Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech ecosystem, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lie low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

EU and U.S. officials finally unveiled the full text of the proposed EU-U.S. Privacy Shield framework earlier this week. The agreement is the culmination of a five-month negotiation to address European concerns regarding mass surveillance and personal data protection issues surrounding transatlantic data transfers. The European Commission’s Article 29 Working Party must now review and approve it.

Privacy Shield replaces the Safe Harbor framework, which the European Court of Justice invalidated in October. That decision impacted nearly 4,000 United States companies that transfer data from the EU to the United States under Safe Harbor.

Under the provisions of Privacy Shield:

  • Companies must self-certify annually that they meet its requirements.
  • The U.S. Department of Commerce will monitor all registered companies to ensure that their publicly facing privacy notices reflect Privacy Shield principles.
  • Companies that leave the program will still be required to follow its principles for as long as they use, maintain and store the personal data they received while they were participants.
  • There will be a 45-day response period for EU consumer complaints related to mishandling personal information.
  • In addition to directly contacting the company, EU consumers can submit their complaint to their data protection authority, which will coordinate with the U.S. Department of Commerce or the Federal Trade Commission to achieve a response within 90 days.
  • Companies must offer an alternative dispute resolution process for consumers and provide details on that process in their privacy notices.
  • Participating companies that do not comply with the Privacy Shield framework will face sanctions, which can include fines and exclusion from the program.

The Story So Far

The origins of the Safe Harbor framework, agreed upon in July 2000, lie in the 1995 EU Data Protection Directive, which laid out seven data protection principles. Safe Harbor allowed companies to transfer data out of the EU if they annually self-certified their adherence to those seven principles. About 4,000 U.S. companies took advantage of the program as an alternative to binding corporate rules or model contractual clauses.

In October 2015, the European Court of Justice (ECJ) found that Facebook’s transfer of data from the EU back to the U.S. violated EU citizens’ privacy rights under the EU Data Protection Directive, and invalidated Safe Harbor in the process. The case arose in response to Edward Snowden’s revelations about the NSA’s PRISM program.

Shortly thereafter, EU authorities announced they would suspend enforcement campaigns against Safe Harbor-certified U.S. companies until February 2016, but reserved their rights to enforce the Data Protection Directive in the event that a replacement was not implemented before that deadline.

Enter the Judicial Redress Act, Stage Left

Meanwhile, the U.S. Senate began negotiating the terms of the Judicial Redress Act – a bill that would allow EU citizens to pursue a private right of action for misuse of their personal data that occurs in the U.S. While the Act falls short of providing the same level of protections EU citizens enjoy in their own countries, it does more closely align those protections, allowing some level of comfort for EU officials.

The U.S. House of Representatives passed its Judicial Redress bill in October 2015, shortly after the ECJ’s decision. The bill was expected to pass the Senate in early 2016, but an 11th-hour amendment limited the right to sue to citizens of countries that permit data transfers for commercial purposes to the U.S. and do not impose personal data transfer protections that impede U.S. national security interests. That amendment stalled discussions between the U.S. and the EU days before the February deadline. Fortunately, the parties reached an agreement before Congress finalized the privacy legislation, although the interested parties then had to wait to see if the U.S. would follow through on its promise to provide privacy protections to EU citizens.

The Senate voted on, and passed, the amended version of the Judicial Redress Act, which allowed both houses to consolidate and pass it. The finalized bill was sent to President Obama’s desk in mid-February and he signed it into law on February 24.

What’s Next?

The European Commission submitted the Privacy Shield text to the EU data protection authorities. The DPAs will convene in April to review and announce their position. While their positions will not be legally binding, they will be highly impactful and could set the stage for the ECJ’s inevitable review of the framework. If the ECJ finds that the agreement fails to adequately protect EU citizens and their right to privacy, then the court will likely send it back to the committee for a rewrite. The associated uncertainty prior to any review may lead to greater demand for U.S. companies to implement binding corporate rules or model contractual clauses to transfer personal data out of the EU. Additionally, many U.S. companies have already been exploring projects to create local data infrastructure in the EU, which may become necessary if Privacy Shield is never ratified.

