If you believe that Congress does best when it does least, then 2013 was an outstanding year – at least as far as privacy and data protection are concerned. Out of the dozen or so privacy or cyber security bills introduced in the 113th Congress, only four passed one house and none made it into law.
If, on the other hand, you think that the country really needs to update aspects of its privacy and cyber security laws to protect consumers, national security and critical commercial infrastructure, as well as reach decisions on the right balance between commercial and government surveillance and civil liberties, then there is a lot of work left to accomplish in 2014. The likelihood of meeting those goals is not bright. Like 2013, the coming legislative year is likely to involve many committee hearings and modest, if any, action in either the Senate or House.
House members introduced nine bills focused on aspects of cyber security. Of those, the four that saw floor action were H.R. 1163 (amendments to update the Federal Information Security Management Act); H.R. 967 (encouraging and providing funding for IT research and development); H.R. 756 (another cyber security R&D act); and H.R. 624 (the Cyber Intelligence Sharing and Protection Act, or CISPA, which amends the rules by which government and industry may share information about cyber attacks and provides liability coverage to companies that provide data to the government). All four were referred to Senate committees, and none saw action in the Senate.
Of the four, the FISMA amendments bill has the best prospects for passage. It passed the House on a 416-0 vote. This is the kind of tweaking of the bureaucratic rules governing data security in federal agencies that does not engender significant industry or civil liberties opposition, so it is a safe area in which to legislate in the upcoming election year.
CISPA would make the most significant changes in cyber security and cyber attack defense procedures and requirements, including the imposition of new requirements on industry to cooperate and provide information to federal agencies in the event they experience a cyber attack. It is one of the most contentious cyber security bills currently under consideration. It is the subject of a veto threat; industries are concerned about the costs and about their ability to maintain the confidentiality of their vulnerabilities to attack; and civil liberties advocates have expressed strong concerns about exposing vast amounts of consumer data held by industry to government examination and use for purposes other than responding to a cyberthreat. Civil liberties interests reject the premise in CISPA that industry needs broad immunity protections for releases of personal information to the government in order to cooperate in addressing cyber attacks. With all of these issues pending, passage of CISPA without significant modification is not likely.
In the Senate, cyber security legislation did not fare any better in 2013, and the prospects for 2014 are not much different. S. 1353, the Cybersecurity Act of 2013, calls for the National Institute of Standards and Technology (NIST) to develop a framework process to enhance industrial cyber security. The legislation never left the committee to which it was referred, but much of the substance of the bill was adopted by the President in an executive order issued in February 2013. Under the EO, NIST has been engaged in a consultation process leading to the expected publication of a “framework” document in February 2014. The other five bills introduced in the Senate, S. 1111 (the Cyber Economic Espionage Accountability Act); S. 884 (the Deter Cyber Theft Act); S. 658 (the Cyber Warrior Act of 2013); and S. 21 (the Cybersecurity and American Cyber Competitiveness Act of 2013), have all languished in committee without action.
Last week saw the introduction of the House bill with the best prospects for action in 2014: H.R. 3696, introduced on December 11 by the Chairman of the House Homeland Security Committee with support from key Democrats on the Committee. It contains many provisions from CISPA concerning the sharing of cyberthreat information, and would place responsibility for coordinating the response to cyber attacks in the Department of Homeland Security. The new bill does not contain several of the liability limitations in CISPA that raised concerns. The new bill also expressly provides that it is not intended to create any new regulatory authorities, a concern that has been raised repeatedly in the NIST Framework process initiated by Executive Order last February. A more detailed examination of H.R. 3696 will be the subject of a separate post.
