Developments in Privacy and Cybersecurity Legislation

White & Case Technology Newsflash

On January 13, 2015, the Obama Administration presented to Congress an updated legislative proposal to improve American cybersecurity and data privacy protection.[1] The proposal was presented in the wake of "[t]he dramatic increase in cyber intrusions and the recent destructive and coercive attack on Sony Pictures Entertainment."[2] As an update to the Administration's 2011 cybersecurity legislative proposals, which we discussed in our previous post, the 2015 proposals refocus efforts to encourage Congress to pass data privacy and cybersecurity reforms to increase information sharing and streamline data breach notification laws. Namely, the proposals seek to: (1) enhance cybersecurity threat information sharing within the private sector and with the Federal Government; (2) establish a single standard to protect individuals by requiring businesses to notify them if their personal information is compromised; and (3) strengthen the ability of law enforcement to investigate and prosecute cybercrimes.[3]

Enabling Cybersecurity Information Sharing
The Administration's proposal seeks to enable cybersecurity information sharing within the private sector and between private and government entities. To protect information systems and allow for more efficient responses to attacks, the proposal encourages private sector entities to share cyber threat information with the Department of Homeland Security's National Cybersecurity and Communications Integration Center ("NCCIC").[4] Those who disclose or receive cyber threat information pursuant to the information sharing proposal would be required to make reasonable efforts to minimize the disclosure of information that identifies specific persons or that is reasonably believed to be unrelated to the threat, and to safeguard such information from unauthorized access or disclosure.[5] The proposal also provides for the creation and operation of private-sector Information Sharing and Analysis Organizations ("ISAOs") to facilitate the sharing of cyber threat information.[6] Section 106 of the information sharing proposal further provides targeted, limited liability protection for entities disclosing or receiving cyber threat information in accordance with the terms of the proposal.[7]

Law Enforcement Provisions
The Administration's Law Enforcement Provisions proposal seeks to introduce new penalties for cyber criminals and make more statutory mechanisms available for prosecution. The proposal would allow the Attorney General to prosecute and enjoin the use of botnets,[8] and proposes enhancing law enforcement authority and penalties related to the sale of spyware used for cyber theft.[9] Notably, the proposal would add offenses committed in violation of the Computer Fraud and Abuse Act ("CFAA")[10] to the list of racketeering activities in the Racketeer Influenced and Corrupt Organizations Act ("RICO"),[11] which would allow RICO to be used to prosecute cybercrimes.[12] Further, the proposal would modify provisions of the CFAA to purportedly clarify the scope of conduct that would violate the statute and exclude certain violations based on exceeding the scope of authorized access to a computer.[13] The proposed amendments would also enhance the potential penalties for CFAA violations in the hope of providing a greater deterrent effect.[14] As discussed in previous postings, the CFAA is a statute that has been scrutinized frequently in recent years with respect to its scope and inconsistent application, and we would therefore expect a significant amount of debate concerning its amendment. The Administration's proposed Personal Data Notification & Protection Act, discussed below, also provides for the criminalization of trafficking in certain stolen U.S. financial information outside of the U.S.[15]

National Data Breach Reporting
In the proposed Personal Data Notification & Protection Act, the Administration also updated what it proposed in the 2011 Personal Data Privacy and Security Act in an effort to streamline the existing patchwork of state security breach reporting laws into one federal statute. The proposal would apply to all "sensitive personally identifiable information," which is broadly defined and includes items such as unique biometric data "or any other unique physical representation".[16] The proposal would require companies that use sensitive personally identifiable information about more than 10,000 individuals during any twelve-month period to notify, within thirty days, any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired in connection with a security breach, unless there is no reasonable risk of harm or fraud to such individual.[17] The Administration's proposal also sets forth requirements for proper notice methods, the content of notices and limited exemptions from the notice requirements.[18] Compliance with the requirements of the proposed data breach reporting provisions would be enforced by the Federal Trade Commission (FTC), in consultation with the Federal Communications Commission (FCC) and the Attorney General, as well as by State Attorneys General, where appropriate.[19] The proposal, if introduced and adopted as legislation, would pre-empt similar state laws and provide some national uniformity concerning this issue.

Future Legislation
In the wake of the recent cyber-attack on Sony Pictures Entertainment, the protection of private and business information has come to the forefront of American security concerns. We can therefore expect an evolution in legislation and domestic policy within the near future. Companies should pay close attention to these developments, as they may have widespread and significant impact on commercial practices going forward. While prior federal legislative efforts in this area have failed to result in the passage of new laws, the current national debate seems to demand that something be done. It will be interesting to see which portions of these proposals are introduced and passed into law. If nothing else, these latest proposals are a reminder that now is a good time for companies to assess their cybersecurity protection and to test what they would do in the event of a data security breach.


