The National Security Act of 1947 - A Review


PENDING FEDERAL INITIATIVES TO FURTHER REGULATE DATA PRIVACY AND CYBER SECURITY

As of

Prepared for the June 14, 2012 ACSC Technical Exchange Meeting

Assembled by Colin Zick and Michele Whitham (617) with assistance from Allison Berman

Pending Federal Legislation on Cyber Security:

1. Cyber Intelligence Sharing and Protection Act of 2011 (CISPA) (H.R. 3523)

(Introduced 11/30/11 by Rep. Mike J. Rogers. Referred to the House Committee on Intelligence. On 4/26/12 the House passed the bill. On 5/7/12 the Senate received the bill and referred it to the Select Committee on Intelligence.)

CISPA would amend the National Security Act of 1947 to incorporate cyber threat intelligence provisions. Cyber threats pertain to (1) destroying government or private networks or systems or (2) illegally obtaining or misappropriating private or government information, intellectual property, or personally identifiable information. Under the Act, the Director of National Intelligence must establish procedures whereby the intelligence community shares intelligence with certified private-sector actors and encourages the continued, voluntary exchange of information from private sector companies to the government. By voluntarily providing cyber threat information to the government, private sector companies secure certain liability protections. The federal government would be able to use cyber threat information for (1) cybersecurity matters, such as cybersecurity crimes, (2) protecting against and prosecuting crimes that pose a danger of death or serious bodily injury to individuals, or (3) protecting U.S. national security. CISPA requires protection of sensitive personal documents and imposes upon a federal agency the obligation to notify the provider or entity if it receives non-threatening cyber information. Further, the federal government can act to limit the effects of information sharing on privacy and civil liberties matters. Finally, the Act establishes federal government liability for improperly using, disclosing or protecting voluntarily shared information.

CISPA passed as part of a cybersecurity package alongside three other bills (see H.R. 4257; H.R. 2096; H.R. 3834). [1] In response, the Obama administration threatens to veto the Act, arguing that voluntary information exchanges insufficiently address cyber threats; instead the White House proposes greater government oversight (see White House Cyber Security Regulatory Framework for Covered Critical Infrastructure Act). [2] Some House Democrats, the ACLU, and the Center for Democracy and Technology are among many groups criticizing the Act for offering meager privacy protections. [3] By contrast, the Telecommunication Association (TIA), representing over 500 companies, wrote a letter of support to Congressional leaders on April 18, 2012 applauding the Act's provisions. [4]

[1] See House Wraps Up Cybersecurity Week Sending Pro-Business Package to Senate, 11 Privacy & Sec. L. Rep. (BNA) No. 760 (May 7, 2012).
[2] See id. (threatening to veto on 4/25/12).
[3] See House Passes Bill to Promote Cyber-Threat Data Sharing for Government, Private Sector, 11 Privacy & Sec. L. Rep. (BNA) No. 721 (April 30, 2012).
[4] Letter from TIA to John Boehner, Speaker of the House of Rep. and Nancy Pelosi, Minority Leader of House of Rep. (April 18, 2012).

2. The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011 (H.R. 3674)

(Introduced 12/15/11 by Rep. Daniel E. Lungren. Referred to Committee on Homeland Security and Committees on Oversight and Government Reform, Science, Space and Technology, the Judiciary, and Intelligence. House Homeland Security Committee approved amended version on 4/18/12. No further action.)

PRECISE would amend the Homeland Security Act of 2002 by directing the Secretary of Homeland Security (DHS) to respond to, recover from, and mitigate against cyber threats aimed at federal information systems and other critical information systems. DHS must coordinate amongst agencies, cybersecurity officials, and private sector companies to identify and thwart risks. Notably, the amended version of the PRECISE Act would impose only limited regulations on private sector companies; instead, the Act directs the Secretary to develop market-based incentives (e.g. tax relief) to improve coordination and cooperation in the private sector. Additionally, the Act creates the National Information Sharing Organization, a quasi-governmental not-for-profit that serves as a clearinghouse for the exchange of cyber threat information amongst private and government actors.

Originally under PRECISE, the DHS would establish regulations for critical infrastructure operations through sector-specific agencies; however, the House Homeland Committee struck the sector-specific agencies provisions against objections by House Democrats. [5] The bill, at present, encourages private companies to voluntarily adopt cybersecurity standards.

[5] Compare House GOP Leadership Lines Up Series of Votes on Cybersecurity, 11 Priv. & Sec. L. Rep. No 689 (April 23, 2012) (eliminating sector-specific agency oversight), with House Panel OKs Cybersecurity Measure Calling for Incentives, Limited Regulations, 11 Privacy & Sec. L. Rep. No. 230 (Feb. 6, 2012) (including sector-specific agency oversight).

3. Cybersecurity Act of 2012 (S. 2105)

(Introduced 2/14/12 by Sen. Joseph I. Lieberman. Referred to Committee on Homeland Security and Governmental Affairs. Hearings held 2/16/12. No further action.)

The bill constitutes a comprehensive cybersecurity measure aimed at (1) identifying high risk sectors, (2) establishing means to designate critical infrastructures, (3) developing risk-based cybersecurity performance requirements, and (4) creating response and restoration plans. Critical infrastructure is defined as those assets or systems so vital to the United States that incapacity would have a debilitating impact on security, national economic security, or national public health or safety. If deemed a critical infrastructure operation, such as power, water, or transportation systems, the operation would be subject to agency oversight and regulation. Although an oversight agency remains unnamed, when appointed the agency could impose civil penalties on violators. Additionally, the Act would amend the Homeland Security Act of 2002 by consolidating cybersecurity resources under the National Center for Cybersecurity and Communications. The Act also amends the Federal Information Security Management Act of 2002 to revise information security requirements for improved cyber threat risk assessment. Further, the DHS is tasked with coordinating amongst agencies and private actors to establish a risk management strategy for securing the federal information infrastructure.

