The Senate Select Committee on Intelligence drafts data encryption law

On April 13, Senate Select Committee on Intelligence Chairman Richard Burr (R-N.C.) and Vice Chair Dianne Feinstein (D-Calif.) released the Compliance with Court Orders Act of 2016. This piece of draft legislation seeks to protect Americans from criminals and terrorists by requiring companies to give access to encrypted data upon the issuance of a court order.

Vice Chairman Feinstein states, “Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order. We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans.”

The act, which is likely a political response to Apple’s refusal to unlock encrypted data stored on the devices of the San Bernardino shooters, will receive input from the public and key stakeholders before being formally introduced as a bill.

The draft has a long way to go, and it certainly will face stiff opposition. In support of Apple, many technology companies have recently opposed any requirement to build a back door into their encryption features. Still, it highlights that there continues to be strong political interest in mandating that technology companies assist law enforcement agencies with access to encrypted data. Undoubtedly, such pressure will continue to grow.

General News, Legislation

The new EU-U.S. Privacy Shield agreement and what it means for businesses

The U.S. Department of Commerce and European Commission have released details on the EU-U.S. Privacy Shield framework. The agreement seeks to ensure that Europeans have data-protection rights when U.S. companies import their personal data. Stated simply, the Privacy Shield will provide:

  • Strong obligations on companies and robust enforcement
  • Clear safeguards and transparency obligations on U.S. government access
  • Effective protection of EU citizens’ rights with several redress possibilities
  • An annual joint review mechanism to monitor the effectiveness of the Privacy Shield

For more, read the latest Cybersecurity Insight

General News, Legislation

President Obama takes additional action on cybersecurity

On February 9, President Obama signaled his, and Washington’s, increasing focus on cybersecurity: his 2017 budget proposal included $19 billion directed toward cybersecurity-related issues. In addition to this budget proposal, the president issued an executive order creating two new cybersecurity initiatives: the Commission on Enhancing National Cybersecurity and the Federal Privacy Council. The commission will be composed of leaders in public and private sector commerce and law enforcement and is set to make recommendations to the president by December 1, 2016, on improving online security in America. The Federal Privacy Council includes the lead privacy officials at 25 federal agencies and is charged with coordinating the protection of government data. The president also indicated plans to establish a Chief Information Security Officer position at the federal level.

Legislation

Bill introduced to repeal Cybersecurity Act of 2015

On January 8, 2016, Michigan’s Republican representative, Justin Amash, presented H.R. 4350 in the U.S. House of Representatives with the intent to repeal the Cybersecurity Act of 2015. Congress originally passed the act, which became law on December 18, 2015, to avoid a government shutdown.

Legislation

Congressional action on cybersecurity may ramp up by spring

Congress is actively working to tighten cybersecurity regulations in 2016. A recent article from The Hill quotes Representative Randy Neugebauer (R-Texas) as saying he's hoping Congress will pass data breach security legislation by the spring. 

"It's important to the (financial services) industry, (and) it's important to the American people to be assured their data is secured," Neugebauer told The Hill.

At issue is whether there will be one bill or two. 

In December, the House Financial Services Committee advanced a bill introduced by Neugebauer that would "set nationwide data security standards and require businesses to notify customers following a breach." The Energy and Commerce Committee then introduced a competing bill, and Republicans and Democrats are now arguing over whether the future federal law would supersede state data security regulations. 

Rep. Neugebauer’s bill, if it comes to fruition, would be a big deal. As we’ve written about in the past, there’s currently a patchwork of regulations that vary state-by-state to govern notification standards in the event of a breach. Having one standard would simplify the law and, in theory, be easier and cheaper for businesses to manage. On the other side, smaller retailers disagree. They argue that Neugebauer's bill would be too burdensome for modest businesses and would allow other companies to avoid regulation altogether.

Legislation