May 9, 2012 | Posted by Paul Martino | Topic(s): Online Privacy, Federal Trade Commission (FTC), US Congress, Legislation, Marketing, The White House, Data Security, Cybersecurity, Privacy, Hearing, Senate
Today the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “The Need for Privacy Protections: Perspectives from the Administration and the Federal Trade Commission.” The hearing examined the need for privacy legislation and the recent privacy reports from the White House and the Federal Trade Commission. Testifying on behalf of the federal government were Cameron Kerry, General Counsel at the Department of Commerce, Jon Leibowitz, Chairman of the Federal Trade Commission (FTC), and Maureen Ohlhausen, FTC Commissioner. The witness statements and an archive of the hearing webcast may be found here.
|
Last week, the U.S. House of Representatives passed a slate of four cybersecurity bills as part of “Cyber Week.” Here is a brief recap of the House activity:
- On Thursday, April 26, the House approved H.R. 3523, the Cyber Intelligence Sharing and Protection Act, by a vote of 248-168. The final version of the bill included amendments that addressed definitions of what information can be shared, limiting it to information linked specifically to threats to government or private networks (“cyber threat information”). An amendment offered by Rep. Mike Pompeo (R-KS) and approved by the House clarified that the Act would not alter or add government authority over private networks. Another approved amendment, offered by Rep. Ben Quayle (R-AZ), limits the government’s use of cyber threat information received from the private sector to cybersecurity purposes and certain other specified purposes, including use to prevent cyber threats and crimes against citizens that could cause death or serious bodily harm, and use to protect minors from sexual crimes and pornography. The bill was also amended to require reauthorization (or “sunset”) after five years.
- The House also passed, on Thursday, H.R. 4257, the Federal Information Security Amendments Act of 2012, by voice vote. This bill amends the Federal Information Security Management Act (FISMA) to harmonize information security programs across civilian government agencies, in part by refocusing agency cybersecurity programs on proactively countering threats through automated and continuous monitoring of network systems activity, and by taking advantage of commercially developed information security technologies to do so.
- On Friday, April 27, the House finished its Cyber Week work by passing H.R. 2096, the Cybersecurity Enhancement Act of 2012, by a vote of 395-10, and passing H.R. 3834, the Advancing America's Networking and Information Technology Research and Development Act of 2012, by voice vote. These bills would enhance national cybersecurity research and development (R&D) as well as interagency planning and coordination.
Upon passage, these four bills were delivered to the Senate and will await further consideration there. The Senate is expected to take up cybersecurity legislation sometime next month.
|
Today the Obama Administration issued a Statement of Administration Policy (SAP) opposing the principal House cybersecurity bill, H.R. 3523, CISPA (Rogers-Ruppersberger). It states (in its final sentence) that, “if H.R. 3523 were presented to the President, his senior advisors would recommend he veto the bill.” As much discussed and pointed out in today’s House Rules Committee meeting, this language is not as strong as language that could have been inserted in the SAP to the effect that the President “will veto” the bill if it passes Congress. The bill is scheduled to be taken up on the House floor as early as tomorrow afternoon (with actual timing subject to when the Rules Committee issues a rule on the amendments that will be in order). The votes on the amendments and the bill are expected to conclude by Friday of this week, before the House begins a week-long recess next week.
|
The House will be considering on the floor this week (dubbed “Cyber Week”), the following four cybersecurity bills, as described by Speaker Boehner in a press release last Friday:
- Cyber Intelligence Sharing and Protection Act (H.R. 3523), introduced by Intelligence Committee Chairman Mike Rogers (R-MI), will help private sector job creators defend themselves from attacks from countries like China and Russia by allowing the government to provide the intelligence information needed to protect their networks and their customers’ privacy. The bill also provides positive authority to private-sector entities to defend their own networks and to those of their customers, and to share cyber threat information with others in the private sector, as well as with the federal government on a purely voluntary basis.
|
An en banc U.S. Court of Appeals for the Ninth Circuit ruled today that employers and website hosts cannot use the Computer Fraud and Abuse Act (CFAA) to prosecute users who violate company policies or website terms of use. The ruling puts the Ninth Circuit at odds with four other federal circuits that have opined on the same issue, and raises the possibility of U.S. Supreme Court review. In addition, a bill pending in the Senate would amend the CFAA to eliminate contract-based civil claims under the statute.
|
Last week the FTC issued its final report to address privacy issues associated with new and emerging technologies and business models (“Report”). This follows the FTC’s preliminary report issued in December 2010. Since the preliminary report, the FTC received and considered over 450 comments prior to making its final recommendations.
The Report articulates a privacy framework of best practices (“Framework”) for businesses to follow in developing and implementing privacy and security practices relating to the collection and use of consumer data. While not legally binding, the Framework is an indication of how the FTC will use its enforcement and regulatory authority, including its authority to challenge unfair or deceptive practices under Section 5 of the FTC Act. As such, companies should pay close attention to the Framework in order to reduce the risk of FTC enforcement action.
|
Last month, we reported that it was being widely reported that the HIPAA/HITECH Act Omnibus Final Rule would be issued in March 2012, but that it had not yet been submitted to the Office of Management and Budget (OMB) for review under Executive Order 12866.