Senate members and affected industries remain at odds as to the most appropriate way to regulate cybersecurity. Sen. John McCain criticized the bill for creating performance requirement regulations rather than voluntary information sharing (see alternative bill S. 2151). [6] The U.S. Chamber of Commerce echoed these sentiments, warning that regulations will lead to increased consumer costs without necessarily improving cybersecurity. [7] On February 29, 2012, the cable, telecommunications and wireless industries wrote to Senate and House leaders imploring the adoption of a non-regulatory cybersecurity act. The White House issued support for Lieberman's Cybersecurity Act. [8] Although Sen. Harry Reid has promised Senate debate on this Act and others (see S. 2151), discussions remain delayed as of May 28,

See Senate Republicans Introduce Non-Regulatory Cybersecurity Bill, 11 Priv. & Sec. L. Rep. No. 392 (March 5, 2012).
[7] See id.
[8] See Senate Republicans Introduce Non-Regulatory Cybersecurity Bill, supra note

4. Cybersecurity Information Sharing Act of 2012 (S. 2101) (Related bill: S. 2105)

(Introduced 2/13/12 by Sen. Dianne Feinstein. Referred to Committee on Homeland Security and Governmental Affairs. No further action.)

The bill would permit private entities to monitor and respond to cyber threats received on their own and other authorized information systems. The private entities can exchange lawfully secured cyber threat information so long as the information is used only to protect against or combat cyber threats. When exchanging information, private entities must work to safeguard personal identities and may not use the information to gain an unfair competitive advantage. The relevant cyber threat information is disclosed within cybersecurity exchanges, established by the Secretary of Homeland Security (DHS). The DHS would be required to establish policies and procedures for receiving, handling, and using the threat information. The Act protects entities that monitor and exchange cyber threats by establishing the good faith defense. Here, entities can assert a complete defense against criminal and civil actions brought under the Act if the entity can establish it acted in good faith to comply with the Act. Finally, the Director of National Intelligence, the Secretary of Defense, the DHS and the Attorney General would be charged with monitoring the use and disclosure of information that may intersect with privacy and civil liberties concerns.

5. Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT) (S. 2151)

(Introduced 3/1/12 by Sen. John McCain. Referred to Committee on Commerce, Science and Transportation. A bipartisan group of Senators committed to meet as of 5/15/12 to negotiate between two competing cyber security bills (S and S. 2151). No further action.)

The SECURE IT Act responds to cyber threats using non-regulatory, voluntary information sharing schemes. Private sector companies may disclose cyber threat information to a government operated cybersecurity center. Reported threats may then be disclosed to or used by the federal government for cybersecurity or national security purposes or to prevent and investigate crimes, subject to information sharing procedures. Federal contractors providing electronic communication, remote computing or cybersecurity services to federal agencies must report cyber threats to the agency, and the contractor may also furnish the information to the cybersecurity center. Private entities that share cyber threat information secure legal protections under the Act, including an antitrust exemption and liability protections when defending their own private networks. Additionally, SECURE IT directs the Director of National Intelligence and the Secretary of Defense to establish procedures for sharing information within and amongst government agencies. SECURE IT also amends the U.S. criminal code to increase punishments and establish new penalties for various cyber crimes. Finally, the Act serves as a comprehensive measure aimed at regulating widespread cyber security matters for the future; therefore the Act establishes several programs for long term training, development, and maintenance of cyber threat information sharing.

Sen. McCain introduced the SECURE IT bill as an alternative to the Cybersecurity Act of 2012 (S. 2015), an Act that relies upon regulations for information sharing. Several industry groups applaud SECURE IT, including the U.S. Chamber of Commerce and the Internet Security Alliance. [9] A Chamber spokesman praised the Act's reliance on voluntary coordination instead of new regulations. [10] Members of the Senate and Secretary of Homeland Security, Janet Napolitano, spoke in May 2012 of the pressing need to pass federal cyber security legislation. [11] On March 27, 2012 Rep. Mary Bono Mack introduced a nearly identical version of SECURE IT in the House (H.R. 4263), which as of April 9, 2012 remains under consideration by the Subcommittee on Crime, Terrorism, and Homeland Security. Critics of both the Senate and House versions of SECURE IT have suggested that voluntary information sharing inadequately protects national security and instead urge Congress to pass mandatory regulations.

[9] See Senate Republicans Introduce Non-Regulatory Cybersecurity Bill, supra note
See id.
[11] See White House Announces Voluntary, Private Sector-Led Efforts to Combat Botnets, 11 Priv. & Sec. L. Rep. No. 892 (June 4, 2012).

6. Homeland Security Cyber and Physical Infrastructure Protection Act of 2011 (H.R. 174)

(Introduced 1/05/11 by Rep. Bennie G. Thompson. Referred to Subcommittee on Technology, Information Policy, Intergovernmental Relations and Procurement Reform. No action.)

Would amend the Homeland Security Act of 2002 to establish within the Department of Homeland Security (DHS) an Office of Cyber security and Communications, to be headed by an Assistant Secretary and to include (a) the United States Computer Emergency Readiness Team; (b) a Cyber security Compliance Division; and (c) other DHS units with primary responsibility for emergency or national cyber security. The Office would establish and enforce cyber security requirements for civilian nonmilitary and non-intelligence community federal systems to prevent, respond to and recover from cyber attacks and incidents. The Act would also require all federal entities to report any cyber incidents on their networks to the Office, which would be required to research each incident and report on the extent of compromise, the attackers, the method of penetration, the ramifications and recommended mitigation activities.

