This week, as part of a strategic effort to build momentum toward next week’s State of the Union address to Congress, President Barack Obama announced legislative proposals and executive actions to improve cybersecurity. The Obama Administration’s broad array of policy proposals could have a significant impact on how companies and other entities across all sectors of the economy collect and monetize customer data, share threat information, and notify consumers in the event of a data breach. Given the breadth of the proposed initiatives, any company or similar entity that stores customer data is highly likely to be affected.
We expect contentious debate on several provisions that will set privacy advocates in opposition to industry groups. While draft text of the information sharing, data breach notification, and criminal penalty bills has been released, the White House did not consult with key Congressional committee chairmen in developing their proposals, so we expect significant changes as the bills move through the legislative process.
Promoting Cybersecurity Information Sharing: This proposed legislation would encourage the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC); in exchange, companies would be granted targeted liability protections. To qualify for liability protection, the Obama Administration’s proposal would also require private entities to comply with certain privacy restrictions, such as removing personally identifiable information (PII) and taking measures to protect any personal information that must be shared. Previous proposals to require the private sector to “scrub” PII before sharing have been opposed by industry groups but are strongly supported by privacy advocates. Liability protections would also be provided only when companies share information with the NCCIC, and not with any other government agency such as the Federal Bureau of Investigation or the National Security Agency. Many technology and telecommunications companies are wary of the Department of Homeland Security’s competence and have historically advocated for liability protections to extend to information shared with the intelligence community.
The proposal would also require the DHS and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government.
Personal Data Notification and Protection Act: This proposal would require all corporations to notify consumers within 30 days if their personal information had been exposed in a data breach, preempting the current patchwork of 46 different state laws governing the timeframe and manner by which consumers are notified.
Consideration of this bill will be particularly contentious, creating a difficult road to enactment. National breach notification laws have been proposed in every Congress since 2005 but previous attempts to move a bill through committee, most recently in 2011, lost support before passage. Clients should expect intense efforts by privacy advocates to decrease the notification time and limit the exceptions to notification that industry is already seeking.
Consumer Privacy Bill of Rights: The Obama Administration will propose a bill that would create “some basic, baseline” protections to govern the collection of data. It is unclear what principles will be included in this legislation, but the Administration will release the legislative proposal within 45 days.
Student Digital Privacy Act: This legislation would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school. The bill, modeled on a similar law in California, would update existing privacy laws, including the Family Educational Rights and Privacy Act (FERPA).
Modernizing Criminal Penalties: This legislation would allow for the prosecution of the sale of botnets (networks of compromised computers used to send spam email or participate in distributed denial-of-service attacks), would criminalize the overseas sale of stolen US financial information, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit identity theft, and would give courts the authority to shut down botnets engaged in distributed denial-of-service attacks and other criminal activity. The proposal would also update the Racketeer Influenced and Corrupt Organizations Act (RICO) so that it applies to cybercrimes, clarify the penalties for computer crimes, and modernize the Computer Fraud and Abuse Act (CFAA) by ensuring that insignificant conduct does not fall within the scope of the statute.
Cyber Executive Order: The White House will announce an Executive Order (EO) in the next few weeks that establishes an operational framework under which the private sector develops its own best practices and increases industry involvement in information sharing organizations. Specifically, the EO would task the DHS with developing a request for proposal and awarding a contract to fund a private sector entity or consortium, which would then develop best practices and guidelines for the private sector to follow. Funding will come entirely from the DHS, but the guidelines are intended to be developed by the private sector.
Pledge to Protect Student Data: The Student Digital Privacy Act (SDPA) proposal was accompanied by an announcement that the Obama Administration has secured pledges from 75 companies, including Apple and Microsoft, to provide parents and teachers with protections against the misuse of student data. Many leading educational technology companies did not sign the student privacy pledge, which indicates a lack of industry consensus and signals future trouble in passing the SDPA.
Improving Access to Credit Reports: President Obama also announced a commitment by JPMorgan Chase and Bank of America, in partnership with Fair Isaac Corporation (FICO), to provide credit scores for free to their consumer card customers. The United Services Automobile Association (USAA) and the State Employees’ Credit Union (SECU) will also offer free credit scores to their members, and Ally Financial will make credit scores available to its auto loan customers.
Broadband Access: President Obama is traveling today to Cedar Falls, Iowa to detail new steps to increase access to high-speed Internet. Details of this proposal have not been released.
Model Terms of Service for Educators: The Department of Education and its Privacy Technical Assurance Center announced a forthcoming model terms of service, as well as teacher training assistance, to help ensure educational data is used appropriately and in accordance with the educational mission.
Voluntary Code of Conduct for Smart Grid Customer Data Privacy: The Department of Energy (DOE) and the Federal Smart Grid Task Force (FSGTF) released a new Voluntary Code of Conduct (VCC) for utilities and third parties aimed at protecting electricity customer data, including energy usage information.
White House Summit: On February 13, 2015, the White House will host a Summit on Cybersecurity and Consumer Protection at Stanford University. Participants will include leaders from the White House and across the federal government; CEOs from a wide range of industries, including financial services, technology, communications, computer security, and retail companies; and law enforcement officials, consumer advocates, technical experts, and students.
Grants to Historically Black Colleges for Cybersecurity Education: On January 15, 2015, Vice President Joe Biden will travel to Norfolk, Virginia to announce that the DOE will provide $25 million in grants over the next five years to support a cybersecurity education consortium consisting of 13 Historically Black Colleges and Universities (HBCUs) and two national labs.