The Judicial Redress Act of 2015 (H.R. 1428/S.1600) is now law, effectively extending parts of the U.S. Privacy Act of 1974 to EU citizens. The Act serves as a big step in U.S. efforts to regain the trust of European cybersecurity authorities in the post-Safe Harbor era. EU citizens benefit from heightened data privacy, protection and security in the United States.

In a press conference following the signing, Obama emphasized his commitments to privacy measures that make the United States an attractive place for global companies to do business.

Analysts are concerned the Act may not go far enough in providing data security safeguards to EU citizens. However, the general consensus among cybersecurity authorities is positive: the law will create avenues for collaborative data privacy efforts, international law enforcement and more secure data transfers.

European Commissioner Vĕra Jourová said the Judicial Redress Act is key to gaining approvals on the EU-U.S. Data Protection Umbrella Agreement. The agreement bolsters international law enforcement efforts by ensuring high-quality protection of all personal data flowing across the Atlantic. Data privacy improvements will benefit individuals regardless of nationality, and police and criminal justice authorities will have common regulatory bases to work from. Streamlining international law enforcement will benefit the safety of Europeans and increase U.S. and EU partnerships against crime and terrorism.

The Judicial Redress Act helps the U.S. comply with EU data privacy standards, emphasizes U.S. commitments to collaborative data privacy law enforcement and brings the U.S. and EU one step closer to signing the Privacy Shield agreement.

Privacy and security legislation seems to bypass the usual partisan congressional divides as the Judicial Redress Act (H.R. 1428/S. 1600) passed both houses. The U.S. and EU have been collaborating to implement the Data Privacy and Protection Agreement (DPPA), which has been encouraged by congressional support. Known as the “Umbrella” agreement, DPPA regulates personal data flows between the U.S. and EU so that law enforcement authorities can focus on the prevention, investigation and prosecution of transnational crimes. The Judicial Redress Act bolsters international cooperation by expanding law enforcement information exchanges. In essence, its adoption would encourage the EU to embrace the DPPA.

With the end of the Safe Harbor era, the Judicial Redress Act has data sharing provisions that advanced negotiations for the U.S.-EU “Privacy Shield.” Specifically, the Act details how the U.S. would work with international players to comply with data transfer regulations and data privacy efforts. To quote Representative Bob Goodlatte (R-VA-06), the legislation creates “a healthy environment for U.S. companies to do business overseas.” It shows U.S. intentions to work more closely with international business communities and rebuild trust.

The positive sentiments of the legislation were echoed by Senator Chris Murphy (D-CT): “Despite months of delay, the Judicial Redress Act will cement the vital international relationships we rely on to fill gaps in law enforcement and support U.S. technology companies conducting business abroad.”

The Judicial Redress Act has made it to President Obama’s desk and is expected to be signed. The adoption of the Act will strengthen ties between the U.S. and EU for ensuring data security, privacy and trust.

A recent bill proposed by the U.S. Senate states requirements for publicly traded companies to increase transparency about cybersecurity threats, risks and breaches. The bill includes disclosure standards such as having publicly owned companies reveal whether anyone on their board of directors has cybersecurity expertise or specialization. Companies would provide this information through U.S. Securities and Exchange Commission investor reports.

The bill stems from an urgency to combat cyber threats in light of investigative findings on the cybersecurity practices of the top 100 financial firms, as well as recent attacks on major publicly traded companies like Sony and Home Depot. If the bill passes, investors and shareholders can monitor how well public companies secure private data and information, motivating companies to enhance security measures.

The U.S. Senate voted 74-21 to pass the Cybersecurity Information Sharing Act (CISA) on Tuesday in part as a reaction to the EU’s rejection of the Safe Harbor Agreement. Sen. Dianne Feinstein (D-CA) introduced the bill in June 2014 following a flurry of major cyberattacks on U.S. organizations.

The CISA bill was authored to promote information-sharing from companies that experience cyberattacks. CISA offers liability protections to organizations that work with the Department of Homeland Security (DHS) when threats arise or defensive protocols are implemented. Those that criticize the bill point out that “liability protections” could burden a company with unnecessary or unwanted levels of government surveillance, and that shared information could pass to other federal agencies such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). However, Sen. Richard Burr (R-NC), who co-sponsored the bill, emphasized that companies are not required to participate as the program is voluntary. It remains unknown whether CISA may potentially replace the Safe Harbor Agreement invalidated by the EU Court of Justice.

