Earlier this week, an information-sharing bill and a data breach bill passed through committee votes in the House, setting the stage for potentially significant legislative action on key cybersecurity issues in the near future.  On Tuesday, the House Homeland Security Committee approved the National Cybersecurity Protection Advancement Act by a unanimous voice vote, following a markup session featuring debates over amendments regarding the bill’s liability protections and the possibility of a sunset provision.  Yesterday, the House Energy & Commerce Committee held a markup session for the Data Security and Breach Notification Act, eventually approving the bill by a party-line vote of 29-20.  Although the information-sharing bill is scheduled to head to the House floor for a vote next week, representatives from both parties stated that the data breach bill may need additional changes before it is brought before the full House for a vote.

The information-sharing bill, one of two recently passed out of committees in the House, would create liability protections for companies that share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.  During a markup session on Monday, the representatives agreed to an amendment from Rep. John Ratcliffe (R-Texas) to prevent information shared under the bill from being used for “engag[ing] in surveillance or other collection activities for the purpose of tracking an individual’s personally identifiable information.”  The amendment was intended as a nod to privacy advocates who have raised concerns that the bill  would create an additional source of information for the National Security Agency’s intelligence programs.  The committee rejected a proposed amendment from Rep. Cedric Richmond (D-Louisiana) that would have removed the bill’s liability protections for entities that receive cyber threat information but fail to act on it, as other representatives noted that the bill needed broad liability protections to incentivize sharing.  However, the committee did pass an amendment that removed the phrase “in good faith” from the bill’s liability protection language out of concern over the term’s ambiguity and the difficulty courts might face in interpreting it.  The removal of this language, which was present in the bill’s liability protections for sharing cyber threat indicators or defensive measure or conducting network awareness, would require these activities to be done in strict accordance with the bill’s provisions, not just in a “good faith” attempt to comply with the bill’s provisions.

Continue Reading House Committees Approve Information Sharing and Data Breach Notice Bills, Setting Stage for Floor Vote

As part of our continuing coverage of the Congressional Privacy Bill, we provide below a deeper examination and explanation of Title II of the bill, the Do Not Track Kids Act of 2015.  The Do Not Track Kids Act of 2015 amends the Children’s Online Privacy Protection Act (“COPPA”) by making its protections more expansive and robust.  Specifically, the bill extends COPPA’s protections to teenagers, expands the scope of the entities subject to COPPA’s provisions, and imposes new obligations on those entities.

COPPA currently requires websites and online services that knowingly collect information from children under the age of 13 or that are targeted toward children under the age of 13 to make certain disclosures and obtain parental consent before collecting and using personally identifiable information obtained from children.
Continue Reading Congressional Privacy Bill: Do Not Track Kids Act of 2015

By Caleb Skeath

As we reported last this week, the Congressional Privacy Bill (S. 547/H.R. 1053) contains provisions that would establish a national data breach notice law, along with the Commercial Privacy Rights Act of 2015 and the Do Not Track Kids Act of 2015.  Following our analysis of the Commercial Privacy Rights Act, we have analyzed the bill’s data breach provisions below.  These provisions would allow for up to 60-days for individual notifications following discovery of a breach, and the bill’s definition of “personally identifiable information” (PII) is significantly broader than any anologous definition within the current state data breach notification laws.  Continue reading for an in-depth analysis of the data breach provisions, and stay tuned for forthcoming analysis of the Do Not Track Kids Act of 2015.
Continue Reading Congressional Privacy Bill: Data Breach Notice Provisions

By Caleb Skeath

As we reported yesterday, the Congressional Privacy Bill has been released, following the release of the White House’s proposal for a privacy bill in late February.  The bill contains the Commercial Privacy Rights Act of 2015, the Congressional counterpart to the White House’s proposal, along with data breach notification provisions and the “Do Not Track Kids Act of 2015,” which proposes substantial revisions to the Children’s Online Privacy Protection Act (COPPA).  As with the White House proposal, the Privacy Rights Act would implement a comprehensive regime of substantive privacy requirements.  Our analysis of the Commercial Privacy Rights Act is below, and we will separately post further analysis of the data breach provisions as well as the Do Not Track Kids Act.
Continue Reading Congressional Privacy Bill: Commercial Privacy Rights Act of 2015

The U.S. Senate Committee on Commerce, Science, and Transportation held a hearing on February 11, 2015, entitled The Connected World: Examining the Internet of Things.  The panelists included Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology; Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center; Lance Donny, CEO of OnFarm; Douglas Davis, Vice President and General Manager of Intel’s Internet of Things Group, and Michael Abbott, General Partner at Kleiner Perkins Caufield & Byers.