The federal government website that reports on regulations under review by OMB now reports that the final rule was formally received by OMB for review on Saturday, March 24, 2012. Under Executive Order 12866, OMB has up to 90 days to review final rules.
As a reminder, the omnibus rule is expected to include:
- A final breach notification rule.
- A final HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act.
- A final rule implementing changes in the Privacy and Security Rules mandated by the HITECH Act, as well as other changes to the Privacy Rule proposed in July 2010.
- A final rule implementing changes to the Privacy Rule required by the Genetic Information Nondiscrimination Act.
Stay tuned for further developments.
|
Since November 2011, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has been conducting audits of covered entities (the “HIPAA Audit Program”) for compliance with the privacy and security requirements under HIPAA and the HITECH Act (collectively, the “Privacy & Security Rules”). While the Internal Revenue Service and the Department of Labor have conducted audits with respect to HIPAA’s portability requirements in the past, the HIPAA Audit Program is a new enforcement effort for HHS/OCR, which until now relied mainly on complaint-based investigations and reviews. This advisory summarizes the HIPAA Audit Program as we currently understand it and provides some basic compliance reminders that may be helpful in preparing for such an audit.
The advisory is provided in PDF on the Alston & Bird website: www.alston.com/EBEC_Advisory_HIPAA_Audit_Program
|
The United States Supreme Court Rules that Certain GPS Surveillance Constitutes a Search under the Fourth Amendment
The United States Supreme Court’s decision in U.S. v. Jones, 132 S. Ct. 945 (2012), reveals deep fractures in the Court’s Fourth Amendment jurisprudence. Although all members of the Court upheld the D.C. Circuit’s decision that a Fourth Amendment search occurred under the facts presented, they split in their fundamental reasoning in reaching that conclusion. In sum:
|
On February 22, 2012, California Attorney General Kamala D. Harris announced an agreement with the operators of the six major “app stores” to provide consumers an opportunity to review an app’s privacy policy before downloading the app. The deal with the six companies (Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion) requires the app stores to present consumers with the privacy policy for any app that collects personal information.
|
It is being widely reported that the HIPAA/HITECH Act Omnibus Final Rule will be issued in March 2012. This omnibus rule is expected to include:
- A final breach notification rule.
- A final HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act.
- A final rule implementing changes in the Privacy and Security Rules mandated by the HITECH Act, as well as other changes to the Privacy Rule proposed in July 2010.
- A final rule implementing changes to the Privacy Rule required by the Genetic Information Nondiscrimination Act.
|
The European Commission has released its final draft proposal for comprehensive reform of data protection standards in the European Union. This draft of a proposed new General Data Protection Regulation (the “Regulation”) is largely consistent with the earlier draft that was the subject of a post on this blog dated December 5, 2011. But there are a number of changes from the prior version both in the body of the Regulation and in the accompanying explanatory proposal. Notable revisions include:
|
The European Commission has prepared and circulated a draft new General Data Protection Regulation (the “Regulation”). The draft is consistent with many of the expectations the Commission set in its November 2010 communication titled “A Comprehensive Approach on Personal Data Protection in the European Union,” and in public statements since made by EU policymakers. The new draft Regulation, which would repeal Directive 95/46/EC (the “Directive”), confirms that the EC is continuing to advocate dramatic changes to the regulation of privacy and data security in the EU.
|
Yesterday, the House Intelligence Committee passed H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011, by a nearly unanimous vote of 17-1. The legislation, which was introduced Wednesday by Committee Chairman Mike Rogers (R-MI) with the support and cosponsorship of a bipartisan group of 28 House members, would provide for sharing of certain classified cyber threat intelligence and information between the U.S. Government’s intelligence community and approved private sector companies and organizations. During the Committee’s markup of the bill, two amendments were approved by voice vote: the first, introduced by Chairman Rogers and Ranking Member Dutch Ruppersberger (D-MD), enhances the privacy protections in the bill by restricting the government’s use of information provided to it by private parties; the second, introduced by Mike Thompson (D-CA), would require an annual report to Congress from the Inspector General of the Intelligence Community on information voluntarily provided by the private sector to the government, to ensure it was shared for cybersecurity purposes. These reports will aid the Intelligence Committee in exercising proper Congressional oversight of the program going forward.
