Today the House voted 288-127 to pass the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624. The bill passed by a wider margin than last Congress, with 92 Democrats voting in favor of H.R. 624. Several amendments regarding privacy concerns were adopted. Ranking Member Dutch Ruppersberger (D-MD) stated after the vote “CISPA recognizes that you can’t have true security without privacy, and you can’t have privacy without security. This bill effectively works to protect both.”

Read More

Yesterday afternoon the House Permanent Select Committee on Intelligence marked up H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), which was introduced in February. The bill passed the Committee by a vote of 18-2 after the approval of six amendments.

Ranking Member Dutch Ruppersberger (D-MD) praised the “collaborative effort” on improving privacy and civil liberties, while Chairman Mike Rogers (R-MI) noted the amended bill will help American businesses protect their networks from “cyber looters” while improving the cybersecurity marketplace, and without imposing unfunded mandates or additional federal regulation on the private sector.

Written by Jeff Sural, Counsel, Legislative & Public Policy, Privacy & Data Security | Alston & Bird LLP

A California State Assembly Member has proposed legislation that would require online privacy policies to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared. California A.B. 242 was introduced by Assemblyman Ed Chau on February 6 and would amend the California Online Privacy Protection Act (Cal. Bus. and Prof. Code § 22575) with the new requirements. The bill has not yet been referred to a committee, but likely will be within the next few weeks. Assemblyman Chau was recently named Chair of the Assembly Select Committee on Privacy.

The amendments would not change the existing provisions of the statute, which requires operators of commercial websites that collect personal information to “conspicuously” post privacy policies detailing the categories of personal information collected.

Written by Bruce Sarkisian, Associate, Technology, Privacy & IP Transactions | Alston & Bird LLP

House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) re-introduced the Cyber Intelligence Sharing and Protection Act (CISPA) this morning. The bill has been numbered H.R. 624.

In their press release, Chairman Rogers and Ranking Member Ruppersberger confirmed that this bill is identical to the version that the full House of Representatives approved by a bipartisan vote of 248-168 on April 26, 2012. The bill sponsors also noted that CISPA had 112 bipartisan cosponsors last Congress. As with all pending legislation in Congress, the start of the 113th Congress last month required the bill sponsors to reintroduce the bill in order to begin the Congressional consideration process again this session.

Read More

On January 14, 2013, Singapore passed an amendment to the Computer Misuse Act (now renamed the Computer Misuse and Cybersecurity Act), which provided the government with additional authorities to prevent, detect and counter cyber attacks on critical infrastructure. Key aspects of this law include the ability of the government to direct a person or organization to take specific steps – including exercising certain powers under the criminal procedure code -- with respect to preventing, detecting, or countering a cyber threat where the threat relates to certain types of critical infrastructure. Such broad authority could encompass directing companies to conduct “pre-emptive” strikes or other measures prior to the onset of an imminent cyber attack. Importantly, the law confers immunity from any civil or criminal liability resulting from fulfilling an obligation under the law, but also provides for criminal penalties for failing to comply.

Read More

On October 15, 2012, the Singapore Parliament passed the Bill for the Personal Data Protection Act 2012. The enactment of this Act is a fundamental shift in Singapore's approach to data protection, away from the current sectoral approach to a more European-like general data protection approach. The Act aims to establish a framework for personal data protection, by including recognized data protection concepts such as consent, withdrawal, notification of purpose, and access to and correction of personal data.

Read More

Last evening, the Senate Judiciary Committee approved by voice vote a location privacy bill -- S. 1223, the Location Privacy Protection Act -- sponsored by Senator Al Franken (D-MN) and cosponsored by four other Democratic members of the committee. In his remarks before the vote, Senator Franken stated that “companies that collect our location information are not protecting it the way they should.”

Read More

This morning, Congressmen Edward J. Markey (D-MA) and Joe Barton, (R-TX), Co-Chairmen of the Congressional Bi-Partisan Privacy Caucus, hosted a roundtable briefing with Federal Trade Commission (FTC) Chairman Jonathan Leibowitz, FTC Commissioner Julie Brill, and invited representatives of companies and consumer advocacy groups to discuss the “data broker” industry and consumer concerns with the transparency of data collection practices.

Read More

Chief executives of each of the Fortune 500 companies will soon receive a letter from Senator John D. Rockefeller IV (D-W.Va.) asking them to describe how their companies address computer network security, or “cybersecurity.” In the letter, Senator Rockefeller explains that he is addressing Fortune 500 companies directly because of the recent stalling of the Cybersecurity Act (S. 3414) in the U.S. Senate.

Read More

Rep. Ed Markey (D-MA) today introduced in the U.S. House of Representatives the “Mobile Device Privacy Act”, which was numbered H.R. 6377 and will be referred to the House Energy & Commerce Committee for further consideration. Congressman Markey serves as a member of the committee and Co-Chair of the Bi-Partisan Congressional Privacy Caucus. In his released statement, the Congressman remarked, “Consumers should be in control of their personal information, including if and when their mobile devices are transmitting data to third parties.”

Read More

On August 14, 2012, Governor Andrew M. Cuomo signed a series of bills designed to enhance personal privacy protections and combat consumer fraud. A key piece of the legislative package safeguards Social Security Numbers by limiting their collection and dissemination to certain entities that have a public or practical interest in the information, including the state of New York and its political subdivisions, certain federally regulated entities and banking institutions.

