Why it matters
From the President to Senators to Representatives, everyone in Washington, D.C. appears to be focused on privacy-related issues. Continuing his focus on cybersecurity, President Barack Obama signed an executive order intended to promote private-sector sharing of information about cyber threats just a few days after Sen. Tom Carper (D-Del.) introduced the Cyber Threat Sharing Act of 2015. Industry response to the order was cautiously optimistic. President and CEO of the American Bankers Association Frank Keating said the order “will help the business community and government agencies share critical threat information more effectively,” adding that lawmakers must craft a measure that “gives businesses legal certainty that they have a safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyber attacks.” The President also presented a discussion draft of his Consumer Privacy Bill of Rights to a lukewarm reaction; Sen. Robert Menendez (D-N.J.) responded with his own version, the Commercial Privacy Rights Act, which encompassed data security regulations, a data breach notification provision, and additional protections for children’s privacy. A House bill, the Data Security and Breach Notification Act, soon joined the party. Clearly, privacy and data security remain a hot topic for both the President and Congress. With so many proposals floating around the Capitol, the chances of any particular piece of legislation passing remain unclear.
Over the last few weeks, President Barack Obama has made cybersecurity issues a key focus. While attending the White House’s Summit on Cybersecurity and Consumer Protection held at Stanford University, he signed an executive order encouraging information sharing and increased cooperation between private entities and the government. “There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners,” President Obama said.
Under the auspices of the order, the Secretary of the Department of Homeland Security (DHS) “shall strongly encourage” the development and formation of Information Sharing and Analysis Organizations, or ISAOs, organized by sector, region, or in response to emerging threats or vulnerabilities.
The “Promoting Private Sector Cybersecurity Information Sharing” order is intended “to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.”
ISAOs may include members from both the public and private sectors and may be organized as for-profit or nonprofit entities. The federal point of contact for the ISAOs is the National Cybersecurity and Communications Integration Center (NCCIC) of DHS, which under the order “shall engage in continuous, collaborative, and inclusive coordination” with the groups on the sharing of information.
DHS would also be tasked with selecting a private entity to establish “a common set of voluntary standards or guidelines for the creation and functioning” of ISAOs under the order, in consultation with other federal agencies and through an open and competitive process. The standards themselves “shall further the goal of creating robust information sharing related to cybersecurity risks and incidents,” according to the order, “to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information.”
The order itself does not, and as an executive order cannot, confer liability protection on companies that share threat information; that piece is left to legislation. Under the administration’s legislative proposal, and under the Carper bill discussed below, entities that share cyber threat information with an ISAO that has self-certified its adoption of the ISAO best practices would receive liability protection for that sharing.
Lawmakers have also climbed aboard the cybersecurity bandwagon, with Sen. Tom Carper (D-Del.) introducing S. 456, the Cyber Threat Sharing Act of 2015. Similar to the President’s information sharing proposal, the bill would direct the DHS to select a private entity to identify best practices for ISAOs.
Importantly for businesses, the proposed law would provide liability protections to entities that voluntarily share lawfully obtained threat indicators with either the NCCIC or an ISAO that has self-certified that it has adopted the best practices identified by the DHS-selected private entity. Indicators shared under the bill could not be used as evidence in a regulatory action against the sharing company. The measure’s privacy protections would require businesses to make reasonable efforts to strip out information that identifies specific persons and is unrelated to the threat, for example by anonymizing it or destroying it before sharing.
On a separate front in the battle over privacy, the President also released his long-promised Consumer Privacy Bill of Rights, intended to provide baseline privacy protections for consumers in the commercial context.
Pursuant to the measure, covered entities would be required to provide consumers with concise, easy-to-understand notice about their privacy and security practices, as well as “reasonable means to control the processing of personal data about them in proportion to the privacy risk to the individual and consistent with context.”
The proposal would require companies that process personal data “in a manner that is not reasonable in light of context” to conduct a privacy risk analysis and take reasonable steps to mitigate any identified privacy risks—at a minimum, providing in-context notice about the “unreasonable” personal data practices as well as “a mechanism for control that is reasonably designed to permit individuals to exercise choice to reduce such privacy risk.”
