Privacy & Information Security Law Blog

On January 18, 2017, the Department of Homeland Security (“DHS”) issued an updated National Cyber Incident Response Plan (the “Plan”) as directed by Obama’s Presidential Policy Directive 41, issued this past summer, and the National Cybersecurity Protection Act of 2014.

On January 3, 2017, the Office of Management and Budget (“OMB”) issued a memorandum (the “Breach Memorandum”) advising federal agencies on how to prepare for and respond to a breach of personally identifiable information (“PII”). The Breach Memorandum, which is intended for each agency’s Senior Agency Official for Privacy (“SAOP”), updates OMB’s breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (“FISMA”).

On December 1, 2016, the nonpartisan Commission on Enhancing Cybersecurity (the “Commission”), established in February 2016 by President Obama as part of a $19 billion Cybersecurity National Action Plan, issued its Report on Securing and Growing the Digital Economy (the “Report”), which includes recommended actions that the government and private sector can take over the next 10 years to improve cybersecurity.

On November 20, 2016, the heads of state of the 21 member economies of the Asia-Pacific Economic Cooperation (“APEC”) forum reaffirmed the APEC Cross-Border Privacy Rules (“CBPR”) system in their Leaders’ Declaration at the APEC Leaders’ Meeting in Lima, Peru as follows: “We recall the APEC Leaders 2011 Honolulu Declaration and recognize the importance of implementing the APEC Cross-Border Privacy Rules System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR system.” The fact that the CBPR system is mentioned in the Leaders’ Declaration reflects its priority status on the APEC agenda.

The Office of Management and Budget (“OMB”) recently issued updates to Circular A-130 covering the management of federal information resources. OMB revised Circular A-130 “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.” The revised policies are intended to transform how privacy is addressed across the branches of the federal government.

On July 26, 2016, the White House unveiled Presidential Policy Directive PPD-41 (“PPD-41”), Subject: United States Cyber Incident Coordination, which sets forth principles for federal responses to cyber incidents approved by the National Security Council (“NCS”). Coming on the heels of several high-profile federal breaches, including the Office of Personnel Management’s loss of security clearance information and the hack of over 700,000 IRS accounts, PPD-41 is a component of President Obama’s Cybersecurity National Action Plan. PPD-41 first focuses on incident response to cyber attacks on government assets, but also outlines federal incident responses to cyber attacks on certain critical infrastructure within the private sector.

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and U.S. Department of Justice (“DOJ”) jointly issued final guidance on the Cybersecurity Information Sharing Act of 2015 (“CISA”). Enacted in December 2015, CISA includes a variety of measures designed to strengthen private and public sector cybersecurity. In particular, CISA provides protections from civil liability, regulatory action and disclosure under the Freedom of Information Act (“FOIA”) and other open government laws for “cyber threat indicators” (“CTI”) and “defensive measures” (“DM”) that are shared: (1) among businesses or (2) between businesses and the government through a DHS web portal. Congress passed CISA in order to increase the sharing of cybersecurity information among businesses and between businesses and the government, and to improve the quality and quantity of timely, actionable cybersecurity intelligence in the hands of the private sector and government information security professionals.

On June 2, 2016, the European Union and the U.S. signed an Umbrella Agreement, which will implement a comprehensive data protection framework for criminal law enforcement cooperation. The agreement is not yet in effect and additional procedural steps are needed to finalize the agreement. The European Council will adopt a decision on the Umbrella Agreement after obtaining consent from the European Parliament.

On February 29, 2016, the European Commission issued the legal texts that will implement the EU-U.S. Privacy Shield. These texts include a draft adequacy decision from the European Commission, Frequently Asked Questions and a Communication summarizing the steps that have been taken in the last few years to restore trust in transatlantic data flows.

The agreement in support of the new EU-U.S. transatlantic data transfer framework, known as the EU-U.S. Privacy Shield, was reached on February 2, 2016, between the U.S. Department of Commerce and the European Commission. Once adopted, the adequacy decision will establish that the safeguards provided when transferring personal data pursuant to the new EU-U.S. Privacy Shield are equivalent to the EU data protection standards. In addition, the European Commission has stated that the new framework reflects the requirements that were set forth by the Court of Justice of the European Union (the “CJEU”) in the recent Schrems decision.