Regarding the Committee vote, Chairman Rogers said, “The decisiveness of the vote shows the tremendous bipartisan support for this bill. Through hard work and compromise we have struck a delicate balance that provides strong protections for privacy and civil liberties, while still enabling effective cyber threat sharing and providing clear authority for the private sector to defend its own networks.” Ranking Member Ruppersberger echoed that sentiment as well, stating, “This has been an extraordinary bipartisan effort. I am proud of the compromise this bill represents and look forward to all stakeholders continuing to work together throughout the legislative process.” The bill will now head to the House floor and the Committee’s leadership is looking forward to working with House leadership to advance it through the chamber.
|
On November 29, the Federal Trade Commission announced that it had entered an agreement and consent order with Facebook Inc. to settle charges made by the FTC that Facebook’s changes to its website’s privacy settings in December 2009 had threatened the “health and safety” of Facebook’s users. As alleged in the FTC’s complaint, Facebook’s 2009 website changes made aspects of users’ profiles, such as name, picture, gender and friends lists public by default, retroactively overriding their existing privacy preferences without their consent. The FTC charged that these changes were in violation of Facebook’s own published privacy policy and, as a result, Facebook engaged in deceptive practices in violation of Section 5 of the FTC Act.
|
The pilot phase of the HHS Office for Civil Rights (OCR) HIPAA Privacy and Security Audit Program is now underway through December 2012.
Background. Under HITECH Act § 13411, 42 USC § 17940, HHS is required to provide for periodic audits to ensure that HIPAA covered entities and their business associates are complying with the HIPAA Privacy, Security and Breach Notification Rules.
|
In a departure from most other courts, the United States Court of Appeals for the First Circuit has concluded that Maine law allows plaintiffs to recover certain damages arising from a data breach. Anderson v. Hannaford Bros. Co., --- F.3d ----, 2011 WL 5007175 (1st Cir. Oct. 20, 2011). Hannaford’s holding regarding damages, as described in detail below, highlights the potential litigation risks associated with a data breach.
|
In response to various political pressures, including a letter dated May 11, 2011, from Senator Jay Rockefeller (D-WV) and four other senators to SEC Chairman Mary Schapiro, the Staff of the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued guidance on October 13, 2011 regarding its views on disclosure obligations relating to cybersecurity risks and cyber incidents.
While not a formal interpretation, the guidance provides valuable insight into the sort of disclosure practices registrants should consider when evaluating their own cybersecurity (including risks and incidents). In particular, the guidance clarifies registrants’ responsibility to discuss cybersecurity and cyber incidents in the risk factors and MD&A sections of their public reports. In describing risk factor disclosure obligations related to cybersecurity, the guidance notes that registrants should make disclosure if “these issues are among the most significant factors that make an investment in the company speculative or risky.” The guidance also notes that discussion of cybersecurity issues may be required in MD&A if one or more known cyber incidents, or the risks of any potential incident, are likely to materially affect the registrant’s results of operations, liquidity or financial condition. Disclosure may also be required if such an incident would cause reported financial information to be not necessarily indicative of future operating results or financial condition. The Alston & Bird securities law and legislative teams have issued a client advisory, which provides further details and color on the October 13, 2011 guidance. The advisory may be found here.
|
This afternoon the House Republican Cybersecurity Task Force announced a report containing its recommendations on federal cybersecurity legislation pursuant to a request by the House Republican leadership to examine four critical areas: critical infrastructure and incentives, information sharing and public-private partnerships, existing cybersecurity laws, and legal authorities.
The Task Force recommends actions which could be accomplished in the current Congress, and also suggests that hearings should be held in each of the four areas:
- Critical Infrastructure and Incentives: Congress should encourage private companies to improve cybersecurity by adopting voluntary incentives including, among other things, tax credits and grant funding; Congress should also streamline existing regulations and promulgate new regulations narrowly and only as necessary. The issue of insurance and liability for breaches should also be considered to encourage companies to meet mandated security standards.
- Information Sharing and Public-Private Partnerships: A new organization outside of government should be tasked with acting as an information clearinghouse for ISPs and software and hardware vendors in the event of a breach. This model would require amendment of certain existing laws to facilitate information sharing among companies (including addressing the issue of state-by-state data breach laws), and safe harbor and liability protections should be extended to private companies cooperating with this organization.
- Updating Existing Cybersecurity Laws: Several federal laws have not been updated to keep pace with the growth of technology. Some of these include the Federal Information Security Management Act and the Computer Fraud and Abuse Act; various communications and criminal statutes (including RICO) should also be updated to reflect the current state of computer and Internet use.
- Legal Authorities: Congress needs to examine the relationship between government regulation and private business, especially concerning attacks on private entities which may have public repercussions. This discussion should include the military and intelligence communities as well as business, particularly with regard to attacks originating outside the United States.
The report concludes with brief discussions of the areas of recruitment and training of cybersecurity personnel, federal research and development, procurement and the supply chain, and coordination with international laws and establishment of international security standards.
|
In light of changes in technology, particularly in the mobile, interactive gaming and social networking space, this past week the FTC formally requested comments on its proposed changes to the Children’s Online Privacy Protection Rule (“COPPA”). Comments on the proposed changes are due November 28, 2011.
The changes focus on five substantive sections of the rule: (i) definitions, (ii) parental notice, (iii) parental consent, (iv) confidentiality and security, and (v) the self-regulatory safe harbor. Key highlights are stated below.