On Wednesday, the Senate Commerce Committee held a hearing on “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.”  With recent high-profile breaches, and White House officials just this week telling industry executives that federal authorities notified more than 3,000 companies of cyber attacks last year, data security continues to attract the attention of lawmakers.  Specifically, the hearing follows data-breach legislation introduced in January by Chairman John D. Rockefeller IV (D-WV), which parallels at least four other similar bills recently proposed in the Senate.  Last month, several congressional committees held hearings on the topic of cyber security and data breach, dedicating almost an entire week to the issue.

Ahead of the hearing, Chairman Rockefeller released a majority staff report analyzing the Target data breach by applying the widely used “intrusion kill chain” analytic framework.  The kill-chain doctrine illustrates how cyber threats, viewed as a progressive campaign involving a number of distinct intrusion points, can be combated by disrupting different phases of the attack chain.  Appearing in the Senate for the second time this year after discussing his company’s data breach with the Judiciary Committee last month, Target’s Chief Financial Officer John Mulligan testified at the hearing.  The single panel also included witnesses from the government and public and private sectors, including the Federal Trade Commission, Visa, and the University of Maryland, which recently suffered two data breaches. 

While Mr. Mulligan spent some time discussing the particulars of Target’s data breach and response efforts, the hearing primarily addressed industry-wide prevention and enforcement possibilities.  Committee members examined the following principal points.


In advance of a July 25 Senate Commerce Committee hearing on “The Partnership Between NIST and the Private Sector: Improving Cybersecurity,” Chairman Jay Rockefeller (D-WV) and Ranking Member John Thune (R-SD) introduced the “Cybersecurity Act of 2013” (S. 1353).

The bill avoids controversial topics such as information sharing and regulation of critical infrastructure cybersecurity and specifically states that it does not confer regulatory authority on federal, state, tribal, or local governments.

The bill focuses instead on several key issues.  First, it extends the mandate Executive Order 13,636 gave to the National Institute of Standards and Technology (“NIST”) to develop cybersecurity standards.  NIST is currently working to develop standards pursuant to the Executive Order, and the bill directs NIST to develop, on an ongoing basis, voluntary, industry-led standards and best practices to reduce risk to critical infrastructure.  In developing the standards, NIST is instructed to coordinate “closely and continuously” with the private sector, incorporate existing voluntary best practices and international standards, prevent duplication of and conflict with existing regulatory requirements, and ensure that its standards are technology-neutral.  The bill further specifies that information provided to NIST for standards development cannot be used for regulatory purposes.


A group of senators announced on Wednesday that they would renew their push for federal legislation to limit the ability of federal authorities to compel journalists to reveal information about or obtained from confidential sources, after the U.S. Department of Justice announced it would tighten its own standards for when to seek such information.

The bill, the Free Flow of Information Act of 2013, is an updated version of a reporters’ shield bill that was considered in 2009. Sen. Charles Schumer (D-NY) reintroduced the bill in mid-May of this year, co-sponsored by Sen. Lindsey Graham (R-SC). The Obama administration asked Schumer to reintroduce the bill after the U.S. Justice Department disclosed that it had obtained call records for more than 20 telephone extensions of Associated Press journalists.

The bill generally would prevent federal authorities from compelling journalists to identify confidential sources or reveal information obtained under a promise of confidentiality, unless a court determines that the government has exhausted all reasonable alternative sources of the information and the government’s need for the information outweighs the public interest in the free flow of information.


By Emily Borgen

Legislation was reintroduced in the Senate last week that would allow Internet users to opt out of certain forms of online tracking.  The bill [PDF] was previously introduced in 2011.

The “Do-Not-Track Online Act of 2013,” introduced on February 27 by Senators Rockefeller (D-W.Va.) and Blumenthal (D-Conn.), would require the Federal Trade

Today, the Senate Judiciary Committee passed the much-discussed update to the Electronic Communications Privacy Act of 1986 and the Video Privacy Protection Act of 1988 (“VPPA”).  The Committee adopted Senator Leahy’s manager’s amendment (which we discussed here), with a minor modification proposed by Senators Cornyn and Lee.

Senator Feinstein also offered an amendment to the

On Thursday, the Senate Judiciary Committee reportedly will vote on Sen. Patrick Leahy’s bill that would amend the Electronic Communications Privacy Act (ECPA) and the Video Privacy Protection Act (VPPA).  The bill would amend the VPPA by clarifying that a consumer may consent to the disclosure of her video viewing information “through an electronic means

Last Friday, Rep. Zoe Lofgren (D-CA) introduced the ECPA 2.0 Act, H.R. 6529, which would strengthen the legal standards for law enforcement to gain access to electronic communications and location information.  The Electronic Communications Privacy Act (ECPA) is more than 25 years old and is widely seen as needing modernization to address changes in digital storage, the cloud, and location-based services.  As we’ve previously noted, government access to location information is an ongoing issue for legislators, courts, and government officials.  


In the wake of the Senate’s failure to pass comprehensive cybersecurity legislation in August and amid continued discussion about the possibility of a cybersecurity executive order, Senator Jay Rockefeller has sought information directly from Fortune 500 companies. 

Senator Rockefeller has urged President Obama to issue a cybersecurity executive order, but in a letter

On July 19, 2012, Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Jay Rockefeller (D-WV), Dianne Feinstein (D-CA), and Tom Carper (D-DE) introduced a revised version of the Cybersecurity Act of 2012 (“CSA2012”), which they initially introduced in February. The revision includes elements drawn from efforts by Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) to reconcile the CSA2012 with the Republican-sponsored SECURE IT Act (S. 3342).

The new CSA2012 (S. 3414) takes a different approach than the original version to cybersecurity of critical infrastructure. The original bill would have given the Department of Homeland Security (“DHS”) authority to designate “systems or assets” as covered critical infrastructure and to require owners and operators of designated critical infrastructure to meet cybersecurity performance requirements, established by DHS. The new CSA2012, on the other hand, would rely on voluntary private sector compliance with cybersecurity standards. As Senator Lieberman explained, the revised bill relies on “carrots instead of sticks.”