On February 24, 2016, President Obama signed the Judicial Redress Act (the “Act”) into law. The Act grants non-U.S. citizens certain rights, including a private right of action for alleged privacy violations that occur in the U.S. The Act was signed after Congress approved an amendment that limits the right to sue to only those citizens of countries which (1) permit the “transfer of personal data for commercial purposes” to the U.S., and (2) do not impose personal data transfer policies that “materially impede” U.S. national security interests.

On February 10, 2016, the U.S. House of Representatives passed the Judicial Redress Act, which had been approved by the Senate the night before and included a recent Senate amendment. The House of Representatives previously passed the original bill in October 2015, but the bill was sent back to the House due to the recent Senate amendment. The Judicial Redress Act grants non-U.S. citizens certain rights, including a private right of action for alleged privacy violations that occur in the U.S. The amendment limits the right to sue to only those citizens of countries that (1) permit the “transfer of personal data for commercial purposes” to the U.S., and (2) do not impose personal data transfer policies that “materially impede” U.S. national security interests. The bill now heads to President Obama to sign.

On February 9, 2016, President Obama signed an Executive Order establishing a permanent Federal Privacy Council (“Privacy Council”) that will serve as the principal interagency support structure to improve the privacy practices of government agencies and entities working on their behalf. The Privacy Council is charged with building on existing interagency efforts to protect privacy and provide expertise and assistance to government agencies, expand the skill and career development opportunities of agency privacy professionals, improve the management of agency privacy programs, and promote collaboration between and among agency privacy professionals.

On December 16, 2015, leaders in the U.S. House of Representatives and Senate released a $1.1 trillion omnibus spending bill that contained cybersecurity information sharing language that is based on a compromise between the Cybersecurity Information Sharing Act, which passed in the Senate in October, and two cybersecurity information sharing bills that passed in the House earlier this year. Specifically, the omnibus spending bill included Division N, the Cybersecurity Act of 2015 (the "Act"). 

On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. The FAST Act, which is aimed at improving the country’s surface transportation infrastructure, contains a provision that modifies the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).

On November 19, 2015, the White House released a fact sheet from the 23rd Annual APEC Economic Leaders’ Meeting in the Philippines. Under the section on Enhancing Regional Economic Integration, representatives from the U.S. and other APEC economies reinforced their commitment to the ongoing implementation of the APEC Cross-Border Privacy Rules (“CBPR”) system for information controllers.

On November 5, 2015, the White House released the proposed text of the Trans-Pacific Partnership Agreement (the “TPP”) containing a chapter on cross-border data transfers in the context of electronic commerce. In the chapter on Electronic Commerce, Chapter 14, the TPP includes commitments from participating parties to adopt and maintain a legal framework to protect personal information, and encourages cross-border data transfers to help facilitate business and trade.

On November 9, 2015, U.S. District Judge Richard J. Leon issued a preliminary injunction ordering the National Security Agency to stop its bulk telephony metadata program. The preliminary injunction was issued in favor of subscribers of Verizon Wireless Business Network and comes 20 days before the program was set to expire under the USA Freedom Act. The case is Klayman v. Obama et al. (1:13-cv-00851) in the U.S. District Court for the District of Columbia.

On October 27, 2015, the U.S. Senate passed S.754 - Cybersecurity Information Sharing Act of 2015 (“CISA”) by a vote of 74 to 21. CISA is intended to facilitate and encourage the sharing of Internet traffic information between and among companies and the federal government to prevent cyber attacks, by giving companies legal immunity from antitrust and privacy lawsuits. CISA comes in the wake of numerous recent, high-profile cyber attacks.