In addition, the Office would (a) establish and enforce cyber security requirements for private sector computer networks within covered critical infrastructures; (b) be required to share information regarding cyber security threats, vulnerabilities and proposed mitigations; (c) designate information received and provided to federal agencies and critical infrastructure owners and operatives as sensitive security information and enforce requirements for handling, storage and dissemination; and (d) support research, development, testing, evaluation and transition of cyber security technology relevant to large-scale, high-impact attacks.

7. (Reintroduced) Cyber security and Internet Freedom Act of 2011 (S. 413)

(Introduced 02/17/11 by Sen. Joseph I. Lieberman. Hearings held by Committee on Homeland Security and Governmental Affairs 05/23/11. One of seven Senate committees claiming jurisdiction over the issue. On 07/13/11 Sen. John McCain called for creation of temporary Select Senate Committee on Cyber Security and Electronic Intelligence Leaks to break the logjam. Efforts to reconcile Senate and White House cyber security proposals put on hold 07/18/11. Bill remained in committees as of Feb )

Would establish in the Executive Office of the President an Office of Cyberspace Policy to (a) develop national strategy to increase security and resiliency of cyberspace; (b) oversee, coordinate and integrate federal policies and activities relating to cyber security; (c) ensure that all federal agencies comply with related guidelines, policies and directives of Department of Homeland Security and other agencies; and (d) ensure that federal agencies have access to, receive, and appropriately disseminate law enforcement, intelligence, terrorism and other information relevant to the security of federal, military and intelligence information infrastructure.

Requires President to appoint Director of Cyberspace Policy within the Department of Homeland Security, which position intersects that proposed in H.R. 174 (described above), and to establish within DHS a National Center for Cyber security and Communications (NCCC), the Director of which shall work with the private sector and lead the federal effort to secure, protect and ensure resiliency of the national information infrastructure, including by creating the United States Computer Emergency Readiness Team to collect and disseminate information on risks to the infrastructure and security controls.

Declares that neither the President, the Director of the National Center for Cyber security and Communications (NCCC), nor any officer or employee of the U.S. government shall have the authority to shut down the internet, but authorizes the President to declare national cyber emergencies (for period of 30 days, to be extended only with Congressional approval) and the NCCC Director to take steps to direct owners and operators to implement required response plans and emergency actions to maintain operations. Bars other federal entities from intervening in the response (including by restricting or intercepting communications, compelling disclosure or controlling infrastructure) unless determined necessary by the Director. Requires owners and operators of critical infrastructure to certify to the Director whether they have implemented approved security and cyber emergency measures. Mandates readiness and capacity assessments of the federal workforce to respond to cyber security requirements.

8. Executive Cyberspace Coordination Act of 2011 (H.R. 1136)

(Introduced 03/16/11 by Rep. James R. Langevin. Referred to House Subcommittee on Cyber security, Infrastructure Protection and Security Technologies 03/25/11. No action.)

Would establish National Office for Cyberspace (NOC) within the Executive Office of the President, to serve as principal office for coordinating cyberspace policies, procedures and information bearing on the cyber security of federal information systems. Requires the NOC Director to (1) develop and update information security policies and procedures; (2) establish a national cyber security education and computer literacy program; (3) review federal agency budgets relating to the protection of information infrastructures; and (4) ensure the operation of a central federal information security incident center. Requires the promulgation of information security standards for federal information systems, a vulnerability assessment for all major information systems, and annual independent audits of each federal agency's information security programs and practices. Requires all federal agency contracts to include requirements for information security. Establishes a Federal Chief Technology Officer position to advise the President and agency officials on significant developments and trends in information technology and best-in-class technologies. Grants the Secretary of Homeland Security primary authority for the protection of the critical information infrastructure.

9. White House Cyber security Regulatory Framework for Covered Critical Infrastructure Act

(Introduced 05/16/11.)

Dual focus on (a) implementing national cyber security program for computer networks and critical infrastructure and (b) mandating a national standard for data breach notification.

As to national cyber security, the White House proposal would require the Department of Homeland Security (DHS) to work with the private sector to identify core critical-infrastructure operators and to prioritize the top cyber threats and vulnerabilities facing these entities. Such operators (including those already reporting to the SEC) would be required to develop cyber security risk mitigation plans that would be assessed by third-party, commercial auditors. The proposal also establishes stronger penalties for computer crimes, beefs up cyber security staffing at DHS, and updates the Federal Information Security Management Act to improve cyber security of federal information technology systems. See section by section description of the proposed legislation at

As to the national data breach notification standard, the proposal would cover businesses that collect, use, transmit, retain or dispose of sensitive personally identifiable information on more than 10,000 individuals within a 12 month period, exclusive of businesses covered by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The proposal defines sensitive personally identifiable information (SPII) as name combined with any two of full birth date, home address or telephone number, or mother's maiden name. SPII also includes full Social Security, driver's license, passport or other government-issued identification number, biometric data, a unique financial account or payment card number, or other financial information.

Covered businesses would be required to notify individuals within 60 days of SPII being unsecured by technology and to notify the Department of Homeland Security of a breach involving (a) more than 5,000 individuals; (b) a database containing information on more than 500,000 individuals; (c) a database owned by the federal government; or (d) a database containing SPII of federal employees or contractors. DHS notification would be required at least 72 hours before providing notice to affected individuals or within 10 days of discovery of the breach, whichever comes first. Breaches affecting more than 5,000 individuals in any one state would require the business to notify the individuals and also post notices in news media outlets.

