Following the Guardian’s recent exposé on Whisper’s consumer-privacy practices, alleging that the social-media app that supposedly allows people “to anonymously share [their] thoughts with the world . . . in a community built around trust and honesty,” in fact tracks the geolocation of users who opted out of such data collection, Chairman of the Senate
On October 20, 2014, a bipartisan group of senators sent a letter to U.S. Senate Committee on Commerce, Science, & Transportation Chairman John D. Rockefeller IV (D-W.Va.) and Ranking Member John Thune (R-S.D.), requesting that the Committee schedule a “general oversight and information-gathering hearing” on digitally connected technologies before the end of 2014.
The letter, penned by Sens. Kelly Ayotte (R-N.H.), Cory A. Booker (D-N.J.), Deb Fischer (R-Neb.), and Brian Schatz (D-Hi), stated that the connected devices industry is expected to generate global revenues of $8.9 trillion by 2020, and that its importance would soon be felt by millions of Americans with the “proliferation of connected products” and “the upcoming holiday season.” The industry, however, raises a number of important policy questions in the areas of “consumer protection, security, privacy, technical standards, spectrum capacity, manufacturing, regulatory certainty, and public-sector applications,” the letter said.…
On Wednesday, the Senate Commerce Committee held a hearing on “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.” With recent high-profile breaches, and White House officials just this week telling industry executives that federal authorities notified more than 3,000 companies of cyber attacks last year, data security continues to attract the attention of lawmakers. Specifically, the hearing follows data-breach legislation introduced in January by Chairman John D. Rockefeller IV (D-WV), which parallels at least four other similar bills recently proposed in the Senate. Last month, several congressional committees held hearings on the topic of cyber security and data breach, dedicating almost an entire week to the issue.
Ahead of the hearing, Chairman Rockefeller released a majority staff report analyzing the Target data breach by applying the widely used “intrusion kill chain” analytic framework. The kill-chain doctrine illustrates how cyber threats, viewed as a progressive campaign involving a number of distinct intrusion points, can be combated by disrupting different phases of the attack chain. Appearing in the Senate for the second time this year after discussing his company’s data breach with the Judiciary Committee last month, Target’s Chief Financial Officer John Mulligan testified at the hearing. The single panel also included witnesses from the government and public and private sectors, including the Federal Trade Commission, Visa, and the University of Maryland, which recently suffered two data breaches.
While Mr. Mulligan spent some time discussing the particulars of Target’s data breach and response efforts, the hearing primarily addressed industry-wide prevention and enforcement possibilities. Committee members examined the following principal points.
Continuing a spate of recent legislative activity, the Senate Commerce Committee is bringing the hot topic of data breach back to the Hill. This Wednesday, the Commerce Committee will hold a hearing entitled, “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.” According to the Committee, recent data breaches at Target, Neiman Marcus, White Lodging, Snapchat, and the University of Maryland have illustrated the need to improve protections of consumer data. The hearing will examine the risks that breaches create for consumers, the lack of a federal data-security law, and several data-security bills currently pending that would establish such a federal standard. The following witnesses are scheduled to testify:
- Edith Ramirez, Chairwoman of the Federal Trade Commission
- John J. Mulligan, Vice President and Chief Financial Officer of Target
- Dr. Wallace D. Loh, President of the University of Maryland
- David Wagner, President of Entrust
- Peter J. Beshar, Executive Vice President and General Counsel of Marsh & McLennan
- Ellen Richey, Chief Enterprise Risk Officer at Visa
Last Wednesday, Senators John D. Rockefeller IV (D-WV) and Ed Markey (D-MA) introduced the Data Broker Accountability and Transparency Act, which primarily would require greater transparency from data brokers about consumer information they collect and sell. At a Senate Commerce Committee hearing held on the data broker industry in December, Rockefeller expressed concern that data brokers operate “behind a veil of secrecy” and with “very little scrutiny and oversight” in a multibillion-dollar industry that handles large quantities of personal information. A majority staff report released in advance of the hearing found, for example, that some data brokers sell information to other companies that identifies financially vulnerable consumers or individuals with serious health disabilities. In most cases, however, there is no mechanism for consumers to control or correct this information. In its March 2012 report, the Federal Trade Commission called on Congress and businesses alike to increase the transparency of and control over the practices of data brokers, specifically recommending targeted access-rights legislation and industry self-regulation by data brokers and their first-party buyers.