Four amendments addressing privacy concerns did not pass the Senate, in addition to Sen. Rand Paul’s (R-KY) amendment that proposed removing immunity from companies that break privacy agreements with their consumers.

The House will initiate a conference to determine how information should be shared with the government. The final measure, which both chambers must pass, will include a combination of three bills. Signaling potential approvals, the House passed two cybersecurity bills in April: the Protecting Cyber Networks Act (H.R.1560) (PCNA) and the National Cybersecurity Protection Advancement Act (H.R. 1731) (NCPAA). In fact, CISA and PCNA share broad similarities as both focus on incentivizing companies to share cyberattack and cyber threat information with government agencies. The PCNA was passed in hopes that it would create in-the-moment response and notice systems that efficiently warn other networks about hacker strategies and the vulnerabilities they exploit. PCNA privacy provisions require companies to remove Personally Identifying Information irrelevant to the threat at hand.

Also sharing similarities with CISA, the NCPAA provides liability protections to companies that voluntarily share cyber threat data with the DHS. These liability protections are meant to insulate companies from class actions or heightened regulatory oversight they could otherwise experience under the PCNA. Authors of the NCPAA also sought to safeguard individual privacy for citizens and included a number of provisions ensuring that cyber threat information may only be used for cybersecurity issues.

According to Sen. Burr, the conference with the House may commence this week, but the final measure will be ready by 2016. Congress expects the president to approve the final measure.

Data thieves and hackers are developing attacks with increased sophistication. Recently, Ryanair lost $5 million and sensitive company information from a cyberattack involving falsified bank transfer information. With a strong focus on combating evolving cyber threats, the House of Representatives has passed two cybersecurity bills. The Senate now takes up the Cybersecurity Information Sharing Act of 2015 (CISA). The bills create liability protections for companies and businesses that share cyber threat and cyberattack information with the government – a data-sharing effort supported by cybersecurity experts. Those critical of the bill point out that it falls short on protecting individual and consumer data while it may mitigate penalties for businesses that improperly handle or disclose personal information. Congress seems poised to pass both cybersecurity bills, and companies should be aware of how the protections offered by these bills may affect their current cybersecurity policies and standards.

The two bills recently passed by the House are the Protecting Cyber Networks Act (H.R.1560) (PCNA) and the National Cybersecurity Protection Advancement Act (H.R. 1731) (NCPAA). In addition to CISA in the Senate, they would streamline data and information sharing between the private and public sectors. Specifically, the bills allow companies to report cyber threats, attacks and systems vulnerabilities to the government without fear of legal liability and antitrust backlash as well as intellectual property violations.

The bills respectively create a “safe harbor” for companies that share cyber risk information with federal authorities. The PCNA, formed by the House Intelligence Committee, requires the Director of National Intelligence to create standards and procedures for helping companies share cybersecurity information and threat data and implement these sharing processes into their current cyber threat response plans. The legislation allows non-government entities and some designated federal entities to share “defensive measures” – or cyber threat risks and response data – amongst each other. However, the bill does not permit non-government entities to share data with the National Security Agency or the Department of Defense.

The House Homeland Security Committee developed the NCPAA, which focuses on protecting private businesses and companies from data sharing liabilities with the Department of Homeland Security (DHS). The bill essentially amends the Homeland Security Act of 2002 by adding data sharing protections meant to motivate companies to openly and willfully inform federal authorities of their cybersecurity threats. NCPAA specifically creates stronger avenues of coordination between the DHS cybersecurity and communications center and its non-government representatives, which include tribal governments, information sharing/analysis centers and other private bodies. Under NCPAA, the center is permitted to work with international entities regarding global cybersecurity issues as long as personal information and data is removed if it is unnecessary to the cyber risk at hand. DHS Secretary Jeh Johnson described the center as the main point of coordination between federal authorities and private entities.