The proposal also includes three breach notification exemptions, however: (1) a risk of harm trigger for when notice is required, exempting covered businesses that notify the FTC within 45 days that, upon investigation, they have concluded that there is no reasonable risk that the security breach has resulted or will result in harm; (2) an exemption for businesses that use a program that blocks unauthorized financial transactions before they are charged to individual accounts while notifying the affected individuals of the attempted security breach; and (3) an exemption if the U.S. Secret Service or FBI determines that notice could reveal sensitive sources or methods or damage national security.

The FTC would promulgate and enforce breach notification rules; state attorneys general would be authorized to file enforcement actions and impose civil penalties of up to $1,000,000 per security incident that is not willful or intentional. Individual lawsuits would be prohibited and existing state breach notification laws would be preempted. See fact sheet on the White House proposal at

10. Cyber security Enhancement Act of 2011 (H.R. 2096) (Related Bills H.R and S. 1152)

(Introduced 06/02/11 by Reps. McCaul and Lipinski and referred to the Committee on Science, Space and Technology. Reported amended on 10/31/11. Passed, as amended, by the House on 4/27/12. Received by the Senate and referred to Committee on Commerce, Science, and Transportation on 5/7/12.)

An act amending the Cyber Security Research and Development Act (15 U.S.C. 7401) in order to advance cyber security research, development and technical standards by requiring that the National Science and Technology Council, with the assistance of the National Coordination Office, develop, within twelve (12) months of the Act's passage, a strategic plan based on an overall assessment of cyber security risk to guide the overall direction of federal cyber security and information assurance R&D for information technology and networking systems. Once every three (3) years after the initial strategic plan is transmitted to Congress, said agencies shall update the plan.

The strategic plan will be required to (1) specify near-, mid- and long-term research objectives; (2) focus on innovative, transformational technologies to enhance the digital infrastructure; (3) foster new cyber technologies and applications, including the dissemination of best practices; (4) establish a national research infrastructure for creating, testing and evaluating next generation secure networking and IT systems; (5) facilitate access by academic researchers to the infrastructure and to data; and (6) engage females and minorities in fostering a more diverse cyber workforce.

The plan must also include an implementation roadmap (1) specifying the role of each Federal agency in implementation; (2) the amount and source of required funding to implement each major research objective; and (3) estimates of funding required for each major research objective for the following three (3) fiscal years.

1. Secure and Fortify Electronic Data (SAFE) Act (H.R. 2577) (Related Bills H.R. 1707, H.R. 1841, S. 1207)

(Introduced 7/18/11 by Rep. Mary Bono Mack. Referred to Subcommittee on Commerce, Manufacturing, and Trade on 7/29/11. No further action.)

The SAFE Act would direct the Federal Trade Commission to promulgate regulations requiring any person engaged in interstate commerce that possesses personal information data to create and implement security policies and procedures. Data holders must implement procedures for (1) collecting, using, and disseminating personal information; (2) identifying a primary contact for managing personal information; and (3) assessing vulnerabilities within their data information system. Upon discovering a breach, a person in interstate commerce that holds personal information must without unreasonable delay (1) notify Federal law enforcement; (2) take steps to mitigate the breach; and (3) identify and notify within forty-eight hours the affected individuals and the FTC. No notification is required if there is no reasonable risk of identity theft, fraud, or other unlawful conduct. A breach of unreadable, unusable, undecipherable and secured, encrypted data creates a presumption that no reasonable risk exists. For certain data breaches, the Act requires a person subject to the Act to provide credit monitoring to affected individuals. The FTC enforces the Act and may issue civil penalties against violators. Further, state attorneys general can prosecute under the Act. The SAFE Act exempts persons subject to requirements under HIPAA and the Gramm-Leach-Bliley Act.

Related Bills H.R. 1707, H.R and S all require the FTC, in varying ways, to regulate the area of data privacy and breach response. The four Bills were proposed approximately a year ago and remain in committee review.

The U.S. Chamber of Commerce criticized the SAFE Act in a September 26, 2011 letter to Rep. Bono Mack. The Chamber argues the Act (1) imposes too harsh penalties on entities that inadequately respond to data breaches; (2) permits attorneys general in all fifty states to prosecute under the Act, which could lead to duplicative litigation; (3) prescribes too strict a (forty-eight hour) notification window; (4) contains legally vague preemption language; and (5) requires costly credit monitoring on occasions where the risks to affected individuals are minimal.

2. (Reintroduced) Data Security Act of 2011 (S. 1434)

(Introduced 7/28/11 by Sen. Thomas R. Carper. Referred to Committee on Banking, Housing and Urban Affairs. No further action.)

Senator Carper introduced a version of this bill on three previous occasions with no success. [12] The Act requires entities to implement procedures to protect sensitive account information (financial account information) and sensitive personal information (PII) from an unauthorized breach likely to result in substantial harm or inconvenience to the consumer. The scope and sophistication of the procedures can vary depending on the size and complexity of the entity's operations. Breach notice, subject to usability standards, is required when the breach will likely result in substantial harm or inconvenience to the consumer. Substantial harm or inconvenience means "material financial loss to, or civil or criminal penalties imposed on a consumer; or the need for a consumer to expend significant time and effort to correct erroneous information." [13] Closing a financial account, or harm or inconvenience that does not rise to the level of identity theft, is not substantial under the Act. Institutions compliant with the Gramm-Leach-Bliley Act are exempt. The FTC or other appointed federal agencies enforce the Act. No private right of action or class action exists under the Act. The Act preempts state laws with regards to persons who have a duty to prevent, investigate and mitigate against data security breaches.

[12] See Carper Reintroduces Bipartisan Data Security, Breach Notice Bill, 10 Priv. & Sec. L. Rep. No (Aug. 1, 2011).
[13] S. 1434, 112th Cong. 2 (11)(A)(i) (2011).