The Act represents not only a response to the FTC, but also the culmination of Sen. Rockefeller’s efforts of the last two years to create accountability and access to what he calls a “booming shadow industry.” The bill defines “data broker” as any “commercial entity that collects, assembles, or maintains personal information concerning an individual . . . in order to sell the information or provide third party access to the information” and imposes the following requirements.
Yesterday, the U.S. Senate Committee on Commerce, Science, and Transportation held a hearing entitled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?” At the hearing, which consisted of a single panel of witnesses from the FTC’s Bureau of Consumer Protection, the World Privacy Forum, Experian, and the Direct Marketing Association, Committee members expressed interest in bringing greater transparency to what information data brokers collect and how it is used.
In advance of the hearing, Chairman John D. Rockefeller IV (D-WV) released a majority staff report summarizing the Commerce Committee’s investigation into how data brokers collect, compile, and sell consumer information. The staff report notes that data brokers serve a beneficial function in enabling companies to provide customers with products and services specific to their interests and needs, but that certain data brokers “operate with minimal transparency” and that consumer profiling can raise “unintended privacy issues.” For this proposition, the staff report cited media reports that a major retailer had developed a pregnancy prediction model to enable the company to target marketing towards expectant mothers.
According to the Committee’s staff report, a perceived lack of transparency may present further concerns when data broker information “end[s] up in the hands of predatory businesses seeking to identify vulnerable consumers, or when marketers use consumers’ data to engage in differential pricing.”
Senate Commerce Committee members generally echoed these concerns at yesterday’s hearing. For example:
Tomorrow the U.S. Senate Committee on Commerce, Science, and Transportation will hold a hearing entitled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?” According to Chairman John D. Rockefeller IV (D-WV), the Committee will “examine the data broker industry and how industry practices may impact consumers.” The following witnesses are scheduled to testify:
- Jessica Rich, Director of the FTC’s Bureau of Consumer Protection
- Pam Dixon, Executive Director of the World Privacy Forum
- Dr. Joseph Turow, Professor at the Annenberg School for Communication
- Tony Hadley, Senior Vice President of Government Affairs and Public Policy at Experian
- Jerry Cerasale, Senior Vice President of Government Affairs and Public Policy for the Direct Marketing Association
The hearing is part of a more than year-long effort by Chairman Rockefeller to investigate the data broker industry. In October 2012, Chairman Rockefeller launched an investigation into the business practices of data brokers in order to examine how data brokers collect, compile, and sell consumer information for marketing purposes. Since September, Chairman Rockefeller has expanded his investigation by sending additional inquiries to various websites and other companies that collect personal information from both online and offline sources and then sell the data to other businesses.
In advance of a July 25 Senate Commerce Committee hearing on “The Partnership Between NIST and the Private Sector: Improving Cybersecurity,” Chairman Jay Rockefeller (D-WV) and Ranking Member John Thune (R-SD) introduced the “Cybersecurity Act of 2013” (S. 1353).
The bill avoids controversial topics such as information sharing and regulation of critical infrastructure cybersecurity and specifically states that it does not confer regulatory authority on federal, state, tribal, or local governments.
The bill focuses instead on several key issues. First, it extends the mandate Executive Order 13,636 gave to the National Institute of Standards and Technology (“NIST”) to develop cybersecurity standards. NIST is currently working to develop standards pursuant to the Executive Order, and the bill directs NIST to develop, on an ongoing basis, voluntary, industry-led standards and best practices to reduce risk to critical infrastructure. In developing the standards, NIST is instructed to coordinate “closely and continuously” with the private sector, incorporate existing voluntary best practices and international standards, prevent duplication of and conflict with existing regulatory requirements, and ensure that its standards are technology-neutral. The bill further specifies that information provided to NIST for standards-development cannot be used for regulatory purposes.
By Emily Borgen
Legislation was reintroduced in the Senate last week that would allow Internet users to opt out of certain forms of online tracking. The bill was previously introduced in 2011.
The “Do-Not-Track Online Act of 2013,” introduced on February 27 by Senators Rockefeller (D-W.Va.) and Blumenthal (D-Conn.), would require the Federal Trade…
In the wake of the Senate’s failure to pass comprehensive cybersecurity legislation in August and amid continued discussion about the possibility of a cybersecurity executive order, Senator Jay Rockefeller has sought information directly from Fortune 500 companies.