House of Representatives

On February 4, 2021, the House Energy and Commerce’s Subcommittee on Consumer Protection and Commerce held a hearing entitled, “Safeguarding American Consumers: Fighting Scams and Fraud During the Pandemic.”  The hearing focused on the FTC’s ability to obtain equitable monetary relief under Section 13(b) of the FTC Act – an issue that is currently being considered by the Supreme Court in AMG Capital Management LLC v. Federal Trade Commission.

To gain a better understanding of the deceptive marketing campaigns seeking to exploit the ongoing public health crisis and the challenges the FTC faces in fighting fraud, the Subcommittee invited Bonnie Patten, Executive Director of TruthInAdvertising.org; Jessica Rich, former Bureau of Consumer Protection Director and Distinguished Fellow of the Institute for Technology Law & Policy at Georgetown Law School; William E. Kovacic, former FTC Chairman and Global Competition Professor of Law at George Washington University Law School; and Traci Ponto, Spokane COPS Crime Victim Advocate at Spokane Community Oriented Policy Services.
Continue Reading Hearing on Consumer Protection During the Pandemic Focuses on FTC’s Equitable Monetary Authority

On January 9, the House of Representatives passed the Cyber Vulnerability Disclosure Reporting Act by voice vote.  The Act directs the Secretary of the U.S. Department of Homeland Security (“DHS”) to prepare a report describing the policies and procedures that DHS developed to coordinate the cyber vulnerability disclosures.  Under the Homeland Security Act of 2002 and the Cybersecurity Information Sharing Act of 2015 (“CISA”), DHS is responsible for working with industry to develop DHS policies and procedures for coordinating the disclosure of cyber vulnerabilities.
Continue Reading House Passes Cyber Vulnerability Disclosure Reporting Act

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would  create new online privacy requirements.  The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data.  In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.

The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories.  ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information.  For “non-sensitive user information,” the BROWSER Act requires opt-out consent.  And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act.
Continue Reading New Republican Privacy Bill Would Expand Scope of “Sensitive” Data

Today, Rep. Jackie Speier (D-Calif.) introduced legislation that would criminalize the non-consensual distribution of sexually explicit images, commonly referred to as “revenge porn.”

The Internet Privacy Protection Act would make it a federal crime for individuals to knowingly distribute sexually explicit images or video of a person without or with a “reckless disregard” for their

On April 27, the House of Representative unanimously passed the Email Privacy Act.  As previously reported, the proposed changes would strengthen the privacy protections for email and other cloud-storage services by closing a loophole that allowed law enforcement to access older data without obtaining a warrant.

However, while there is widespread support to require

In a unanimous vote, the House Judiciary Committee approved the Email Privacy Act, a long-awaited update to the 30-year-old Electronic Communications Privacy Act (ECPA).  The proposed changes would strengthen the privacy protections for email and other cloud-storage services by closing a loophole that allowed law enforcement to access older data without obtaining a warrant. 

Following the announcement of the President’s Cybersecurity National Action Plan (CNAP), an initiative designed to “enhance cybersecurity capabilities within the Federal Government and across the country,” the White House has released a fact sheet outlining the different components of the CNAP.  The announcement of the CNAP follows the President’s request for $19 billion in funding for cybersecurity initiatives in fiscal year 2017, an increase of 35% over the previous year’s request.  The CNAP includes a mixture of near-term measures and long-term objectives, with the ultimate goal of enhancing the federal government’s cybersecurity posture while encouraging private citizens and businesses to do the same.  Some of the most significant aspects of the CNAP, discussed further below, include:

  • The launch of a cybersecurity awareness campaign to promote the use of multi-factor authentication;
  • A “systematic” review by the White House to identify areas where the federal government can reduce the use of Social Security Numbers as individual identifiers;
  • Plans for the development of a Cybersecurity Assurance Program to test and certify connected devices against certain security standards;
  • The creation of a Chief Information Security Officer (CISO) position within the federal government, coupled with a $3.1 billion initiative to modernize federal agencies’ IT systems and applications;
  • The establishment of a commission of private sector cybersecurity experts to offer recommendations on cybersecurity initiatives; and
  • The establishment of a Federal Privacy Council, composed of representatives from various key federal agencies, to coordinate guidelines for the federal government’s collection and storage of data.

Continue Reading White House’s Cybersecurity National Action Plan (CNAP) Includes Cybersecurity Awareness Campaign, Creation of Federal Privacy Council

Earlier this week, an information-sharing bill and a data breach bill passed through committee votes in the House, setting the stage for potentially significant legislative action on key cybersecurity issues in the near future.  On Tuesday, the House Homeland Security Committee approved the National Cybersecurity Protection Advancement Act by a unanimous voice vote, following a markup session featuring debates over amendments regarding the bill’s liability protections and the possibility of a sunset provision.  Yesterday, the House Energy & Commerce Committee held a markup session for the Data Security and Breach Notification Act, eventually approving the bill by a party-line vote of 29-20.  Although the information-sharing bill is scheduled to head to the House floor for a vote next week, representatives from both parties stated that the data breach bill may need additional changes before it is brought before the full House for a vote.

The information-sharing bill, one of two recently passed out of committees in the House, would create liability protections for companies that share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.  During a markup session on Monday, the representatives agreed to an amendment from Rep. John Ratcliffe (R-Texas) to prevent information shared under the bill from being used for “engag[ing] in surveillance or other collection activities for the purpose of tracking an individual’s personally identifiable information.”  The amendment was intended as a nod to privacy advocates who have raised concerns that the bill  would create an additional source of information for the National Security Agency’s intelligence programs.  The committee rejected a proposed amendment from Rep. Cedric Richmond (D-Louisiana) that would have removed the bill’s liability protections for entities that receive cyber threat information but fail to act on it, as other representatives noted that the bill needed broad liability protections to incentivize sharing.  However, the committee did pass an amendment that removed the phrase “in good faith” from the bill’s liability protection language out of concern over the term’s ambiguity and the difficulty courts might face in interpreting it.  The removal of this language, which was present in the bill’s liability protections for sharing cyber threat indicators or defensive measure or conducting network awareness, would require these activities to be done in strict accordance with the bill’s provisions, not just in a “good faith” attempt to comply with the bill’s provisions.Continue Reading House Committees Approve Information Sharing and Data Breach Notice Bills, Setting Stage for Floor Vote