[1] - President Obama announced the proposal at the Federal Trade Commission and later commented during the State of the Union address that "[n]o foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids." President Barack Obama, State of the Union Address (Jan. 20, 2015), transcript available at http://www.cnn.com/2015/01/20/politics/state-of-the-union-2015-transcript-full-text/.
[2] - Letter Proposal from Shaun Donovan, Director of the Office of Management and Budget (Jan. 13, 2015), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cybersecurity-letters-to-congress-house-signed.pdf.
[3] - Id.
[4] - See Cybersecurity Information Sharing Proposal, Section 103 (Jan. 13, 2015), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-information-sharing-legislative-proposal.pdf. The proposal applies to "Cyber Threat Indicators," defined as information that is necessary to indicate, describe or identify delineated evidence of potential cyber threats, from which reasonable efforts have been made to remove information that can be used to identify specific persons reasonably believed to be unrelated to the cyber threat.
[5] - See id. at Sections 103 and 107.
[6] - Further, the proposal requires various government offices and sector-specific Federal agencies to select a private entity to develop a common set of best practices for ISAOs. See id. at Section 104.
[7] - Pursuant to the proposal, cyber threat indicators shared with the NCCIC would be protected from disclosure under the Freedom of Information Act and state laws requiring disclosure, and could not be used as evidence in a regulatory enforcement action against the entity disclosing the cyber threat. See id. at Section 106.
[8] - Specifically, the proposal suggests amendments to 18 U.S.C. § 1345 that would ensure the authority of courts to shut down botnets engaged in distributed denial-of-service attacks, installing unwanted software, or using or obtaining information from 100 or more protected computers during a one-year period.
[9] - See Updated Administration Proposal: Law Enforcement Provisions, Section 102 (Jan. 13, 2015), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-law-enforcement-tools.pdf.
[10] - 18 U.S.C. § 1030. Section 1030(a)(6) would also be amended under the proposal to allow prosecution for the trafficking (defined as transferring or disposing of to another) of a "means of access," such as a botnet.
[11] - 18 U.S.C. § 1961(1).
[12] - The proposal would add to the definition of "racketeering activity" under 18 U.S.C. § 1961(1) any "act which is indictable under . . . section 1030 (relating to fraud and related activity in connection with computers) if the act indictable under section 1030 is felonious." Updated Administration Proposal: Law Enforcement Provisions (Jan. 13, 2015), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-law-enforcement-tools.pdf.
[13] - The proposal would amend 18 U.S.C. § 1030(a)(2) to provide for the following two offenses: (a) intentionally accessing a protected computer without authorization and thereby obtaining information from such protected computer; or (b) intentionally exceeding authorized access to a protected computer and thereby obtaining information from such computer, where (i) the value of the information obtained exceeds $5,000, (ii) the offense is committed in furtherance of a felony, or (iii) the protected computer is owned or operated by or on behalf of a government entity. Further, the proposal's amendment to § 1030(e)(6) would add to the definition of "exceeds authorized access" accessing a computer with authorization and using such access to obtain or alter information in such computer for a purpose the accessor knows is not authorized by the computer owner.
[14] - Criminal penalties for offenses under 18 U.S.C. § 1030 would be enhanced to include longer imprisonment terms. See Updated Administration Proposal: Law Enforcement Provisions, Section 103 (Jan. 13, 2015), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-law-enforcement-tools.pdf (proposed amendments to 18 U.S.C. § 1030(c)).
[15] - The section-by-section analysis provides that the proposal "amends Section 1029(h) of Title 18 of the United States Code to clarify that the U.S. can prosecute anyone possessing or trafficking in credit card numbers with intent to defraud where such credit cards have been issued by a U.S. financial institution, regardless of whether the trafficker is located overseas." Section by Section Analysis, Data Breach Notification, Section 201 (Jan. 13, 2015), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-data-breach-notification-section-by-section.pdf.
[16] - The Proposed Personal Data Notification & Protection Act defines "sensitive personally identifiable information" as any information or compilation of information, in electronic or digital form, that includes: (1) an individual's first name or initial and last name, combined with two of either (a) a home address or telephone number, (b) mother's maiden name, or (c) month, day, and year of birth; (2) a non-truncated social security number, driver's license number, passport number, or alien registration number or other government-issued unique identification number; (3) unique biometric data such as a fingerprint, voice print, retina or iris image, or any other unique physical representation; (4) a unique account identifier, including a financial account number, credit or debit card number, electronic identification number, user name, or routing code; (5) a user name or electronic mail address, combined with a password or security question and answer that would permit access to an online account; or (6) any combination of (a) an individual's first name or initial and last name, (b) a unique account identifier, as described above, or (c) any security code, access code, or password, or source code that could be used to generate such codes or passwords. Proposed Personal Data Notification & Protection Act, Section 1(h), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-data-breach-notification.pdf.
[17] - Specifically, notification must be made without "unreasonable delay," which the proposal characterizes as a delay of more than thirty (30) days unless the business entity seeking additional time can demonstrate that such time is "reasonably necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment, restore the reasonable integrity of the data system, or provide notice to an entity designated by the Secretary of Homeland Security to receive reports and information about information security incidents, threats, and vulnerabilities when required." Id. at Section 101(c).
[18] - See generally id. at Sections 102-06.
[19] - Id. at Sections 107-08.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2015 White & Case LLP