Following the Guardian’s recent exposé on Whisper’s consumer-privacy practices, alleging that the social-media app that supposedly allows people “to anonymously share [their] thoughts with the world . . . in a community built around trust and honesty,” in fact tracks the geolocation of users who opted out of such data collection, Chairman of the Senate
On October 20, 2014, a bipartisan group of senators sent a letter to U.S. Senate Committee on Commerce, Science, & Transportation Chairman John D. Rockefeller IV (D-W.Va.) and Ranking Member John Thune (R-S.D.), requesting that the Committee schedule a “general oversight and information-gathering hearing” on digitally connected technologies before the end of 2014.
The letter, penned by Sens. Kelly Ayotte (R-N.H.), Cory A. Booker (D-N.J.), Deb Fischer (R-Neb.), and Brian Schatz (D-Hi), stated that the connected devices industry is expected to generate global revenues of $8.9 trillion by 2020, and that its importance would soon be felt by millions of Americans with the “proliferation of connected products” and “the upcoming holiday season.” The industry, however, raises a number of important policy questions in the areas of “consumer protection, security, privacy, technical standards, spectrum capacity, manufacturing, regulatory certainty, and public-sector applications,” the letter said.…
On Wednesday, the Senate Commerce Committee held a hearing on “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.” With recent high-profile breaches, and White House officials just this week telling industry executives that federal authorities notified more than 3,000 companies of cyber attacks last year, data security continues to attract the attention of lawmakers. Specifically, the hearing follows data-breach legislation introduced in January by Chairman John D. Rockefeller IV (D-WV), which parallels at least four other similar bills recently proposed in the Senate. Last month, several congressional committees held hearings on the topic of cyber security and data breach, dedicating almost an entire week to the issue.
Ahead of the hearing, Chairman Rockefeller released a majority staff report analyzing the Target data breach by applying the widely used “intrusion kill chain” analytic framework. The kill-chain doctrine illustrates how cyber threats, viewed as a progressive campaign involving a number of distinct intrusion points, can be combated by disrupting different phases of the attack chain. Appearing in the Senate for the second time this year after discussing his company’s data breach with the Judiciary Committee last month, Target’s Chief Financial Officer John Mulligan testified at the hearing. The single panel also included witnesses from the government and public and private sectors, including the Federal Trade Commission, Visa, and the University of Maryland, which recently suffered two data breaches.
While Mr. Mulligan spent some time discussing the particulars of Target’s data breach and response efforts, the hearing primarily addressed industry-wide prevention and enforcement possibilities. Committee members examined the following principal points.
Continuing a spate of recent legislative activity, the Senate Commerce Committee is bringing the hot topic of data breach back to the Hill. This Wednesday, the Commerce Committee will hold a hearing entitled, “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.” According to the Committee, recent data breaches at Target, Neiman Marcus, White Lodging, Snapchat, and the University of Maryland have illustrated the need to improve protections of consumer data. The hearing will examine the risks that breaches create for consumers, the lack of a federal data-security law, and several data-security bills currently pending that would establish such a federal standard. The following witnesses are scheduled to testify:
- Edith Ramirez, Chairwoman of the Federal Trade Commission
- John J. Mulligan, Vice President and Chief Financial Officer of Target
- Dr. Wallace D. Loh, President of the University of Maryland
- David Wagner, President of Entrust
- Peter J. Beshar, Executive Vice President and General Counsel of Marsh & McLennan
- Ellen Richey, Chief Enterprise Risk Officer at Visa
In advance of a July 25 Senate Commerce Committee hearing on “The Partnership Between NIST and the Private Sector: Improving Cybersecurity,” Chairman Jay Rockefeller (D-WV) and Ranking Member John Thune (R-SD) introduced the “Cybersecurity Act of 2013” (S. 1353).
The bill avoids controversial topics such as information sharing and regulation of critical infrastructure cybersecurity and specifically states that it does not confer regulatory authority on federal, state, tribal, or local governments.
The bill focuses instead on several key issues. First, it extends the mandate Executive Order 13,636 gave to the National Institute for Standards and Technology (“NIST”) to develop cybersecurity standards. NIST is currently working to develop standards pursuant to the Executive Order, and the bill directs NIST to develop, on an ongoing basis, voluntary, industry-led standards and best practices to reduce risk to critical infrastructure. In developing the standards, NIST is instructed to coordinate “closely and continuously” with the private sector, incorporate existing voluntary best practices and international standards, prevent duplication of and conflict with existing regulatory requirements, and ensure that its standards are technology-neutral. The bill further specifies that information provided to NIST for standards-development cannot be used for regulatory purposes.
Yesterday, industry and government panelists participated in a conference sponsored by the Congressional Internet Caucus Advisory Committee that included a panel discussion on “Plumbing the Policy Implications of Data Analytics and Defining ‘Big Data,’ The Year’s Most Overused Term.”
According to press reports, Federal Trade Commission Senior Policy Adviser and panelist Paul Ohm acknowledged that big data may have potential benefits to public health and research, but also noted that the benefits of big data “tend to get overblown.” Mr. Ohm stated that, “when there is an expense to privacy, I think we should have discussions about whether the benefits [of big data] outweigh the costs.”
Erik Jones, Deputy General Counsel of the Senate Commerce Committee, told participants that the Committee is investigating the collection of big data for use by companies to market to consumers. He pointed specifically to last year’s inquiry by Commerce Committee Chairman John D. Rockefeller IV (D-WV) into the activities of nine data brokers. According to press reports, Mr. Jones stated that the Committee is “not suggesting that there’s something inherently wrong” with the use of big data for marketing purposes, but indicated that the Committee wants to learn more about what information is being collected and how that information is used.
Mr. Ohm also expressed concern generally about whether supposedly anonymous data can be linked to real people in a world of “big data.”
By Ryan Mowery
In a hearing held by the Senate Commerce Committee last Thursday, a representative from the advertising industry vigorously defended its self-regulatory regime for online behavioral advertising. Other witnesses were less sanguine about the efficacy of self-regulation, while Committee Chairman Sen. John D. Rockefeller (D-WV) decried the current state of consumer privacy protection in the U.S. and urged adoption of “Do Not Track” legislation.
Today, the Senate Committee on Commerce, Science, and Transportation held a hearing to seek the views of the Federal Trade Commission and the Administration on privacy issues. Discussion at the hearing, entitled “The Need for Privacy Protections: Perspectives from the Administration and the Federal Trade Commission,” focused in significant part on the privacy reports recently released by the FTC and the Administration.
Committee Chairman John D. (Jay) Rockefeller IV (D-WV) introduced the hearing by calling for “strong legal protections” and “simple and easy to understand rules” about information collection. He called for “strong, consumer-focused” privacy legislation this year, though conceded that no consensus about such legislation exists yet. Senator John Kerry (D-MA) also voiced support for privacy legislation. In contrast, Senator Pat Toomey (R-PA) expressed skepticism about new legislation, calling for a detailed cost/benefit analysis and identification of a specific market failure prior to any new regulation.
Following up on its “Face Facts” workshop that brought together a variety of stakeholders to discuss the privacy issues relating to commercial uses of facial recognition technology, the FTC has announced that it is seeking public comment on the issues raised at the workshop. According to the Commission, these issues include:
- What are the current