  It also has teeth.  The bill includes civil penalties of $16,000 per day for violations, with a maximum total liability of $15,000,000.

There will be more analysis of this proposed legislation in the days to come.  See an article in Media Post for a good description of the advertising issues.