The Senate’s CISA bill shares many similarities with PCNA. It aims to strengthen data-sharing and cyberattack response efforts between federal and private sectors. Criticism of the bill, mostly from civil liberties groups, is that the legislation creates personal data privacy issues from increased government and company oversight.

How Liability Protections Will Work

PCNA and NCPAA both include language with liability protections for non-government entities involved in data sharing. NCPAA, which has stronger language, explains that non-federal sharers of information are safeguarded from civil or criminal actions when the data is important to cyber threat defensive measures and risk mitigation. If there is any aspect of willful misconduct on the part of the private entity, then the liability protections are void. According to civil liberty groups, the term “defense measure” is poorly defined as it relates to a private company’s actions against the source of a cyberattack.

PCNA features very similar language on liability protections, but details that a non-government entity will be protected from liability even during a good faith failure to share cyber threat information. This wording opens up the potential argument that there is no “good faith” reason to withhold data breach information from federal authorities. The “willful misconduct” standard is harder to prove. Analysts suggested that the “good faith” language may expose companies to litigation from the way its interpretation can be approached. Notably, the CISA language closely resembles the NCPAA “willful misconduct” standard, which benefits businesses.

When Will the Bills Pass?

Plans to vote on CISA have been tabled as the Senate focuses on addressing Patriot Act provisions that expire June 1. Senate Majority Leader Mitch McConnell (R-KY) aimed to streamline the Act’s reauthorization and renew the provisions in question through 2020. One provision specifically allows the National Security Agency (NSA) to gather large amounts of information about private phone calls made by U.S. citizens, which other senators would like to amend.

The NSA bill has been a target of close scrutiny by its opponents, who are also critical of CISA’s authorization to expand data gathering privileges by federal agencies. In a 388 to 88 vote, the House passed the USA Freedom Act, which limits NSA surveillance oversight, ceases bulk data gathering of phone records and renews expiring provisions until December 2019. The House vote may spark the Senate to vote on the Patriot Act bill, which in turn would allow the cybersecurity legislation to be voted on before June. Senator Rand Paul (R-KY), however, has indicated he would possibly filibuster the vote on the NSA bill.

Another Consumer Notification Bill on the Horizon

Congress is exploring additional legislation that creates a federal standard outlining how and when private sector entities must alert their customers to breaches of personal data. Senators are working on legislation that would define notification standards, but there is a disagreement about whether those standards should outweigh state-level notification requirements.

Takeaway

The timing of the cybersecurity bills’ passage is unpredictable. However, Senate approvals are expected by the end of May. The bills will then proceed to the House to work through differences.

Businesses and companies should take advantage of the safe harbor protections afforded by the cybersecurity legislation. Its passing is just around the corner.

After Wednesday’s approval of the Protecting Cyber Networks Act (H.R.1560) (PCNA), the House of Representatives passed the National Cybersecurity Protection Advancement Act (H.R. 1731) (NCPAA) the next day. Technology, telecommunications and infrastructure companies view this move as an essential complement to the PCNA.

NCPAA gives companies protection against liability for data sharing with the Department of Homeland Security (DHS) by amending the Homeland Security Act of 2002 to encourage voluntary cyber threat information sharing. Without protections, companies could expose themselves to class actions or an increase in regulatory enforcement. The NCPAA includes many provisions ensuring protection of privacy for American citizens and also assures shared threat information is only used for the purposes of cybersecurity.

The NCPAA allows the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to include tribal governments, information sharing and analysis centers and private entities as non-federal representatives. Additionally, the Act expands NCCIC’s functions to include global cybersecurity with international partners and requires federal and non-federal entities to pursue reasonable action in removing and guarding information that may be used to identify specific persons and that is unrelated to risks or incidents prior to sharing. It also prohibits federal entities from using shared indicators or defense measures to monitor or collect information to track an individual’s PII and bans using that information for regulatory purposes. Furthermore, it establishes a private cause of action for someone to bring against the federal government if a federal agency violates restrictions – willfully or with intent – on the use and protection of voluntarily shared indicators or defense measures. Finally, it exempts from antitrust laws those non-federal entities that share indicators, measures or assistance for cybersecurity purposes in accordance with the NCPAA.

