This guest post was co-authored by Stephen Grossman and Michael Hayes. Stephen and Michael are partners in Montgomery McCracken’s Litigation Department and co-chairs of the firm’s Electronic Discovery practice. Stephen can be reached at 856.488.7767 or at firstname.lastname@example.org. Michael can be reached at 215.772.7211 or at email@example.com.
During his State of the Union address last evening, President Obama urged Congress to enact legislation to “better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.” The President’s call to action comes on the heels of his remarks before the Federal Trade Commission in which he outlined his administration’s latest cybersecurity and data protection proposals. Prompt consideration of the President’s proposals appears to be a hopeful prospect, with the Subcommittee on Commerce, Manufacturing, and Trade set to hold its first related hearing next week (entitled “What are the Elements of Sound Data Breach Legislation?”). More effective data protections and uniform breach notification requirements stand to benefit individuals. But will the President’s proposals better protect and support American businesses? It may be too early to tell, but one outcome of any successful legislation is likely certain: broader regulatory and enforcement power for the FTC and DOJ.
What are the key proposals the President is advocating? First, the Administration wants to “promote better cybersecurity information sharing between [and amongst] the private sector and government” by encouraging the private sector to share cyber threat information with the Department of Homeland Security. The President has alluded to certain liability protections to incent businesses to report cyber threats to DHS, but we’ve yet to see any concrete details – so more to come. According to the White House, its proposal will enable DHS to more rapidly and effectively communicate emerging threats to the private sector through new industry collectives it coins “Information Sharing and Analysis Organizations.” We’ve yet to see a draft bill on this proposal, but we will keep you posted.
Next, the Administration wants passage of a unifying, federal data breach notification statute (the “Personal Data Notification and Protection Act”) to replace the patchwork of state laws that businesses have had to contend with to date. According to the White House, businesses will have a bright-line, 30 day notification period when they discover customers’ personal or financial information has been compromised. Notification methods authorized by the proposal include mailings, personal telephone calls, emails (if authorized by the individual), and even through media outlets. Notably, the White House proposal includes provisions for authorized delays and even exemptions for good cause such as national security and law enforcement purposes, to determine the scope of the breach, to complete risk assessments, and to prevent further intrusions. If passed, this proposal will vest significant new regulatory and enforcement authority in the FTC. While a federal notification standard is sorely needed for the benefit of business and consumers, we hope that any regulation provides a clear framework and incentives to businesses for compliance.
Another Administration proposal, the Student Digital Privacy Act, focuses on the protection of students’ personal information and data collected in the educational context. Modeled on a California statute, the bill “would prevent companies from selling student data to third parties for purposes unrelated to the educational mission” or from engaging in search-engine-style targeted advertising based on data collected in schools. This should be the least controversial and most easily passed of the Administration’s several cybersecurity proposals.
The Administration also wants to “modernize” the Computer Fraud and Abuse Act by at once increasing criminal and civil penalties (including forfeiture) for violations and “ensuring that insignificant conduct does not fall within the scope of the statute.” The former, according to the White House, will help deter cyber criminals, while the latter (we surmise) is intended to prevent abusive prosecutions such as the one that led to the suicide of Aaron Swartz. This proposal may not gain sufficient traction to ensure passage. Even if it does, we doubt the CFAA amendment will have an appreciable effect on the behavior of true bad actors, and the amendments could spawn further confusion regarding what types of behavior are or are not prohibited. Hopefully, “modernization” of the CFAA won’t just mean increasing enforcement powers and penalties, but also provide better clarity on prohibited conduct. For an in-depth discussion of the proposed amendments to the CFAA, check our Orin Kerr’s post on the subject here.
No matter what side of the political aisle suits your fancy, a commitment to combating the threat of cybercrime, improving cybersecurity, and better protecting the personal and financial information of Americans is vital in our digital world. Unfortunately, that likely will mean broader government enforcement powers and a focus on companies that fail to have what the government considers adequate policies in place to protect and safeguard personal information.