3. Personal Data Protection and Breach Accountability Act of 2011 (S. 1535) (Related Bills S. 1151, S. 1408)

(Introduced 9/8/11 by Sen. Richard Blumenthal. Committee on Judiciary passed an amended version and placed on Senate Legislative Calendar on 9/22/11. No further action.)

This Act, as compared to S and S. 1408, represents the most expansive data privacy and breach response legislation. The Act proposes the broadest definition of personally identifiable information (PII). [14] Wherever there is a breach, subject to exceptions, the entity possessing the PII must notify affected individuals without unreasonable delay. The Act provides a safe harbor provision whereby the entity need not notify affected individuals if, after assessing the breach, there is no significant risk of identity theft or physical, economic, or significant emotional harm to the affected individuals. Bills S and S include only the identity theft and physical and economic harm elements. When conducting a risk assessment, the entity must consult with the FTC, and only if the FTC permits the entity to avail itself of the safe harbor provision may it do so. Unreadable and undecipherable data establishes a presumption of no risk, while nonencrypted data creates a presumption of risk. When a breach occurs, an entity must notify a designated government agency if the breach affected more than 5,000 individuals, the database affected holds information of more than 500,000 individuals, or the breach affected government databases. [15]

The Act provides for several exceptions. First, the Act exempts entities subject to HIPAA and the Gramm-Leach-Bliley Act. Second, in matters of national security, federal agencies may delay notification of a breach. Where notification is required, the Act requires notification to affected individuals in the form of written and telephone communications, and notification must be made publicly if more than 5,000 individuals were affected. Unlike the comparable bills, this Act requires the notifying company to pay for costs or damages incurred as a result of the breach. The FTC, Attorney General and state attorneys general can enforce violations. Finally, the Act, unlike its counterparts, provides for a non-waivable private right of action. [16]

In addition to breach response, the Act establishes a data privacy program. Entities collecting, using, or storing more than 10,000 individuals' PII must create a data security program to be monitored by the FTC. A private right of action is established for violations concerning the data security program as well. The Act preempts most state breach and privacy laws but not the state common law. Finally, the Act establishes a post-breach clearinghouse that entities can coordinate with to assess system vulnerabilities.

[14] S and S define personally identifiable information as: first and last name plus his or her home address, phone number, mother's maiden name, or birth date. KATHLEEN ANN RUANE, CONG. RESEARCH SERV., R42474, SELECTED FEDERAL DATA SECURITY BREACH LEGISLATION 3 (2012). The definition also includes: nontruncated Social Security number, driver's license number, passport number, alien registration number, or other government-issued, unique identifier on its own; cellphone GPS location; fingerprints, voice prints, retina scans, or other biometric data; or other unique account identifiers, such as financial account numbers and credit card numbers, etc. Id. S goes on to include medical history and security codes. Id.
[15] S requires a higher threshold, requiring notification if 10,000 individuals or a database with 1,000,000 million individuals is affected. Id. at

4. Privacy Act Modernization for the Information Age Act of 2011 (S. 1732) (Introduced 10/18/11. Referred to Committee on Homeland Security and Governmental Affairs. No further action.)

The Act amends the Privacy Act of 1974, the E-Government Act of 2002, and the National Intelligence Reform Act of 2004 in order to improve privacy protections for federally held PII. Federal agencies may only maintain PII in their systems of record for stated purposes, meaning only for purposes relevant and necessary to carrying out authorized government tasks. Data held by third parties, yet under the control of the federal government, is covered under the Act. The Act expands an agency's responsibilities over the collection, use, maintenance and disclosure of PII, including the obligation to ensure accuracy of data. The Office of Management and Budget (OMB) must create and maintain a centralized website that explains how and what information is stored in agencies' systems of records. The Act revises and increases penalties for violations. Damages from a class action claim are capped at ten million dollars. The E-Government Act is amended to define the oversight functions required of the OMB, which include overseeing coordination and compliance procedures within agencies, improving breach responses, and strengthening the accountability of agency officials. If a breach occurs that creates a risk of identity theft, fraud or other unlawful conduct, then the agency must notify the affected individuals. The Act establishes a Federal Chief Privacy Officer in the OMB to carry out the listed responsibilities and creates a Chief Privacy Officers Council to establish best practices. Finally, the National Intelligence Reform Act is amended to expand the authority of civil liberties officers investigating violations.

5. White House Consumer Data Privacy in a Networked World (White Paper) (Published 2/23/12.)

The Administration proposes a Consumer Privacy Bill of Rights, industry-specific codes of conduct that the Administration wants businesses to voluntarily implement and Congress to adopt in legislation. The Bill of Rights creates baseline standards on what data is collected, how it is used and secured, and the means by which consumers can control their personal data. To establish these standards, the Administration invites stakeholders from varying companies and privacy advocate groups to voluntarily participate in forums where codes of conduct will be formulated. When the codes are publicly and affirmatively adopted by entities, subject to FTC jurisdiction, the terms would become legally enforceable. Additionally, the Administration calls on Congress to increase FTC and state attorneys general enforcement authority. Finally, the Administration aims to increase global interoperability between U.S. consumer privacy data systems and frameworks in other countries. The Department of Commerce's National Telecommunications and Information Administration (NTIA) is facilitating the stakeholder efforts.[17] The NTIA is considering, as of April 2, 2012, whether the stakeholder forums will be held publicly or privately, a decision that could affect the legitimacy of the forums. On April 12, 2011, Sen. John Kerry introduced the similarly named Commercial Privacy Bill of Rights Act of 2011 (S. 799). The Act was referred on April 12, 2011, to the Committee on Commerce, Science and Transportation where it remains, although its name appears to live on through the White House bill.