On September 8, 2015, representatives from the U.S. Government and the European Commission initialed a draft agreement known as the Protection of Personal Information Relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses (the “Umbrella Agreement”). The European Commission’s stated aim for the Umbrella Agreement is to put in place “a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.” The Umbrella Agreement has been agreed upon amid the ongoing uncertainty over the future of the U.S.-EU Safe Harbor, and was drafted shortly before the release of the September 23 Advocate General’s Opinion in the Schrems v. Facebook litigation. The content of the Umbrella Agreement is in its final form, but its implementation is dependent upon revisions to U.S. law that are currently before Congress.

On July 9, 2015, the National Telecommunications and Information Administration (“NTIA”) announced the launch of its first cybersecurity multistakeholder process, in which representatives from across the security and technology industries will meet in September to discuss vulnerability research disclosure.

On March 31, 2015, the Electronic Privacy Information Center (“EPIC”) filed a petition (the “Petition”) with the U.S. Court of Appeals for the District of Columbia Circuit accusing the Department of Transportation’s Federal Aviation Administration (“FAA”) of unlawfully failing to include privacy rules in the FAA’s proposed framework of regulations for unmanned aircraft systems (“UAS”), otherwise known as drones. The Petition stems from the FAA’s November 2014 denial of another EPIC petition calling for the FAA to address the threat of privacy and civil liberties associated with the deployment of aerial drones within the U.S.

As reported in Bloomberg BNA, on April 1, 2015, the White House announced that President Obama has signed a new executive order providing the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, the ability to impose sanctions on individuals and entities that engage in certain cyber-enabled activities. The signed executive order, entitled Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (the “Executive Order”), focuses on blocking the property or interests in property located in the United States of persons engaging in cyber-enabled activities that cause a significant threat to the national security, foreign policy, economic health or financial stability of the U.S. (collectively, the “Significant Threat”).

On March 4, 2015, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced a new multistakeholder process seeking comments on best practices concerning privacy, transparency and accountability issues related to the use of commercial and private unmanned aircraft systems (“UAS”), otherwise known as drones. The NTIA’s request was made in response to a Presidential Memorandum issued by the White House on February 15 which directed NTIA to facilitate discussion between private sector entities to develop standards for commercial UAS use.

On February 27, 2015, the White House released a highly-anticipated draft of the Consumer Privacy Bill of Rights Act of 2015 (the “Act”) that seeks to establish baseline protections for individual privacy in the commercial context and to facilitate the implementation of these protections through enforceable codes of conduct. The Federal Trade Commission is tasked with the primary responsibility for promulgating regulations and enforcing the rights and obligations set forth in the Act.

On February 15, 2015, the White House released a Presidential Memorandum entitled “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems” (the “Memorandum”) to address the privacy, civil rights and civil liberties concerns associated with the federal government’s use of Unmanned Aircraft Systems (“UAS”). The Memorandum provides privacy expectations for the federal government’s use of UAS by setting requirements for federal agencies to establish and maintain privacy and civil liberty safeguards, as well as by placing restrictions on certain information collection and use practices.

On February 13, 2015, at the White House’s Cybersecurity and Consumer Protection Summit at Stanford University, President Obama signed an executive order promoting private sector cybersecurity information sharing (“Executive Order”). Building on the current cybersecurity information sharing efforts of Information Sharing and Analysis Centers and groups such as the National Cyber-Forensics and Training Alliance, the new Executive Order emphasizes the need for private companies, non-profit organizations and government agencies to share information about cyber threats, vulnerabilities and incidents. Its purpose is to facilitate private-private and public-private cybersecurity information sharing while (1) protecting the privacy and civil liberties of individuals; (2) protecting business confidentiality; (3) safeguarding shared information; and (4) protecting the government’s ability to detect, investigate, prevent and respond to cyber threats.

Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than owners of data bases. The bill also would expand Indiana’s breach notification law to eliminate the requirement that the breached data be computerized for notices to be required.

On January 13, 2015, President Obama announced legislative proposals and administration efforts with respect to cybersecurity, including a specific proposal for a national data breach notification standard. Aside from the national data breach notification standard, the President’s other proposals are designed to (1) encourage the private sector to increase the sharing of information related to cyber threats with the federal government and (2) modernize law enforcement to effectively prosecute illegal conduct related to cybersecurity.

