On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. Prior to H.B. 232, Kentucky was one of only four states, along with Alabama, New Mexico, and South Dakota, that had not adopted data breach notification legislation. H.B. 232 also includes a separate section …
As I last reported in August, just before Congress recessed to campaign for reelection, the Senate failed to end debate and take up the Cybersecurity Act of 2012, S. 3414, by eight votes (really only seven, as Majority Leader Reid switched his vote so as to be able to bring it up again in the …
Senate Commerce Committee Chairman John D. Rockefeller (D-WV) yesterday blanketed the entire FORTUNE 500 list of companies with a pointed letter inquiring about business opposition to cybersecurity issues and seeking a response by October 19. (Press release here) The letter asks for information on companies’ cybersecurity practices and companies’ concerns about the federal government’s role …
Last week, Rep. Ed Markey (D-MA), co-chair of the Congressional Privacy Caucus, introduced broad legislation to require multiple actors in the mobile communications ecosystem to disclose and obtain express prior consent for the installation of “monitoring software” and to adopt and disclose detailed information security requirements to be promulgated by the FTC. The bill grew …
The Obama Administration today unveiled a report entitled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. A central component of the report, which is directed at improving online privacy protections, is a “Consumer Privacy Bill of Rights.” The Consumer Privacy Bill of Rights …
The end of 2010 featured the Department of Commerce citing the need for a Privacy Bill of Rights in its green paper and the FTC's preliminary online privacy report discussing the need for a Do Not Track mechanism. The momentum generated by these reports led to the introduction of multiple versions of Do Not Track and comprehensive privacy rights bills in early 2011. By mid-2011, at least five different data security and breach notification proposals were circulating in the wake of high-profile data breaches. Reports about location-based tracking led to the introduction of geolocation privacy and surveillance bills. Proposed amendments to the Children's Online Privacy Protection Act, Electronic Communications Privacy Act, and Video Privacy Protection Act were also made. And by the end of 2011, several cybersecurity bills designed to protect critical infrastructure had been introduced. Although Congress held hearings on privacy issues, subcommittees approved several bills, and the Obama administration supported comprehensive privacy legislation, none of these bills was enacted when the first session of the 112th Congress adjourned December 18, as many had expected.
The safe prediction for 2012 is more of the same: a lot of proposals but no consensus. It is certainly possible that another high-profile data breach or cyberattack against a utility or government contractor could create enough urgency to force a consensus. However, numerous high-profile breaches (Epsilon, Sony, Citi, RSA, Lockheed Martin and several health care providers), hacktivist attacks against government security contractors (IRC Federal and HBGary), and reports about how the "weaponized" Stuxnet virus caused centrifuges in an Iranian nuclear facility to spin wildly out of control were not enough in 2011. We certainly expect to see data breach notification, comprehensive privacy, and cybersecurity bills addressed again in 2012. We may also see narrower bills aimed at online and location-based tracking as well as children's privacy. Emerging technology, including mobile payments and facial recognition, may also garner legislative attention.
Below is a round-up of the 2011 privacy and data security legislative proposals, including links to more detailed analysis from our blog posts during the year.
There has been no shortage of cybersecurity bills introduced in Congress in 2011. The Obama Administration even issued a cybersecurity legislative proposal in May 2011 that would require the Department of Homeland Security (DHS) “to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for …
The House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Mary Bono Mack (CA), approved the Secure and Fortify Electronic Data Act (H.R. 2577) (SAFE Data Act) following lengthy debate on July 20, 2011. The SAFE Data Act contains information security requirements and breach notice obligations consistent with Rep. Bono Mack’s statements following the …
Since 2008, the Federal Trade Commission (“FTC”) has announced multiple times that it would delay enforcement of the Red Flags Rule. The last Enforcement Policy announced a delay through December 31, 2010, so that Congress could consider legislation regarding the scope of entities covered by the Rule. The Rule applies to “financial institutions” and “creditors” …
On July 28, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that it withdrew the draft of the final rule for HIPAA breach notification that it had submitted in May to the Office of Management and Budget (OMB) for review. The possible reasons for such withdrawal will be discussed below, but covered entities should note that the obligation to report breaches of unsecured protected health information (PHI), which took effect on September 23, 2009, following the publication of an Interim Final Rule promulgated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), remains in effect. All covered entities, and their business associates, should have in place and adhere to an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of privacy or security of PHI.