Data Protection Report - Norton Rose Fulbright

Media outlets previewing the President’s upcoming State of the Union Address (to be delivered on Tuesday, January 20 at 9 pm ET) have reported that the President will name cybersecurity as one of the top issues that businesses and the government must tackle in 2015. The President has characterized cyberattacks and cyber warfare as a “direct threat” to the American economy.

Setting out the Administration’s agenda, the President, speaking at the FTC, called on Congress to enact privacy and cybersecurity bills that the White House views as critical, but which have languished in the legislative gridlock for years.

Among the key proposals:

National data breach legislation

The President is proposing legislation that would harmonize the myriad state requirements governing companies’ obligations to investigate data breaches and notify affected individuals and other parties. The proposal would create a national incident response and breach notification standard that may replace state laws. Businesses have long struggled to comply with 47 state and U.S. territory breach laws, and have clamored for a single standard.

Our take: The President has recognized that the patchwork of state laws is confusing for consumers and costly to comply for businesses. As an issue of information security, there is no reason why Congress and the President can’t find consensus on breach response laws. Both parties agree that personal information must be secured and that consumers, no matter in which state they reside, should be notified of incidents in accordance with a single standard. As a practical matter, in the current environment of dozens of state laws, when large breaches affect individuals across the US, businesses often notify affected individuals in accordance with most restrictive applicable state law. This approach may be counterproductive by encouraging over-notification and thus desensitizing consumers to breaches. This is a problem that has been documented and recognized by businesses and regulators, including the California Attorney General. All of these considerations lend support to an appropriate, reasonable and balanced national standard for breach response. This initiative may find bipartisan support until it becomes law.

Cybersecurity information sharing

The Administration is proposing to further incentivize companies to share information about cybersecurity threats. The focus of the proposal is for businesses to share “appropriate” cybersecurity threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC would share the information in near  real-time with relevant federal agencies and private sector Information Sharing and Analysis Organizations (ISAOs) (which the proposal also encourages businesses to establish). The legislation would provide “targeted liability protection for companies that share information.”

Our take: The proposal builds on the existing cybersecurity threat sharing framework, which we recently addressed. The bottom line is that while exact parameters of the liability protections mentioned by the President are not fully fleshed out, we anticipate proposals that (a) limit antitrust liability and (b) potentially, liability with respect to the reliance on information that businesses ultimately share with these information exchanges. The scope of the liability protections will be one of the critical factors in determining the feasibility of this proposal.

Computer Fraud and Abuse Act update

The President has proposed updating the Computer Fraud and Abuse Act to effectively remove “insignificant conduct” from the scope of activities that may result in liability. The proposal seeks to accomplish that goal by significantly limiting the prosecution of users under the CFAA on the theory of “exceeding” the limits of authorized access to a computer. The CFAA would, however, continue to allow prosecutions based on allegations of  access to government-owned computers, or when the alleged value of stolen information exceeds $5,000. The proposal also seeks to add CFAA offenses to the RICO Act, criminalize foreign trade in stolen US financial data, and expand law enforcement authority with respect to cyber incidents.

Our take: The CFAA provisions imposing liability for exceeding the user’s authority have long remained controversial. One of the persistent complaints by commentators has been that the law—designed to address hacking— is being co-opted to, for example, punish employees who take work-related files when leaving their jobs. This issue lead to a Circuit split, with the Ninth Circuit and the Fourth Circuit holding that the CFAA does not impose liability for exceeding computer “use” restriction (e.g., do not use the computer for non-business purposes or do not use the database or other files for non-business purposes). This view of the law conflicts with the First, Fifth, Eighth, and Eleventh Circuits, which have held that users that violate such use restrictions also run afoul of the CFAA. The CFAA came into a more prominent national spotlight when Aaron Swartz—an American computer programmer, entrepreneur, writer, and political organizer—was charged with violating the act by exceeding his authorized access to a digital research library. The prosecution—which was widely seen as overly aggressive and not justified—is thought to have contributed to Mr. Swartz’s suicide.

There is little doubt that the updates to the CFAA that the President has proposed seek to change the dynamic of the law in light of the Circuit split and the case of Mr. Swartz. The fate of this proposal is difficult to judge, however. While there is a need to use the law to prosecute the cases it was intended to address (i.e., hacking), the overreaches may have already been addressed and discouraged by stakeholders’ reaction to allegations of misuse of the law, which culminated in Swartz’s prosecution and suicide. At the same time, in the information age, the CFAA remains an important tool for companies to safeguard their most sensitive information from theft by departing employees and others. Our take is that CFAA’s current status quo will remain in place for 2015.

Access to credit scores

The President has encouraged companies to make credit scores more accessible to consumers. Currently, consumers are entitled to receive annual credit reports are no cost. These free reports contain information about consumers’ financial accounts and credit lines. The free reports do not, however, include credit scores—the “FICO scores”—that reflect in a single number the most important indication of a consumer’s creditworthiness.

Our take: The President stopped short of calling for legislation calling for free FICO scores, instead encouraging “more companies to join the effort” of providing this information to consumers.  Our take is that this is not a top legislative priority. First, the score is available for an additional premium to consumers who want to know their credit ranking before applying for a loan.  Second, consumers whose loan applications are rejected or who are subject of another adverse action based on the their credit report (e.g., a higher interest rate), are entitled to received their reports and scores under existing legislation—the FCRA, as amended by FACTA.

Consumer Privacy Bill of Rights

The Administration will ask Congress to enact into law the Consumer Privacy Bill of Rights that the White House articulated in its 2012 Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. The Bill of Rights articulated the following general principles for the collection, use, disclose and retention of personal data by businesses:

  • Individual control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  • Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
  • Respect for context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security: Consumers have a right to secure and responsible handling of personal data.
  • Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  • Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Our takeUnlike information security, the issues of consumer privacy—the rules on how companies can collect, use and disclose personal data—are unlikely to find bipartisan consensus in the immediate future. This is because privacy issues go to the heart of of much of the current Internet economy. One way to think of this is that personal data is the currency of the modern advertising-based consumer economy. Regulating privacy, in this context, is akin to regulating this currency. There is no question that such regulations affect the currency’s “value” and, consequently, the businesses operating in the ecosystem. There isn’t an industry buy-in that such rules are necessary, and any comprehensive rules would need a broad industry consensus, supported by lawmakers from both parties. At the same time, many of the principles of the Bill of Rights are already reflected in widely accepted best practices. For instance, most online businesses provide consumers with notices of their privacy practices and a variety of privacy choices, relating to marketing communications, online tracking and advertising and sharing of personal data. Self-regulatory groups have implemented privacy codes of conduct that companies in the mobile, ad-tech, energy and other industries have agreed to follow.

In retrospect, 2014 has once again offered examples of cybersecurity incidents affecting companies’ reputation, business operations and financial performance. The lesson of 2014 is that comprehensive approach to cybersecurity and privacy is not just an issue of compliance; it is good for business.

Throughout 2015, our blog will continue to offer insights into cybersecurity and privacy issues globally. Stay tuned.