This week, the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to discuss the Location Privacy Protection Act of 2014, a bill reintroduced in March by Senator Al Franken (D-MN).  Most concerned with the potential for misuse and abuse of location data for purposes of stalking and perpetrating domestic violence, Senator Franken, who chairs the Subcommittee on Privacy, made clear at the hearing his view that, “Stalking apps must be shut down.”  Franken clarified, however, that his bill is not only intended to protect victims of stalking, but provides basic privacy safeguards for sensitive location information pertaining to all consumers.  Most critically, Senator Franken suggested that because location data lacks sufficient legislative protection, some of the most popular apps used widely by average consumers have been found to disclose users’ precise location to third parties without obtaining user permission.  Further, he noted that in light of stalking apps that are deceptively labeled as something else, such as “parental monitoring,” it is necessary to create a law with basic rules for any service that collects location information.

The witnesses representing law enforcement, federal agencies, and consumer-advocacy and anti-domestic violence groups gave testimony sharing Senator Franken’s concerns, and also suggested that industry self-regulation in this area so far has not been consistent or transparent.  Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection, for example, noted that broadly speaking, while many industry groups and individual companies purport to adopt the opt-in model as a best practice, enforcement has shown that the standard is in fact not complied with on a regular basis. 

In response, witnesses representing industry largely rejected the notion that legislation like Senator Franken’s is needed at this time.  Expressing particular worry that laws and regulations are inflexible and can quickly become outdated in the face of rapidly evolving technologies, Lou Mastria, Executive Director of the Digital Advertising Association (“DAA”), testified that innovation is better served by self-regulation, which can adapt to new business models because it is more “nimble” than government regulation, as subcommittee ranking member Senator Jeff Flake (R-AZ) phrased it.  Mr. Mastria pointed to the DAA’s Self-Regulatory Principles as an effective framework for self-regulation.  Sally Greenberg, Executive Director of the National Consumers League, however, contested the usefulness of DAA’s code, calling it weak, “full of holes,” and “late to the game,” especially in the face of her view that there is “monumental evidence that self-regulation is not working.”

Continue Reading Senate Subcommittee Examines “Stalking Apps” Bill

On Wednesday, the Senate Commerce Committee held a hearing on “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.”  With recent high-profile breaches, and White House officials just this week telling industry executives that federal authorities notified more than 3,000 companies of cyber attacks last year, data security continues to attract the attention of lawmakers.  Specifically, the hearing follows data-breach legislation introduced in January by Chairman John D. Rockefeller IV (D-WV), which parallels at least four other similar bills recently proposed in the Senate.  Last month, several congressional committees held hearings on the topic of cyber security and data breach, dedicating almost an entire week to the issue.

Ahead of the hearing, Chairman Rockefeller released a majority staff report analyzing the Target data breach by applying the widely used “intrusion kill chain” analytic framework.  The kill-chain doctrine illustrates how cyber threats, viewed as a progressive campaign involving a number of distinct intrusion points, can be combated by disrupting different phases of the attack chain.  Appearing in the Senate for the second time this year after discussing his company’s data breach with the Judiciary Committee last month, Target’s Chief Financial Officer John Mulligan testified at the hearing.  The single panel also included witnesses from the government and public and private sectors, including the Federal Trade Commission, Visa, and the University of Maryland, which recently suffered two data breaches. 

While Mr. Mulligan spent some time discussing the particulars of Target’s data breach and response efforts, the hearing primarily addressed industry-wide prevention and enforcement possibilities.  Committee members examined the following principal points.

Continue Reading Senate Commerce Committee Discusses Data Breaches

Data security continues to be a hot issue on Capitol Hill, and just yesterday Attorney General Eric Holder urged Congress to create a “strong, national standard” for quickly reporting data breaches to consumers.  Democratic and Republican senators have been busy drafting legislation that would establish national requirements for data security and breach notice.  The following bills have been introduced over the last year:  Data Security and Breach Notification Act, Toomey (R-PA); Personal Data Privacy and Security Act, Leahy (D-VT); Data Security Act, Carper (D-DE) and Blunt (R-MO); Data Security and Breach Notification Act, Rockefeller (D-WV); and Personal Data Protection and Breach Accountability Act, Blumenthal (D-CT).