On January 12, 2015, President Obama announced at the Federal Trade Commission several new initiatives on data security and consumer privacy as part of a weeklong focus on privacy and cybersecurity. He noted that on January 13 at the Department of Homeland Security, he would address how to improve protections against cyber attacks, and on January 14, he would address how more Americans can have access to faster and cheaper broadband Internet. He stated that the announcements he is making this week are “sneak previews” of the proposals he will make in next week’s State of the Union address.

On December 15, 2014, Microsoft reported the filing of 10 amicus briefs in the 2nd Circuit Court of Appeals signed by 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations, in support of Microsoft’s litigation to resist a U.S. Government’s search warrant purporting to compel the production of Microsoft customer emails that are stored in Ireland. In opposing the Government’s assertion of extraterritorial jurisdiction in this case, Microsoft and its supporters have argued that their stance seeks to promote privacy and trust in cross-border commerce and advance a “broad policy issue” that is “fundamental to the future of global technology.”

In a flurry of activity on cybersecurity in the waning days of the 113th Congress, Congress unexpectedly approved, largely without debate and by voice vote, four cybersecurity bills that: (1) clarify the role of the Department of Homeland Security (“DHS”) in private-sector information sharing, (2) codify the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework, (3) reform oversight of federal information systems, and (4) enhance the cybersecurity workforce. The President is expected to sign all four bills. The approved legislation is somewhat limited as it largely codifies agency activity already underway. With many observers expecting little legislative activity on cybersecurity before the end of the year, however, that Congress has passed and sent major cybersecurity legislation to the White House for the first time in 12 years may signal Congress’ intent to address systems protection issues more thoroughly in the next Congress.

On December 5, 2014, the National Institute of Standards and Technology (“NIST”) released an update on the implementation of the Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). NIST issued the Framework earlier this year in February 2014 at the direction of President Obama’s February 2013 Critical Infrastructure Executive Order. The update is based on feedback NIST received in October at the 6th Cybersecurity Framework Workshop as well as from responses to an August Request for Information.

On October 17, 2014, the White House announced that the President signed a new executive order focused on cybersecurity.  The signed executive order, entitled Improving the Security of Consumer Financial Transactions (the “Order”), is focused on securing consumer transactions and sensitive personal data handled by the U.S. Federal Government.

On August 14, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) submitted its response to the National Telecommunications and Information Administration’s (“NTIA’s”) request for public comment on big data and consumer privacy issues. The NTIA’s request, which follows the White House’s recent study of big data, the May 2014 Big Data Report, and the associated President’s Council of Advisors on Science and Technology Report, seeks further public input on how big data impacts the Consumer Privacy Bill of Rights, and whether the Consumer Privacy Bill of Rights should be modified to contemplate big data.

On July 2, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) held a public meeting to finalize the release of a report concluding that the National Security Agency’s (“NSA’s”) collection of electronic communications from targets reasonably believed to be non-U.S. persons located outside the United States has operated lawfully within its statutory limitations.

On June 25, 2014, U.S. Attorney General Eric Holder announced that the Obama Administration is looking to pass legislation that would provide EU citizens with a right to judicial redress in U.S. courts if their personal information that was shared for law enforcement purposes is later intentionally or wilfully disclosed. The announcement was made during the EU-U.S. Ministerial Meeting on Justice and Home Affairs in Athens, Greece, which was co-chaired by the Attorney General and aimed to advance EU-U.S. cooperation in efforts to stop transnational crime and terrorism. The announcement also relates to the ongoing negotiations of the new “umbrella” EU-U.S. Data Protection and Privacy Agreement (“DPPA”).

On June 19, 2014, the President’s Export Council (“PEC”) held a meeting to discuss nine key issues, including the effects of foreign laws that restrict cross-border data flows. At the meeting, the private sector members of the PEC submitted a recommendation letter to President Obama expressing their concern about the threat to American business from protectionist, cross-border data transfer restrictions imposed by foreign countries. The letter describes how certain governments are implementing “digital protectionism” in the form of laws and policies restricting the cross-border flow of data (for example, by requiring domestic processing and storage of data citing concerns for personal privacy and national security). These foreign laws may limit the ability of American businesses, particularly small- and medium-sized businesses, to expand their business operations to include countries that enact such measures.