Read More

This afternoon, Senators John McCain (R-AZ), Kay Bailey Hutchison (R-TX), Chuck Grassley (R-IA), Saxby Chambliss (R-GA), Lisa Murkowski (R-AK), Dan Coats (R-IN), Ron Johnson (R-WI), and Richard Burr (R-NC) reintroduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act, which now bears the number S. 3342.

Read More

Today the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “The Need for Privacy Protections: Perspectives from the Administration and the Federal Trade Commission.” The hearing examined the need for privacy legislation and the recent privacy reports from the White House and the Federal Trade Commission. Testifying on behalf of the federal government were Cameron Kerry, General Counsel at the Department of Commerce, Jon Leibowitz, Chairman of the Federal Trade Commission (FTC), and Maureen Ohlhausen, FTC Commissioner. The witness statements and an archive of the hearing webcast may be found here.

Written by Paul Martino, Partner | Alston & Bird LLP

Last week, the U.S. House of Representatives passed a slate of four cybersecurity bills as part of “Cyber Week." Here is a brief recap of the House activity:

• On Thursday, April 26, the House approved H.R. 3523, the Cyber Intelligence Sharing and Protection Act, by a vote of 248-168. The final version of the bill included amendments that addressed definitions of what information can be shared, limiting it to information linked specifically to threats to government or private networks (“cyber threat information”). An amendment offered by Rep. Mike Pompeo (R-KS) and approved by the House clarified that the Act would not alter or add government authority over private networks. Another approved amendment, offered by Rep. Ben Quayle (R-AZ), limits the use of cyber threat information, received by the government from the private sector, for cybersecurity purposes and for certain other specified purposes, including its use to prevent cyber threats and crimes to citizens that could cause them death or serious bodily harm, and its use to protect minors from sexual crimes and pornography. The bill was also amended to have it require reauthorization (or “sunset”) after five years.

Read More

Today the Obama Administration issued a Statement of Administration Policy (SAP) opposing the principal House cybersecurity bill, HR 3523, CISPA (Rogers-Ruppersberger). It states (in its final sentence) that, “if HR 3523 were presented to the President, his senior advisors would recommend he veto the bill.” As much discussed and pointed out in today’s House Rules Committee meeting, this language is not as strong as language that could have been inserted in the SAP to the effect that the President “will veto” the bill if it passes Congress. The bill is scheduled to be taken up on the House floor as early as tomorrow afternoon (with actual timing subject to when the Rules Committee issues a rule on amendments that will be in order). The vote on the amendments and bill are expected to conclude by Friday of this week, before the House begins a week-long recess next week.

Written by Paul Martino, Partner | Alston & Bird LLP

The House will be considering on the floor this week (dubbed “Cyber Week”), the following four cybersecurity bills, as described by Speaker Boehner in a press release last Friday:

• Cyber Intelligence Sharing and Protection Act (H.R. 3523), introduced by Intelligence Committee Chairman Mike Rogers (R-MI), will help private sector job creators defend themselves from attacks from countries like China and Russia by allowing the government to provide the intelligence information needed to protect their networks and their customers’ privacy. The bill also provides positive authority to private-sector entities to defend their own networks and to those of their customers, and to share cyber threat information with others in the private sector, as well as with the federal government on a purely voluntary basis.

Read More

Yesterday, the House Intelligence Committee passed H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011, by a nearly unanimous vote of 17-1. The legislation, which was introduced Wednesday by Committee Chairman Mike Rogers (R-MI), with the support and cosponsorship of a bipartisan group of 28 House members, would provide for sharing of certain classified cyber threat intelligence and information between the U.S. Government’s intelligence community and approved private sector companies and organizations. During the Committee’s markup of the bill, two amendments were approved by voice vote; the first, introduced by Chairman Rogers and Ranking Member Dutch Ruppersberger (D-MD) enhances the privacy protections in the bill by restricting the government’s use of information provided to it from private parties, and the second, introduced by Mike Thompson (D-CA) would require an annual report to Congress from the Inspector General of the Intelligence Community on information voluntarily provided by the private sector to the government to ensure it was shared for cybersecurity purposes. These reports will aid the Intelligence Committee in exercising proper Congressional oversight of the program going forward.

Read More

In a departure from most other courts, the United States Court of Appeals for the First Circuit has concluded that Maine law allows plaintiffs to recover certain damages arising from a data breach. Anderson v. Hannaford Bros. Co., --- F.3d ----, 2011 WL 5007175 (1st Cir. Oct. 20, 2011). Hannaford’s holding regarding damages, as described in detail below, highlights the potential litigation risks associated with a data breach.

Read More

This afternoon the House Republican Cybersecurity Task Force announced a report containing its recommendations on federal cybersecurity legislation pursuant to a request by the House Republican leadership to examine four critical areas: critical infrastructure and incentives, information sharing and public-private partnerships, existing cybersecurity laws, and legal authorities.

Read More

In light of changes in technology, particularly in the mobile, interactive gaming and social networking space, this past week the FTC formally requested comments to its proposed changes to the Children’s Online Privacy Protection Rule (“COPPA”).  Comments on the proposed changes are due November 28, 2011.

The changes focus on five substantive sections of the rule: (i) definitions, (ii) parental notice, (iii) parental consent, (iv) confidentiality and security, and (v) the self-regulatory safe harbor.  Key highlights are stated below.

Read More