Several bills addressing narrow issues within the general category of privacy were introduced in 2013, including measures:
· regulating drone surveillance (H.R. 637, H.R. 972 and H.R. 1262);
· prohibiting government agencies from obtaining the contents of electronic communications from communications service providers without a warrant (H.R. 983);
· creating criminal penalties for companies failing to report data security breaches involving sensitive personally identifiable information (H.R. 1121, S.1193);
· amending the Electronic Communications Privacy Act (ECPA) to prohibit a provider of electronic communications services to the public from divulging the contents of stored communications to the government without a warrant or subpoena, and requiring timely notification of the customer (H.R. 1847);
· prohibiting employers from requiring employees or applicants to provide the employer with passwords to the individual’s own computer or social networking account (H.R. 2077);
· prohibiting the retrieval of data from an automobile data recorder without the owner’s consent or a court order, except to service the vehicle (H.R. 2414);
· regulating the use and storage of data from automated license plate readers by law enforcement agencies (H.R. 2644);
· regulating the interception, sharing and uses that may be made of geolocation information obtained from mobile devices (S. 639); and
· amending FISA and regulating the broad collection and storage of communications metadata, geolocation information, and contents of electronic communications on U.S. citizens and in the U.S. (S. 1151; S. 1467; H.R. 3367 and others).
One can reconstruct the headlines of the day by reference to the bill numbers. Each is a reaction to a disclosure of practices by government and commercial businesses that received media attention during the year. None of this legislation moved beyond referral to a committee throughout 2013. There is little prospect in 2014, absent some revelation that ignites strong public reaction, for any greater legislative attention to be paid to a broad privacy initiative.

Last December, the FTC gave us the long-awaited (or maybe not so much by covered entities!) final amendments to the 14-year-old Children’s Online Privacy Protection Act (COPPA) Rule (the “COPPA Rule,” and as amended, the “Amended COPPA Rule”). Published in the Federal Register on January 17th of this year and effective as of July 1st, the Amended COPPA Rule puts in place additional children’s privacy protections and imposes significant compliance obligations on websites and online services (including mobile applications) that collect personal information (including by passively tracking personal information through persistent identifiers, not just by active collection) from children under 13. The Amended COPPA Rule also extends to plug-ins and online advertising services with “actual knowledge” that they are collecting personal information from children under 13. You can access our prior blog posts on the Amended COPPA Rule as well as our compliance guide to the Amended Rule here.
Since July 1, the FTC has been busy educating businesses and consumers on the Amended COPPA Rule and reviewing applications and public comments on verifiable parental consent methods submitted under the Voluntary Commission Approval Process provision of the Amended COPPA Rule and a safe harbor program submitted under the “safe harbor” provision of the Amended COPPA Rule. You can access our blog posts on the various applications here. As of this date, the Commission has not approved the applications submitted this year.
Looking Forward to 2014
If you are covered by COPPA, one of your top resolutions for 2014 should be to make sure that your compliance house is in order. In 2013 the FTC was busy making children’s privacy rules and reviewing applications submitted under the Amended COPPA Rule, and we expect that in 2014 the Commission will be busy monitoring compliance and enforcing these rules. Penalties for violations of the Amended COPPA Rule can be steep, up to $16,000 per violation. Stay tuned for news on FTC children’s privacy enforcement actions!
In 2014, we will also be monitoring the “Do Not Track Kids Act of 2013” (S. 1700 and H.R. 3481, the “Bill”), introduced in the House and Senate on November 14th by Sens. Ed Markey (D-Massachusetts) and Mark Kirk (R-Illinois) and Reps. Joe Barton (R-Texas) and Bobby Rush (D-Illinois). Senator Markey and Representative Barton introduced a similar bill in 2011, the “Do Not Track Kids Act of 2011” (H.R. 1895), which did not pass.
The Bill has been endorsed by the American Academy of Pediatrics as well as by child advocacy and privacy groups such as the Center for Digital Democracy, Center for Science in the Public Interest, Communication Workers of America, Consumer Watchdog, and Consumer Union.
In a nutshell, the Bill (1) restricts the collection, use, and disclosure of personal information from children under 13 (“children”) and from minors over the age of 12 and under the age of 16 (“minors”) by websites, online applications, mobile applications, and online services, (2) prohibits behavioral advertising to children and minors, and (3) requires covered entities to establish a mechanism that permits the deletion of personal information of children and minors when requested. The Bill would also expand COPPA’s coverage and the FTC’s enforcement authority to telecommunication carriers and broadband Internet access services (as defined in the FCC’s Net Neutrality Order).
Last but not least, as mentioned in our prior blog post on privacy developments in California, we will be tracking preparations for California’s S.B. 568, which addresses the collection and deletion of information posted online by minors under the age of 18 and will be effective January 1, 2015.