On June 4, 2014, the U.S. Government Accountability Office (“GAO”) testified before the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law on GAO’s findings regarding (1) companies’ use and sharing of consumer location data, (2) privacy risks associated with the collection of location data, and (3) actions taken by certain companies and federal agencies to protect the privacy of location data. GAO’s testimony relates to its 2012 and 2013 reports that examined the collection of location data by certain mobile industry companies and in-car navigation providers.

On May 22, 2014, the United States House of Representatives passed H.R. 3361, a bill aimed at limiting the federal government’s ability to collect bulk phone records and increasing transparency regarding decisions by the Foreign Intelligence Surveillance Court (“FISC”). The bill was approved by a vote of 323-121 by majorities of both Democrat and Republican members of the United States House of Representatives. It now moves to the Senate where it is likely to pass.

On May 1, 2014, the White House released a report examining how Big Data is affecting government, society and commerce. In addition to questioning longstanding tenets of privacy legislation, such as notice and consent, the report recommends (1) passing national data breach legislation, (2) revising the Electronic Communications Privacy Act (“ECPA”), and (3) advancing the Consumer Privacy Bill of Rights.

On April 10, 2014, U.S. Department of Justice Deputy Attorney General James Cole and Federal Trade Commission Chair Edith Ramirez announced a joint DOJ and FTC antitrust policy statement on the sharing of cybersecurity information (“Policy Statement”). The Policy Statement, as well as their remarks, emphasize the seriousness of the cybersecurity challenge and the need to improve cybersecurity information sharing. It is another example of the Obama Administration’s efforts to encourage the sharing of information about cybersecurity threats and vulnerabilities.

President Obama’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity identified “insurance liability considerations” as an incentive that might improve security. Over the course of the year since the Executive Order was issued, there has been an increase in the marketing of cyber insurance products. In an article published in Law360, Hunton & Williams Insurance Litigation & Counseling partner Lon Berk discusses how most cyber insurance policies currently available do not protect against major risks to critical infrastructure. Since the ...

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the final Cybersecurity Framework, as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Framework, which includes standards, procedures and processes for reducing cyber risks to critical infrastructure, reflects changes based on input received during a widely-attended public workshop held last November in North Carolina and comments submitted with respect to a preliminary version of the Framework that was issued in October 2013.

On December 16, 2013, the United States District Court for the District of Columbia granted a preliminary injunction barring the federal government from collecting and analyzing metadata related to two consumers’ mobile phone accounts. The court held that the two individual plaintiffs were entitled to a preliminary injunction because they had standing to challenge the government’s data collection practices and were substantially likely to succeed on the merits of their claim. The court has stayed issuance of the injunction pending appeal to the D.C. Circuit Court.

On December 18, 2013, the White House published a report recommending reforms to the federal government’s wide-ranging surveillance programs. The voluminous report, entitled “Liberty and Security in a Changing World,” was authored by The Review Group on Intelligence and Communications Technologies, an advisory panel that includes experts in national security, intelligence gathering and civil liberties.

On December 12, 2013, Fred H. Cate, Senior Policy Advisor in the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”), submitted comments in response to the National Institute of Standards and Technology’s (“NIST’s”) Preliminary Cybersecurity Framework (the “Preliminary Framework”). On October 22, NIST issued the Preliminary Framework, as required by the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (“Executive Order”), and solicited comments on the Framework. The Preliminary Framework includes standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.

On December 3, 2013, Lawrence Strickling, Department of Commerce Assistant Secretary for Communications and Information, spoke at the American European Community Association Conference in Brussels on Data Protection: The Challenges and Opportunities for Individuals and Businesses. Strickling discussed the Obama Administration’s commitment to “preserving the dynamism and openness of the Internet, enhancing the free flow of information, and strengthening our Internet economy.” He addressed the issues surrounding U.S. surveillance operations and the European Commission’s recent report on Safe Harbor. Strickling also provided a progress report on improvements to consumer privacy protection since the White House released its Consumer Privacy Bill of Rights in February 2012, including an update on the National Telecommunications and Information Administration’s (“NTIA’s”) multistakeholder process to develop industry codes of conduct.