This post provides a side-by-side comparison of these five data-breach bills, which would impose varying standards and penalties.  The comparison focuses on the breach-notification requirements of each bill; it does not discuss the standards that some bills would establish for internal security protocols to safeguard stored data.

Continue Reading Comparison of Five Data-Breach Bills Currently Pending in the Senate

Data collection and security were a big topic on the Hill last week, where five congressional committees examined the issue over several days.  On the topic of data breaches specifically, the Senate Judiciary Committee held a hearing on “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime” and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled, “Protecting Consumer Information: Can Data Breaches Be Prevented?”

Appearing to be particularly influenced by the recent series of high-profile data breaches involving Target and Neiman Marcus, several legislators have also reintroduced a number of data-security bills in the Senate.  Last Tuesday, just ahead of the Senate Judiciary hearing, Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) reintroduced the Personal Data Protection and Breach Accountability Act (“PDPBA”).

Continue Reading Senate Bill Would Create ‘Stringent’ Penalties to Deter Data Breaches

Last Tuesday, February 4, the Senate Committee on the Judiciary held a hearing on “Privacy in the Digital Age.” Among the panelists were Executive Vice President and Chief Financial Officer of Target, John Mulligan, and Senior Vice President and Chief Information Officer of the Neiman Marcus Group, Michael Kingston. Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez joined the executives in offering testimony, along with representatives from the United States Department of Justice, the Secret Service, the Consumers Union, and the security industry.

Much of the hearing focused on so-called chip-and-PIN payment card technology. Initially raised by Mulligan—who relayed that Target was accelerating its $100 million investment to update its point-of-sale systems to support chip-enabled technology—the idea was quickly adopted by the Committee members and became a focus of discussion. The technical name for chip-and-PIN technology is “EMV,” which stands for Europay, MasterCard, and Visa, who founded EMVCo in the 1990s to develop specifications for secure payment transactions. In the payment industry, EMV refers to cards equipped with an embedded microprocessor—essentially, a small computer. With an EMV card, instead of swiping and signing, consumers insert their cards into a slot and enter a PIN for authentication.

Continue Reading Retailers Testify on Data Security at Senate Judiciary Committee Hearing, Express Support for Chip-and-PIN Technology

A number of investigations and inquiries, including a call for a hearing in Congress on December 30, 2013, have been sparked by the announcement by Target Corp. that a massive security breach of approximately 40 million of its customers’ credit and debit card accounts used at brick-and-mortar Target stores occurred beginning November 27 and extending through at least December 15.

The retailer stated that hackers obtained information known as “track data”: customer names as well as debit or credit card numbers and card verification values (CVVs).  Armed with track data, hackers can create counterfeit cards by encoding the information onto any card with a magnetic stripe.  In recent weeks, the stolen track data has been flooding underground black markets, according to Brian Krebs, writing on Krebs on Security.  The data is being sold in batches of one million cards for anywhere from $20 to more than $100 per card, with cards issued by foreign banks fetching the higher prices.

Continue Reading Senators Call for Hearing on Data Security in Wake of Target Data Breach

Yesterday, the Senate Homeland Security and Government Affairs Committee’s subcommittee on Oversight of Government Management held a hearing to consider updates to the Privacy Act of 1974.  The Privacy Act of 1974 governs federal government agencies’ collection, use, and transfer of individuals’ personal information.  In general, the Act limits federal agencies’ disclosure of such information

On Thursday, July 14, 2011 two Subcommittees of the House Energy and Commerce Committee (Commerce, Manufacturing, and Trade and Communications and Technology) will hold a joint hearing entitled “Internet Privacy:  The Views of the FTC, the FCC, and NTIA.”  The hearing, which is the first in a series of anticipated dialogues aimed at