New cybersecurity legislation was passed by the House of Representatives after increasing pressure from the industry to assist companies in strengthening key infrastructure and implementing quicker and more rigorous responses to attacks. Despite protests from privacy and civil liberties groups, the Protecting Cyber Networks Act (H.R.1560) (PCNA) was approved in a 307-116 vote with bipartisan support.

Just this week several major trade associations—the National Cable & Telecommunications Association, CTIA-The Wireless Association and USTelecom-The Broadband Association—wrote a letter urging Speaker Boehner and Minority Leader Pelosi to pass two new cybersecurity bills: the PCNA and the National Cybersecurity Protection Advancement Act (H.R. 1731) (NCPAA). When it comes to cybersecurity, companies in the cable and telecommunications, wireless/cellular telephone and broadband/network infrastructure industries are “on the front lines” of the cybersecurity battle. Thus, the associations expressed an urgency for passing “both bills, without counterproductive amendments that would make America’s information systems less safe or discourage private sector participation for fear of attracting litigation.”

The PCNA is intended to work as a bridge between corporations and government agencies to improve communication and exchange of information regarding cyber threats, vulnerabilities and cyber attacks. Congress hopes the bill will decrease the threat of attacks and notify other network and infrastructure operators about the latest techniques utilized by advanced hackers by giving companies a real-time notice and response system via agencies like the NSA.

While the PCNA garnered support from the industry, there was backlash from 55 privacy and civil liberties groups that wrote a letter of their own to Congress in opposition to it. The ACLU, Electronic Frontier Foundation, Freedom of the Press Foundation and Human Rights Watch were among the groups that critiqued it, saying the PCNA would “significantly increase the National Security Agency’s (NSA’s) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity.” Their primary concerns are the sections of the bill that permit the sharing of data between companies and the NSA that may violate the Electronic Communications Privacy Act or the Wiretap Act, as well as the lack of limitations on government use of shared information for cybersecurity purposes.

Despite these reservations, the PCNA does, in fact, contain some security provisions such as the requirement that all personally identifying information deemed nonessential to the investigation of the supposed threat be scrubbed or removed. Despite his prior inclination to veto the Cybersecurity Information Sharing Act and Protection Act (CISA) back in 2003, President Obama now supports both the PCNA and its Senate counterpart, the CISA, because of these security measures and the influx of high profile data breaches in 2014.

A companion legislation, the NCPAA, is expected to be voted on in Congress today. If approved, it would protect companies from liability for any information they share with the Department of Homeland Security. The industry views the NCPAA as a crucial piece of legislation necessary for encouraging a more open sharing of cybersecurity threat information by protecting companies from potential class actions or increased regulatory enforcement actions.

In an effort to standardize data breach laws nationwide, Rep. Marsha Blackburn (R-Tenn.) introduced H.R. 1770 to the House Energy and Commerce Committee this past week. Called the Data Security and Breach Notification Act, it aims to replace all state data breach laws with one federalized standard. Currently, 47 states and the District of Columbia have separate and distinct data breach laws. Rep. Blackburn’s legislation intends to make it easier for U.S. companies to adhere to data breach requirements by creating uniformity.

If passed, H.R. 1770 would require any company that “acquires, maintains, stores, sells or otherwise uses data in electronic form that includes personal information”[i] to “implement and maintain reasonable security measures and practices to protect and secure personal information.”[ii] While companies with security breaches must meet notification requirements, such notifications can be avoided if there is “no reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was affected by the breach of security.”[iii] However, in cases where more than 10,000 individuals’ personal information is “accessed or acquired by an unauthorized person,” the breached company would be required to inform the Federal Bureau of Investigation and/or the Secret Service.[iv] If enacted, the legislation would give enforcement powers to state Attorneys General and the Federal Trade Commission.[v]

Following its approval by the House Energy and Commerce Committee on April 15, H.R. 1770 is expected to potentially see the floor under the guidance of Chairman Fred Upton (R-Mich.) sometime the week of April 20.

References

[i] Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. § 5(5) (2015).
[ii] H.R. 1770 at § 2.
[iii] H.R. 1770 at § 3(a)(3).
[iv] H.R. 1770 at § 3(a)(5).
[v] H.R. 1770 at § 4(a)-(b).