On December 3, 2013, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced a new multistakeholder process to develop a code of conduct regarding the commercial use of facial recognition technology. The first meeting is set for February 6, 2014 in Washington, D.C., and will provide stakeholders with background on the privacy issues associated with facial recognition technology, including how facial recognition technology currently is being used by businesses and how it may be used in the near future. The February meeting is open to all interested stakeholders and will be available for viewing via webcast. Additional meetings are planned for the spring and summer of 2014.

On October 22, 2013, the National Institute of Standards and Technology (“NIST”) issued the Preliminary Cybersecurity Framework (the “Preliminary Framework”), as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Preliminary Framework includes standards, procedures and processes for reducing cyber risks to critical infrastructure. It will be published in the Federal Register within a few days for public comment. Under the Executive Order, NIST is required to issue a final version of the Framework in February 2014. NIST is planning to host a public workshop on the Preliminary Framework in mid-November to give industry and other groups an opportunity to provide their views on this document.

On August 28, 2013, the Obama Administration issued several documents relating to the Cybersecurity Framework that the President called for in Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The documents include:

• Preliminary Cybersecurity Framework (Discussion Draft);
• Preliminary Cybersecurity Framework: Illustrative Examples (Discussion Draft);
• Message to Senior Executives on the Cybersecurity Framework (Discussion Draft);  and
• Cybersecurity Framework Performance Goals (Draft).

On August 6, 2013, the Obama Administration posted links on The White House Blog to reports from the Departments of Commerce, Homeland Security and Treasury containing recommendations on incentivizing companies to align their cybersecurity practices with the Cybersecurity Framework. These reports respond to the Administration’s February 2013 executive order entitled Improving Critical Infrastructure Cybersecurity (the “Executive Order”).

The U.S. Department of Commerce’s International Trade Administration (“ITA”) will host a data privacy seminar in Providence, Rhode Island, on Thursday, July 18 from 8:30 – 11:00 a.m. EDT. Seminar participants will hear from Commerce privacy experts who will discuss the Obama Administration’s privacy blueprint and provide updates on significant international developments, including the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks and the Asia-Pacific Economic Cooperation (“APEC”) group’s work to implement the Cross-Border Privacy Rules System. These privacy developments could have a significant impact on how companies comply with laws and privacy regulations in the United States, Asia and Europe. A representative from the Safe Harbor-certified company Textron Inc. (“Textron”) also will discuss the company’s experience developing and implementing a privacy compliance program.

On July 1, 2013, the National Institute of Standards and Technology (“NIST”) issued a preliminary draft outline of the Cybersecurity Framework that is being developed pursuant to the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”).

On July 1, 2013, Practising Law Institute (“PLI”) hosts its first symposium on Cybersecurity 2013: Managing the Risk in New York. Hunton & Williams partner Lisa J. Sotto is the Chair of the event. The program features timely cybersecurity topics, including the threat landscape, the legal environment (such as the Obama Administration’s Executive Order on Cybersecurity), and how companies can manage cybersecurity incidents when they occur and seek to prevent cyber attacks before they occur. Hunton & Williams partner Paul M. Tiao and Centre for Information Policy Leadership ...

On June 17, 2013, the Federal Trade Commission announced that FTC Chair Edith Ramirez has appointed Jessica Rich as Director of the Bureau of Consumer Protection. Rich has served in several leadership roles in the FTC’s Bureau of Consumer Protection during her 20-year tenure with the agency. Most recently, she served as Associate Director of the Division of Financial Practices.

The Obama Administration is in the process of finalizing its review of a statutory electronic surveillance proposal initially developed by the FBI, and is expected to support the introduction of a modified version as legislation. The proposal addresses concerns raised by law enforcement and national security agencies regarding the widening gap between their legal authority to intercept real-time electronic communications pursuant to a court order, and the practical difficulties associated with actually intercepting those communications. According to the government, this gap increasingly prevents the agencies from collecting Internet-based phone calls, emails, chats, text messages and other communications of terrorists, spies, organized crime groups, child pornography distributors and other dangerous actors. The FBI refers to this as the “going dark” problem.