In addition, companies would be required to delete or de-identify personal data within a reasonable time after the purposes for which the personal data were first collected are fulfilled and establish information security controls in line with accepted practices.
Enforcement powers would be granted to the Federal Trade Commission (FTC), with the potential for civil penalties of up to $25 million under certain circumstances, but the agency would not receive general rule-making authority to define privacy standards. Instead, industries would develop their own codes of conduct, which the agency would approve and enforce, and covered entities that comply with an approved code would be provided with a safe harbor.
The proposal managed to unite those on both sides of the privacy debate in general unhappiness, with claims that it both went too far and didn’t do enough. Even the FTC expressed reservations, with a spokesperson for the agency calling it “a good starting point for further discussion.”
Within a week, Sen. Robert Menendez (D-N.J.) responded with the Commercial Privacy Rights Act of 2015.
The bill, which features general privacy protections as well as specific provisions for children and a section on data breach notification, would apply to entities under the FTC’s jurisdiction, 501(c) nonprofits, and common carriers under the Communications Act that “collect, use, transfer, or store” the covered information of more than 5,000 individuals during any consecutive 12-month period.
“Covered information” is defined more narrowly in the Act than in the White House proposal: it consists of “personally identifiable information” and “unique identifier information,” including an individual’s name, e-mail address, physical address, telephone number, Social Security number, and biometric data. Other data, such as precise geographic location, is covered only when paired with one of those types of personal information.
The bill makes “unauthorized use” of such information potentially actionable, defining the term as use of covered information for any purpose not authorized by the individual.
Rulemaking authority would be granted to the FTC to establish recognized security practices (proportional to the size and type of the entity) consistent with industry norms and existing FTC guidance. Covered entities would be responsible for implementing such practices and the bill mandates privacy by design throughout the data life cycle.
Transparency is key under the bill, with the FTC also tasked with establishing rules for the collection, use, transfer, and storage of covered information. If a covered entity made material changes to any relevant information policies, it would be required to provide prior notice. The measure incorporates the principle of data minimization, limiting retention of information to the necessary time period. Consumers would be granted the right to access their covered information and a procedure for correcting any errors.
Importantly, the Act not only features a safe harbor for self-regulatory programs but also exempts entities to the extent they are subject to provisions of enumerated federal laws like the Gramm-Leach-Bliley Act, the Fair Debt Collection Practices Act, and the Fair Credit Reporting Act, among others.
Enforcement would be led by the FTC pursuant to Section 5 of the Federal Trade Commission Act, with supplementary enforcement by state attorneys general. No private right of action is provided in the bill. Civil penalties would be available of up to $33,000 per day or per affected individual, capped at a maximum of $6 million.
The bill would also strengthen children’s privacy protections under the Children’s Online Privacy Protection Act and features a data breach notification provision that sets forth the circumstances under which a covered entity must provide notice to consumers, the FTC, third parties, service providers, and credit reporting agencies of a data security failure. Exemptions exist if the company concludes “there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”
In the House, Reps. Peter Welch (D-Vt.) and Marsha Blackburn (R-Tenn.) introduced the Data Security and Breach Notification Act, the latest proposal in the long line of privacy legislation.
The bill would require entities that “acquire, maintain, store, sell or otherwise use personal information in electronic form” to maintain “reasonable security measures and practices” appropriate to the size and complexity of the business. A breach would trigger “a reasonable and prompt investigation” to determine whether identity theft, economic loss, economic harm, or financial harm could result to consumers.
If the investigation finds such a risk, the company would have 30 days to notify affected consumers.
The Act would preempt existing state data security and breach notification laws, with enforcement power granted to state attorneys general (who could recover up to $2.5 million per violation) as well as the FTC. No private cause of action is created, and companies already subject to federal data security and notification regimes would be exempt.
Documents referenced in this article: President Obama’s remarks at Stanford University; the executive order “Promoting Private Sector Cybersecurity Information Sharing”; the Cyber Threat Sharing Act of 2015 (S. 456); the proposed Consumer Privacy Bill of Rights of 2015; the Commercial Privacy Rights Act of 2015; and the Data Security and Breach Notification Act.