While the hearing covered a variety of Internet of Things (IoT) related topics, an overarching theme the Senators contemplated was how to strike the appropriate balance between encouraging IoT innovation and protecting privacy and data security.  The opening statements of Chairman John Thune (R-SD) and Ranking Member Bill Nelson (D-FL) laid out the basic concerns underlying each side of this consideration.  Chairman Thune suggested the Committee “tread carefully and thoughtfully before stepping in with a ‘government knows best’ mentality that could halt innovation and growth” while Ranking Member Nelson called talk of overregulating a red herring and stressed that the “promise of the Internet of Things must be balanced with real concerns of privacy and the security of our networks.”  But concern about overregulation cut across party lines.  Senator Corey Booker (D-NJ), for instance, noted that government efforts in the IoT space should not “inhibit a leap in humanity.”
Continue Reading Senate Holds Internet of Things Hearing

By Caleb Skeath

Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives.  The bill (H.R. 580), which has been introduced several times in previous years, would provide a nationwide data security standard, backed by FTC enforcement and civil penalties, as well as provisions requiring notification to affected individuals in the event of a data breach.  Meanwhile, Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR), and Bill Nelson (D-FL) introduced a similar bill, the Data Security and Breach Notification Act (S. 177) this week the Senate.  The Senate bill is also a re-introduction of a previous bill, which would provide FTC-enforced security standards and individual breach notifications.

Although the text of the DATA Act has not yet been released, a release from the bill’s sponsors stated that the bill will be “substantially similar” to prior versions.  According to the release, the bill will define “personal information” to include an individual’s name in connection with (1) a Social Security number, (2) a driver’s license, passport, or other government-issued identification number, or (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account.  Commercial entities that own or process personal information would be required to implement effective information security procedures and policies to safeguard that information.  Following a breach, entities would have to notify the affected individuals, in addition to the FTC.  The FTC and state attorney generals would enforce the provisions of the bill, which would allow for civil penalties of up to $5 million for violations.  The bill’s sponsors have announced a public briefing on the bill on February 6, during which they will provide more information about the bill’s provisions.
Continue Reading Data Breach Notification Bills Introduced in House and Senate

By Caleb Skeath

Earlier this week, the Senate Committee on Homeland Security and Governmental Affairs held its first hearing of the new Congress, entitled “Protecting America from Cyber Attacks: The Importance of Information Sharing.”  The hearing focused in large part on the White House’s recent information sharing proposal, which would protect private entities from

This week, the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to discuss the Location Privacy Protection Act of 2014, a bill reintroduced in March by Senator Al Franken (D-MN).  Most concerned with the potential for misuse and abuse of location data for purposes of stalking and perpetrating domestic violence, Senator Franken, who chairs the Subcommittee on Privacy, made clear at the hearing his view that, “Stalking apps must be shut down.”  Franken clarified, however, that his bill is not only intended to protect victims of stalking, but provides basic privacy safeguards for sensitive location information pertaining to all consumers.  Most critically, Senator Franken suggested that because location data lacks sufficient legislative protection, some of the most popular apps used widely by average consumers have been found to disclose users’ precise location to third parties without obtaining user permission.  Further, he noted that in light of stalking apps that are deceptively labeled as something else, such as “parental monitoring,” it is necessary to create a law with basic rules for any service that collects location information.

The witnesses representing law enforcement, federal agencies, and consumer-advocacy and anti-domestic violence groups gave testimony sharing Senator Franken’s concerns, and also suggested that industry self-regulation in this area so far has not been consistent or transparent.  Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection, for example, noted that broadly speaking, while many industry groups and individual companies purport to adopt the opt-in model as a best practice, enforcement has shown that the standard is in fact not complied with on a regular basis. 

In response, witnesses representing industry largely rejected the notion that legislation like Senator Franken’s is needed at this time.  Expressing particular worry that laws and regulations are inflexible and can quickly become outdated in the face of rapidly evolving technologies, Lou Mastria, Executive Director of the Digital Advertising Association (“DAA”), testified that innovation is better served by self-regulation, which can adapt to new business models because it is more “nimble” than government regulation, as subcommittee ranking member Senator Jeff Flake (R-AZ) phrased it.  Mr. Mastria pointed to the DAA’s Self-Regulatory Principles as an effective framework for self-regulation.  Sally Greenberg, Executive Director of the National Consumers League, however, contested the usefulness of DAA’s code, calling it weak, “full of holes,” and “late to the game,” especially in the face of her view that there is “monumental evidence that self-regulation is not working.”

Continue Reading Senate Subcommittee Examines “Stalking Apps” Bill