[17] See Commerce Official Says Agency Will Act as Privacy Facilitator, Not Regulator, 11 Priv. & Sec. L. Rep. No. 664 (April 16, 2012).

6. BEST PRACTICES Act (Building Effective Strategies to Promote Responsibility, Accountability, Choice Transparency, Innovation, Consumer Expectations and Safeguards Act) (H.R. 611). (Introduced 02/10/11 by Rep. Bobby L. Rush, IL. Referred 02/18/11 to House Subcommittee on Commerce, Manufacturing and Trade. No further action.)

This bill would address the growing concern over the collection, storage and commercial use by internet service providers of sensitive individual information, often without transparent notice. The bill constrains the commercial conduct of covered entities, defined as persons engaged in commerce that collect or store data containing covered/sensitive information (excluding (1) governments; (2) persons storing covered information from or about fewer than 15,000 individuals; (3) persons collecting covered information from or about fewer than 10,000 individuals during any 12-month period; and (4) persons who do not use covered information to monitor or analyze the behavior of individuals as the person's primary business). The bill would require covered entities to make available to individuals whose information they collect or maintain information about their privacy practices and an individual's options with regard to such practices, including (1) the covered entity's identity; (2) a description of the purpose for and potential for information disclosure; (3) the individual's means to access the information, limit its collection, use and disclosure, and submit questions or complaints regarding the covered entity's practices. The bill also prohibits covered entities from (1) collecting, using or disclosing information except in easy-to-understand notices consistent with FTC regulations; (2) collecting or using information without the individual's consent (either affirmative or failure to decline to consent); and (3) disclosing information to a third party without affirmative consent.
Covered entities are required in addition to assure information accuracy, security, integrity and confidentiality and to provide individuals with information access and dispute resolution procedures. The bill creates certain exemptions for covered entities participating in one of the FTC's self-regulatory programs (Choice Program). It provides for FTC, state and private rights of enforcement.

7. The Commercial Privacy Bill of Rights Act of 2011 (S. 799). (Introduced 04/12/11 by Sen. John F. Kerry, MA. Read twice and referred 04/12/11 to Senate Committee on Commerce, Science and Technology. No further action.)

This bill would require the FTC to initiate various rulemakings to further secure covered information, defined as (1) personally identifiable information; (2) unique identifier information; and (3) any information collected, used or stored in such manner as may reasonably be used to identify a specific individual. One rulemaking would prescribe the security measures to be carried out by covered entities collecting, using, transferring or storing certain personal information of 5,000 or more individuals in any 12-month period. A second rulemaking would prescribe the notification, consent, inaccuracy correction, deidentification and stop-use rights of individuals whose data has been collected. The bill also limits information collection to restricted purposes for which it is reasonably necessary, sets out specific contract provisions required to use a service provider or to transfer personal information to a third party, and provides for FTC and attorneys general enforcement (but no private right of action), civil penalties and safe harbor programs.

8. Data Accountability and Trust Act (H.R. 1707). (Related Bill S and H.R. 2577). (Introduced 05/04/11 by Rep. Bobby L. Rush, IL. Referred 05/06/11 to House Subcommittee on Commerce, Manufacturing and Trade. No further action.)

A second bill directed to the FTC, which prescribes largely the same requirements as those detailed in DATA 2011 below, except that it also (1) requires that the FTC be notified of information security breaches (including method and timeliness requirements); (2) exempts from notification requirements situations where the information broker determines there is no reasonable risk of identity theft, fraud or other unlawful conduct; and (3) preempts all state information security laws.

9. Data Accountability and Trust Act (DATA) of 2011 (H.R. 1841). (Introduced 05/11/11 by Rep. Cliff Stearns, FL. Referred 05/13/11 to House Subcommittee on Commerce, Manufacturing and Trade. No further action.)

A third bill directed to the FTC, this one requiring the agency to promulgate regulations requiring persons engaged in interstate commerce who own or possess electronic data containing personal information to (1) establish security policies and procedures; (2) submit those policies to the FTC in connection with a breach or on FTC request; (3) establish procedures to verify the accuracy of information identifying individuals; (4) establish procedures permitting individuals whose personal information has been collected to request access, review and correct inaccurate information; (5) establish measures permitting the auditing or retracing of access to or transmission of electronic personal information; and (6) not obtain or disclose information through pretexting. The bill also authorizes the FTC to prescribe a standard method(s) for destroying obsolete non-electronic data and for notifying the FTC of security breaches, including special notification requirements for contractors maintaining or processing personal information, breaches involving telecommunications and computer services, and health information.

10. Personal Data Privacy and Security Act of 2011 (S. 1151). (Related Bills S and S. 1408). (Introduced 06/07/11 by Sen. Patrick J. Leahy, VT. Read twice and referred to the Senate Judiciary Committee. Hearing held by the Judiciary Committee 09/07/11. Business meeting of the Judiciary Committee to consider S. 1151 held on 09/15/11. Two amendments to the bill were adopted and four held over. On 9/22/11 Senate Judiciary Committee passed the amended version. Consideration ongoing.)

