If you believe that Congress does best when it does least, then 2013 was an outstanding year – at least as far as privacy and data protection are concerned. Out of the dozen or so privacy or cyber security bills introduced in the 113th Congress, only four passed one house and none made it into law.
If, on the other hand, you think that the country really needs to update aspects of its privacy and cyber security laws to protect consumers, national security and critical commercial infrastructure, as well as reach decisions on the right balance between commercial and government surveillance and civil liberties, then there is a lot of work left to accomplish in 2014. The likelihood of meeting those goals is not bright. Like 2013, the coming legislative year is likely to involve many committee hearings and modest, if any, action in either the Senate or House.
House members introduced nine bills focused on aspects of cyber security. Of those, the four that saw floor action were H.R. 1163 (amendments to update the Federal Information Security Management Act); H.R. 967 (encouraging and providing funding for IT research and development); H.R. 756 (another cyber security R&D act); and H.R. 624 (the Cyber Intelligence Sharing and Protection Act or CISPA, which amends the rules by which government and industry may share information about cyber attacks and provides liability coverage to companies that provide data to the government). All four were referred to Senate committees, and none saw action in the Senate.
Of the four, the FISMA amendments bill has the best prospects for passage. It passed the House on a 416-0 vote. This is the kind of tweaking of the bureaucratic rules governing data security in federal agencies that does not engender significant industry or civil liberties opposition, so it is a safe area in which to legislate in the upcoming election year.
CISPA would work the most significant changes in cyber security and cyber attack defense procedures and requirements, including the imposition of new requirements on industry to cooperate and provide information to federal agencies in the event they experience a cyber attack. It is one of the most contentious cyber security bills currently under consideration. It is the subject of a veto threat; industries are concerned about the costs and about their ability to maintain confidentiality about their vulnerabilities to attack; and civil liberties advocates have expressed strong concerns about exposing vast amounts of consumer data held by industry to government examination and use for purposes other than responding to a cyberthreat. Civil liberties interests reject the premise in CISPA that industry needs broad immunity protections for releases of personal information to the government in order to cooperate in addressing cyber attacks. With all of these issues pending, passage of CISPA without significant modification is not likely.
In the Senate, cyber security legislation did not fare any better in 2013, and the prospects for 2014 are not much different. S. 1353, the Cybersecurity Act of 2013, calls for the National Institute of Standards and Technology (NIST) to develop a framework process to enhance industrial cyber security. The legislation never left the committee to which it was referred, but much of the substance of the bill was adopted by the President in an executive order issued in February 2013. Under the EO, NIST has been engaged in a consultation process leading to the expected publication of a “framework” document in February 2014. The other five bills introduced in the Senate, including S. 1111 (the Cyber Economic Espionage Accountability Act); S. 884 (the Deter Cyber Theft Act); S. 658 (the Cyber Warrior Act of 2013); and S. 21 (the Cybersecurity and American Cyber Competitiveness Act of 2013), all languished in committee without action.
Last week saw the introduction of the House bill with the best prospects for action in 2014: H.R. 3696, introduced on December 11 by the Chairman of the House Homeland Security Committee with support from key Democrats on the Committee. It contains many provisions from CISPA concerning the sharing of cyberthreat information, and would place responsibility for coordinating the response to cyber attacks in the Department of Homeland Security. The new bill does not contain several of the liability limitations in CISPA that raised concerns. The new bill also expressly provides that it is not intended to create any new regulatory authorities, a concern that has been raised repeatedly in the NIST Framework process initiated by the Executive Order last February. A more detailed examination of H.R. 3696 will be the subject of a separate post.
Several bills addressing narrow issues within the general category of privacy were introduced in 2013, including measures
- regulating drone surveillance (H.R. 637, H.R. 972 and H.R. 1262);
- prohibiting government agencies from obtaining the contents of electronic communications from communications service providers without a warrant (H.R. 983);
- creating criminal penalties for companies failing to report data security breaches involving sensitive personally identifiable information (H.R. 1121, S. 1193);
- amending the Electronic Communications Privacy Act (ECPA) to prohibit a provider of electronic communications services to the public from divulging the contents of stored communications to the government without a warrant or subpoena, and requiring timely notification of the customer (H.R. 1847);
- prohibiting employers from requiring employees or applicants to provide the employer with passwords to the individual’s own computer or social networking account (H.R. 2077);
- prohibiting the retrieval of data from an automobile data recorder without the owner’s consent or a court order, except to service the vehicle (H.R. 2414);
- regulating the use and storage of data from automated license plate readers by law enforcement agencies (H.R. 2644);
- regulating the interception, sharing and uses that may be made of geolocation information obtained from mobile devices (S. 639); and
- amending the FISA and regulating the broad collection and storage of communications metadata, geolocation information, and contents of electronic communications on U.S. citizens and in the U.S. (S. 1151; S. 1467; H.R. 3367 and others).
One can reconstruct the headlines of the day by reference to the bill numbers. Each is a reaction to a disclosure of practices by government and commercial businesses that received media attention during the year. None of this legislation moved beyond referral to a committee throughout 2013. There is little prospect in 2014, absent some revelation that ignites strong public reaction, of any greater legislative attention being paid to a broad privacy initiative.