House of Representatives

By Ani Gevorkian

The issues of data breach notification and data security received a fair amount of attention in the House this week: On Wednesday, the House Energy and Commerce Subcommittee on Trade approved one data breach bill, and on Thursday, Rep. Jim Langevin (D-RI), co-chairman of the House Cybersecurity Caucus, announced the release of another.

The bill approved on Wednesday—the Data Security and Breach Notification Act—is sponsored by Reps. Michael Burgess (R-TX), Marsha Blackburn (R-TN), and Peter Welch (D-VT). It would require companies to maintain reasonable security practices and inform customers within 30 days if their data might have been stolen during a breach. It would also empower the Federal Trade Commission (“FTC”) to enforce the bill’s rules.
Continue Reading House Focuses on Data Breach Bills

By Ani Gevorkian

The Subcommittee on Commerce, Manufacturing, and Trade of the House Energy and Commerce Committee held a hearing on Tuesday entitled, “The Internet of Things: Exploring the Next Technology Frontier.” The hearing focused on the promises Internet of Things (“IoT”) technology holds, and what role Congress should play in addressing the challenges IoT presents, both with regard to privacy and data security concerns as well as technological concerns.

Panelists included Daniel Castro, Vice President of the Information Technology and Innovation Foundation; Brian van Harlingen, Chief Technology Officer of Belkin International, Inc.; Rose Schooler, Vice President of the IoT Group and GM of the IoT Strategy and Technology Office of Intel Corporation; and Brad Morehead, CEO of LiveWatch Security, LLC.
Continue Reading House Holds Internet of Things Hearing

As part of our continuing coverage of the Congressional Privacy Bill, we provide below a deeper examination and explanation of Title II of the bill, the Do Not Track Kids Act of 2015.  The Do Not Track Kids Act of 2015 amends the Children’s Online Privacy Protection Act (“COPPA”) by making its protections more expansive and robust.  Specifically, the bill extends COPPA’s protections to teenagers, expands the scope of the entities subject to COPPA’s provisions, and imposes new obligations on those entities.

COPPA currently requires websites and online services that knowingly collect information from children under the age of 13 or that are targeted toward children under the age of 13 to make certain disclosures and obtain parental consent before collecting and using personally identifiable information obtained from children.
Continue Reading Congressional Privacy Bill: Do Not Track Kids Act of 2015

Next Tuesday, March 24 at 11 a.m., the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing, and Trade will host a hearing entitled “The Internet of Things: Exploring the Next Technology Frontier.”  The hearing will follow an Internet of Things (“IoT”) showcase featuring Internet-connected products manufactured in members’ districts.

Congress already has begun taking

Although Senator Rand Paul (R-KY) may have received the most attention for his attendance at South by Southwest (“SXSW”) Interactive, many other members of Congress were represented this year.  Continuing our coverage of the conference, this past weekend we attended a panel on “The Future of Privacy,” featuring congressional representatives Darrell Issa (R-CA), Suzan DelBene (D-WA), and Blake Farenthold (R-TX).  All three representatives support legislation to reform the Electronic Communications Privacy Act (“ECPA”), and the panelists focused their remarks on the importance of extending warrant protections to electronic communications regardless of how long such communications are stored.

The panel began on a somewhat whimsical note with the panelists presenting photographs of themselves from the 1980s.  To drive home the point, Congressman Issa explained a great deal has changed since 1986 when ECPA was first enacted.  The panelists generally focused on the need to protect all electronic mail and other electronic communications no differently than paper records are protected.  Congressman Issa also noted that ECPA reform has an economic impact in light of the increased use of cloud services.
Continue Reading Covington at #SXSW 2015: Members of Congress Discuss Future of Privacy

By Lala Qadir

A bipartisan data security bill was unveiled last week as part of a renewed push to create standardized requirements around data breach and security issues.  Both co-sponsors of the bill, Representative Marsha Blackburn (R-TN) and Representative Peter Welch (D-VT), are members of the House Subcommittee on Commerce, Manufacturing, and Trade, and Blackburn also serves as Vice Chairman of the Energy and Commerce Committee.

Entitled the “Data Security and Breach Notification Act of 2015,” this draft legislation creates requirements on companies that collect and store personal information of individuals. Under this bill, companies would be required to use “reasonable security measures” to protect an individual’s personal information. The bill would also require a company to notify affected individuals as “expeditiously as possible” but no later than 30 days after the company has taken the “necessary measures to determine the scope of the breach and restore reasonable integrity, security, and confidentiality of the data system,” unless the delay is attributed to law enforcement or national security reasons. Companies would not be obligated to provide individual notice if there was no reasonable risk that the breach of security resulted in, or would result in, identity theft, economic loss or harm, or financial fraud. A violation of this legislation would constitute an unfair and deceptive act or practice and violations could be enforced by the Federal Trade Commission or state attorneys general. Further, both the Federal Trade Commission and state attorneys general would be able to obtain civil penalties for violations of the data security and breach notification requirements. However, no private right of action would be extended under the current draft. And the draft bill would effectively preempt the current patchwork of state statutes governing data breach notification and data security.
Continue Reading Bipartisan Data Security Bill Put Forth For Review

By Caleb Skeath

As we reported last this week, the Congressional Privacy Bill (S. 547/H.R. 1053) contains provisions that would establish a national data breach notice law, along with the Commercial Privacy Rights Act of 2015 and the Do Not Track Kids Act of 2015. Following our analysis of the Commercial Privacy Rights Act, we have analyzed the bill’s data breach provisions below. These provisions would allow for up to 60 days for individual notifications following discovery of a breach, and the bill’s definition of “personally identifiable information” (PII) is significantly broader than any analogous definition within the current state data breach notification laws. Continue reading for an in-depth analysis of the data breach provisions, and stay tuned for forthcoming analysis of the Do Not Track Kids Act of 2015.
Continue Reading Congressional Privacy Bill: Data Breach Notice Provisions

By Caleb Skeath

As we reported yesterday, the Congressional Privacy Bill has been released, following the release of the White House’s proposal for a privacy bill in late February.  The bill contains the Commercial Privacy Rights Act of 2015, the Congressional counterpart to the White House’s proposal, along with data breach notification provisions and the “Do Not Track Kids Act of 2015,” which proposes substantial revisions to the Children’s Online Privacy Protection Act (COPPA).  As with the White House proposal, the Privacy Rights Act would implement a comprehensive regime of substantive privacy requirements.  Our analysis of the Commercial Privacy Rights Act is below, and we will separately post further analysis of the data breach provisions as well as the Do Not Track Kids Act.
Continue Reading Congressional Privacy Bill: Commercial Privacy Rights Act of 2015

Just two days after disclosing publicly that it was “the target of a very sophisticated external cyber attack” in which the personal information of over 80 million customers was compromised, officials of Anthem Inc., the nation’s second largest health insurance company, are to brief staffers of the House Energy and Commerce Committee on the security breach.