Tag Archives: legislation

Kentucky Enacts Data Breach Notification Statute

On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. Prior to H.B. 232, Kentucky was one of only four states—including Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation. H.B. 232 also includes a separate section … Continue Reading

Cybersecurity in the Senate: Progress During the Lame Duck?

By William Weber on November 13, 2012 Posted in Cybersecurity, Federal Legislation

As I last reported in August, just before Congress recessed to campaign for reelection, the Senate failed to end debate and take up the Cybersecurity Act of 2012, S. 3414 by eight votes (really only seven, as Majority Leader Reid switched his vote so as to be able to bring it up again in the … Continue Reading

Rockefeller Questions Fortune 500 on Cybersecurity Act / Data Security Practices

By William Weber on September 20, 2012 Posted in Cybersecurity, Federal Legislation

Senate Commerce Committee Chairman John D. Rockefeller (D-WV) yesterday blanketed the entire FORTUNE 500 list of companies with a pointed letter inquiring about business opposition to cybersecurity issues and seeking a response by October 19. (Press release here) The letter asks for information on companies’ cybersecurity practices and companies’ concerns about the federal government’s role … Continue Reading

Rep. Markey Introduces Mobile Device Privacy Act Amid Hearing on App Industry Job Growth

By William Weber on September 19, 2012 Posted in Mobile Privacy

Last week, Rep. Ed Markey (D-MA), co-chair of the Congressional Privacy Caucus, introduced broad legislation to require multiple actors in the mobile communications ecosystem to disclose and obtain express prior consent for the installation of “monitoring software” and to adopt and disclose detailed information security requirements to be promulgated by the FTC. The bill grew … Continue Reading

White House Releases Consumer Online “Privacy Bill of Rights”

By Erica Gann Kitaev on February 23, 2012 Posted in Federal Legislation, Online Privacy

The Obama Administration today unveiled a report entitled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. A central component of the report, which is directed at improving online privacy protections, is a “Consumer Privacy Bill of Rights.” The Consumer Privacy Bill of Rights … Continue Reading

Online Privacy and Data Security Legislation Update — 2011 Year in Review

By Craig A. Hoffman on December 28, 2011 Posted in Children’s Privacy, Cybersecurity, Federal Legislation, Online Privacy

The end of 2010 featured the Department of Commerce citing the need for a Privacy Bill of Rights in its green paper and the FTC's preliminary online privacy report discussing the need for a Do Not Track mechanism. The momentum generated by these reports led to the introduction of multiple versions of Do Not Track and comprehensive privacy rights bills in early 2011. By mid-2011, at least five different data security and breach notification proposals were circulating in the wake of high profile data breaches. Reports about location based tracking led to the introduction of geolocation privacy and surveillance bills. Proposed amendments to the Children's Online Privacy Protection Act, Electronic Communications Privacy Act, and Video Privacy Protection Act were also made. And by the end of 2011, several cybersecurity bills designed to protect critical infrastructure had been introduced. Even though Congress held hearings on privacy issues, subcommittees approved several bills, and there was support from the Obama administration for comprehensive privacy legislation, as many expected, however, none of these bills were enacted when the first session of the 112th Congress adjourned December 18. The safe prediction for 2012 is more of the same--a lot of proposals but no consensus. It is certainly possible that another high profile data breach or cyberattack against a utility or government contractor could create enough urgency to force a consensus. However, numerous high profile breaches (Epsilon, Sony, Citi, RSA, Lockheed Martin and several health care providers), hactivist attacks against government security contractors (IRC Federal and HBGary), and reports about how the "weaponized" Stuxnet virus caused centrifuges in an Iranian nuclear facility to spin wildly out of control were not enough in 2011. We certainly expect to see data breach notification, comprehensive privacy, and cybersecurity bills addressed again in 2012. We may also see narrower bills aimed at online and location based tracking as well as Children's privacy. Emerging technology, including mobile payments and facial recognition, may also garner legislative attention. Below is a round-up of the 2011 privacy and data security legislative proposals, including links to more detailed analysis from our blog posts during the year.… Continue Reading

PRECISE Act Introduced in House to Boost Critical Infrastructure Cybersecurity

By Craig A. Hoffman on December 22, 2011 Posted in Cybersecurity, Federal Legislation

There has been no shortage of cybersecurity bills introduced in Congress in 2011. The Obama Administration even issued a cybersecurity legislative proposal in May 2011 that would require the Department of Homeland Security (DHS) “to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for … Continue Reading

SAFE Data Act Approved by House Subcommittee

By Craig A. Hoffman on July 21, 2011 Posted in Data Breach Notification Laws, Federal Legislation

The House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Mary Bono Mack (CA), approved the Secure and Fortify Electronic Data Act (H.R. 2577) (SAFE Data Act) following lengthy debate on July 20, 2011. The SAFE Data Act contains information security requirements and breach notice obligations consistent with Rep. Bono Mack’s statements following the … Continue Reading

FTC Enforcement of the Red Flags Rule Likely to Begin January 1

By Craig A. Hoffman on December 23, 2010 Posted in Enforcement, Federal Legislation

Since 2008, the Federal Trade Commission (“FTC”) has announced multiple times that it would delay enforcement of the Red Flags Rule. The last Enforcement Policy announced a delay through December 31, 2010, so that Congress could consider legislation regarding the scope of entities covered by the Rule. The Rule applies to “financial institutions” and “creditors” … Continue Reading

HHS Withdraws Draft Of Final HIPAA Breach Nofitifcation Rule

By John Mulhollan on September 2, 2010 Posted in Federal Legislation, HIPAA/HITECH, Medical Privacy

On July 28, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that it withdrew the draft of the final rule for HIPAA breach notification that it had submitted in May to the Office of Management and Budget (OMB) for review. The possible reasons for such withdrawal will be discussed below, but covered entities should note that the obligation to report breaches of unsecured protected health information (PHI), which took effect on September 23, 2009, following the publication of an Interim Final Rule promulgated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), remains in effect. All covered entities, and their business associates, should have in place and/or adhere to an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of privacy or security of PHI.… Continue Reading