This bill aims squarely at preventing and mitigating identity theft, ensuring privacy, providing notice of security breaches and enhancing criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information. Specifically, the bill amends the federal criminal code to (1) make fraud in connection with unauthorized access of personally identifiable information (electronic or digital) a predicate for racketeering charges and (2) prohibit concealment of security breaches involving sensitive personally identifiable information, and also sets penalties for attempts and conspiracies to commit fraud in connection with computers. The bill also establishes standards for developing and implementing safeguards to protect sensitive personal information, imposes civil penalties for violating such standards, and requires that notifications of breach be given to (1) individuals whose data has been compromised; (2) all nationwide consumer reporting agencies if more than 5,000 individuals require notification; and (3) the United States Secret Service and the FBI if more than 10,000 individuals are affected. The bill authorizes the Attorney General and state attorneys general to bring civil actions against violators of the Act and requires the GSA, in awarding contracts of $500,000 or more, to take into account the data privacy and security capabilities and track record of a data broker.
Further, the bill requires federal information security programs to evaluate and audit the practices of their contractors or other business entities supporting their systems or operations involving personally identifiable information and to address discovered deficiencies. It also requires federal agencies to conduct privacy impact assessments before buying personally identifiable information from any data broker. Finally, this bill piles on in requiring data brokers (that is, business entities that collect, transmit or provide access to sensitive personally identifiable information on more than 5,000 individuals who are not customers or employees of that business in order to give the information to non-affiliated third parties on an interstate basis) to (1) disclose to individuals the personal electronic records maintained for disclosure to third parties; (2) disclose adverse actions by third parties as to the individuals; and (3) maintain procedures for correcting inaccurate or incomplete records. At an executive business meeting held on September 15, 2011, the Senate Judiciary Committee approved two amendments, one "common sense" amendment clarifying that the definition of "exceeds authorized access" in the Computer Fraud and Abuse Act does not include violations of internet terms of service agreements or non-government employment agreements restricting computer access, and the second making a variety of technical changes to the CFAA amendment. The bill was held over for further consideration, with four additional proposed amendments still pending.

11. Data Breach Notification Act of 2011 (S. 1408) (Related Bills S and S. 1535) (Introduced 07/22/11 by Sen. Dianne Feinstein, CA. On 9/22/11 Senate Judiciary Committee passed amended version. Placed on Senate Legislative Calendar 2/6/12. Consideration ongoing.)

This bill is Senator Feinstein's eighth attempt in as many years to secure passage of a federal breach notification bill.

12. Personal Data Protection and Breach Accountability Act of 2011 (S Introduced by Sen. Blumenthal on 9/8/11)


More information

Before the FEDERAL TRADE COMMISSION Washington, DC 20580. In re Maricopa Community College District

Before the FEDERAL TRADE COMMISSION Washington, DC 20580. In re Maricopa Community College District Before the FEDERAL TRADE COMMISSION Washington, DC 20580 In the Matter of ) ) Maricopa County Community College District ) ) ) Complaint, Request for Investigation, Injunction, and Other Relief Submitted

More information

Privacy Risks and Public Benefits of Big Data Federal Proposals Regarding Data Security and Privacy Regulation

Privacy Risks and Public Benefits of Big Data Federal Proposals Regarding Data Security and Privacy Regulation Privacy Risks and Public Benefits of Big Data Federal Proposals Regarding Data Security and Privacy Regulation Presented by: Francine E. Friedman (202) 887-4143 ffriedman@akingump.com January 30, 2013

More information

MEMORANDUM FOR ASSISTANT REGIONAL COUNSEL (CRIMINAL TAX) SUBJECT: Identity Theft and Assumption Deterrence Act of 1998

MEMORANDUM FOR ASSISTANT REGIONAL COUNSEL (CRIMINAL TAX) SUBJECT: Identity Theft and Assumption Deterrence Act of 1998 INTERNAL REVENUE SERVICE UIL: 9999.92-00 Number: 199911041 Release Date: 3/19/1999 CTMonica January 22, 1999 MEMORANDUM FOR ASSISTANT REGIONAL COUNSEL (CRIMINAL TAX) FROM: Barry J. Finkelstein Assistant

More information

What are you trying to secure against Cyber Attack?

What are you trying to secure against Cyber Attack? Cybersecurity Legal Landscape Bonnie Harrington Executive Counsel EHS and Product Safety & Cybersecurity GE Energy Management Imagination at work. What are you trying to secure against Cyber Attack? Personally

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731

Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731 Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731 Eric A. Fischer Senior Specialist in Science and Technology April 20, 2015 Congressional Research Service 7-5700 www.crs.gov

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg. ACCG Identity Theft Prevention Program ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.org July 2009 Contents Summary of ACCG Identity Theft Prevention Program...

More information

ANNUAL PRIVACY REPORT

ANNUAL PRIVACY REPORT THE CHIEF PRIVACY AND CIVIL LIBERTIES OFFICER AND THE OFFICE OF PRIVACY AND CIVIL LIBERTIES ANNUAL PRIVACY REPORT JANUARY 1, 2012-SEPTEMBER 30, 2013 United States Department of Justice Message from the

More information

CDT ISSUE BRIEF ON FEDERAL DATA BREACH NOTIFICATION LEGISLATION

CDT ISSUE BRIEF ON FEDERAL DATA BREACH NOTIFICATION LEGISLATION CDT ISSUE BRIEF ON FEDERAL DATA BREACH NOTIFICATION LEGISLATION January 27, 2015 A September 2014 Ponemon study found that 60% of U.S. companies have experienced more than one data breach in the past two

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

CYBER SECURITY A L E G A L P E R S P E C T I V E

CYBER SECURITY A L E G A L P E R S P E C T I V E A L E G A L P E R S P E C T I V E T H O M A S G. S C H R O E T E R A S S O C I A T E G E N E R A L C O U N S E L P O R T O F H O U S T O N A U T H O R I T Y DISCLAIMER! This presentation: does not include

More information

S. ll IN THE SENATE OF THE UNITED STATES

S. ll IN THE SENATE OF THE UNITED STATES OLL0 TH CONGRESS ST SESSION S. ll To secure the United States against cyber attack, to improve communication and collaboration between the private sector and the Federal Government, to enhance American

More information

TITLE III INFORMATION SECURITY

TITLE III INFORMATION SECURITY H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable

More information

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable Steven J. Fox (sjfox@postschell.com) Peter D. Hardy (phardy@postschell.com) Robert Brandfass (BrandfassR@wvuh.com) (Mr. Brandfass

More information

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon. Healthcare Practice Breach Notification Requirements Under HIPAA/HITECH Act and Consumer Identity Theft Protection Act August 2013 Anchorage Beijing New York Portland Seattle Washington, D.C. www.gsblaw.com

More information

S. 21 IN THE SENATE OF THE UNITED STATES

S. 21 IN THE SENATE OF THE UNITED STATES II 11TH CONGRESS 1ST SESSION S. 1 To secure the United States against cyber attack, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities

More information

Global Privacy Japan Sets its Rules for Personal Data

Global Privacy Japan Sets its Rules for Personal Data Global Privacy Japan Sets its Rules for Personal Data Global companies must comply with differing privacy rules. The great divide between the EU and the USA is well-known. See Global Privacy Protection

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This practice uses

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist July 18, 2013 CRS Report for Congress Prepared for Members and Committees of Congress Congressional Research

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION. Before the. OHIO PRIVACY and PUBLIC RECORDS ACCESS STUDY COMMITTEE. of the

PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION. Before the. OHIO PRIVACY and PUBLIC RECORDS ACCESS STUDY COMMITTEE. of the PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION Before the OHIO PRIVACY and PUBLIC RECORDS ACCESS STUDY COMMITTEE of the OHIO SENATE and HOUSE OF REPRESENTATIVES on Public Entities, Personal Information,

More information

Signed into law on February 17, 2009, the Stimulus Package known

Signed into law on February 17, 2009, the Stimulus Package known Stimulus Package Expands HIPAA Privacy and Security and Adds Federal Data Breach Notification Law Marcy Wilder, Donna A. Boswell, and BarBara Bennett The authors discuss provisions of the Stimulus Package

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

IDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE. Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs

IDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE. Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs IDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs This presentation is not meant to serve as a substitute for

More information

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

Cybersecurity: Legislation, Hearings, and Executive Branch Documents CRS Reports & Analysis Print Cybersecurity: Legislation, Hearings, and Executive Branch Documents Rita Tehan, Information Research Specialist (rtehan@crs.loc.gov, 7-6739) View Key CRS Policy Staff May

More information

PATIENT SAFETY AND QUALITY IMPROVEMENT ACT OF 2005

PATIENT SAFETY AND QUALITY IMPROVEMENT ACT OF 2005 PUBLIC LAW 109 41 JULY 29, 2005 PATIENT SAFETY AND QUALITY IMPROVEMENT ACT OF 2005 VerDate 14-DEC-2004 11:17 Aug 05, 2005 Jkt 039139 PO 00041 Frm 00001 Fmt 6579 Sfmt 6579 E:\PUBLAW\PUBL041.109 APPS10 PsN:

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule HEALTHCARE October 2009 Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule This HIPAA Update provides a detailed description of the new breach notification requirements for HIPAA

More information

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer?

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information

More information

Summary of Social Security Account Number Privacy Legislation Under Active Consideration in House and Senate (as of Sept. 5, 2007)

Summary of Social Security Account Number Privacy Legislation Under Active Consideration in House and Senate (as of Sept. 5, 2007) Summary of Social Security Account Number Privacy Legislation Under Active Consideration in House and Senate (as of Sept. 5, 2007) H.R. 3046, the Social Security Number Privacy and Identity Theft Protection

More information

FEDERAL IDENTITY THEFT TASK FORCE. On May 10, 2006, the President signed an Executive Order establishing an Identity Theft

FEDERAL IDENTITY THEFT TASK FORCE. On May 10, 2006, the President signed an Executive Order establishing an Identity Theft FEDERAL IDENTITY THEFT TASK FORCE Attorney General Alberto Gonzales Federal Trade Commission Chairman Deborah Platt Majoras On May 10, 2006, the President signed an Executive Order establishing an Identity

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

Privacy Impact Assessment

Privacy Impact Assessment AUGUST 16, 2013 Privacy Impact Assessment CIVIL PENALTY FUND AND BUREAU-ADMINISTERED REDRESS PROGRAM Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220

More information

In an age where so many businesses and systems are reliant on computer systems,

In an age where so many businesses and systems are reliant on computer systems, Cyber Security Laws and Policy Implications of these Laws In an age where so many businesses and systems are reliant on computer systems, there is a large incentive for maintaining the security of their

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He

More information

Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments

Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments Jill Moore UNC Institute of Government April 2007 In 2005, the N.C. General Assembly passed

More information

Title V Preventing Fraud and Abuse. Subtitle A- Establishment of New Health and Human Services and Department of Justice Health Care Fraud Positions

Title V Preventing Fraud and Abuse. Subtitle A- Establishment of New Health and Human Services and Department of Justice Health Care Fraud Positions Title V Preventing Fraud and Abuse Subtitle A- Establishment of New Health and Human Services and Department of Justice Health Care Fraud Positions Sec. 501. Health and Human Services Senior Advisor There

More information

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER THE DEPARTMENT OF DEFENSE [DOD-2009-OS-0183/RIN 0790-AI60]

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER THE DEPARTMENT OF DEFENSE [DOD-2009-OS-0183/RIN 0790-AI60] COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER to THE DEPARTMENT OF DEFENSE Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities By notice published

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Privacy Law Basics and Best Practices

Privacy Law Basics and Best Practices Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information