On April 16, 2013, the Office of the President issued a Statement of Administration Policy that includes a threat to veto the U.S. House of Representatives’ Cyber Intelligence Sharing and Protection Act (“CISPA” or H.R. 624) if further changes are not made to the bill’s privacy protections. Specifically, the Obama Administration recommends that the bill require private entities to remove personal information when sharing cybersecurity information with the government or other private entities.

On March 28, 2013, the Department of Commerce’s Notice of Inquiry into “Incentives to Adopt Improved Cybersecurity Practices” was published in the Federal Register (78 Fed. Reg. 18954). This Notice, which includes a series of broad questions for owners of the nation’s critical infrastructure, follows up on earlier Commerce inquiries focused on incentives for noncritical infrastructure. The Notice states that Commerce will use the responses it receives to evaluate a set of incentives designed to encourage owners of critical infrastructure to participate in a voluntary cybersecurity program. The Notice also indicates that Commerce will use the responses to inform its evaluation of whether the incentives would require legislation or could be implemented pursuant to existing law and authorities. In addition, the Notice provides that Commerce may use the responses to develop a broader set of recommendations that would apply to U.S. industry as a whole.

The U.S. Department of Commerce’s International Trade Administration (“ITA”) will host a data privacy seminar in Waltham, Massachusetts, on Monday, March 25 from 8:30 – 11:30 a.m. EST. Seminar participants will hear from a number of Commerce privacy experts who will discuss the Obama Administration’s privacy blueprint and provide updates on significant international developments involving the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks and the Asia-Pacific Economic Cooperation group’s work to implement the Cross-Border Privacy Rules System. These privacy developments could have a significant impact on your company and its compliance with laws and privacy regulations in the United States, Asia and Europe.

As reported in The Washington Post, large financial institutions are increasingly disclosing cyber attacks, and potential vulnerability to cyber threats, in their annual reports filed with the Securities and Exchange Commission. Numerous banks disclosed such attacks in their 2012 reports, even in cases where the ongoing threat of the attacks did not result in any material harm to the institution. For example:

On February 28, 2013, a White House official confirmed that President Obama will nominate Edith Ramirez as Chair of the Federal Trade Commission. Ramirez, who has served as an FTC Commissioner since April 2010, will replace outgoing Chairman Jon Leibowitz, who announced his departure earlier this month.

Prior to being nominated to the FTC in 2010, Ramirez worked as an attorney in private practice, focusing on litigation and antitrust issues. Ramirez has been an active participant in the Asia-Pacific Economic Cooperation Data Privacy Subgroup and the development of the APEC ...

On February 26, 2013, the National Institute of Standards and Technology (“NIST”) issued a Request for Information (“RFI”) to gather comments regarding the development of a framework to reduce cybersecurity risks to critical infrastructure. As we previously reported, the Obama Administration’s executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), released on February 12, 2013, directs NIST to coordinate development of this framework. Under the Executive Order, NIST is charged with collaborating with industry partners and identifying existing international standards and practices that have proven effective.

On February 20, 2013, Hunton & Williams LLP hosted a webinar on cybersecurity risks and the Obama Administration’s recently-issued Executive Order on cybersecurity issues related to critical infrastructure. The webinar, entitled “The Cybersecurity Executive Order: Understanding Its Impact on Your Business,” covered issues such as the current threat landscape, U.S. and EU regulatory initiatives related to cybersecurity, and guidelines to help businesses prevent and manage cyber events.

The Executive Order, “Improving Critical Infrastructure Cybersecurity,” and the Presidential Policy Directive (“PPD”), “Critical Infrastructure Security and Resilience,” signed by President Obama on February 12, 2013, raise the stakes in the national debate over cybersecurity requirements and seem likely, if not designed, to provoke a legislative response. Industry has good reason to pay attention.

On February 8, 2013, during the Centre for Information Policy Leadership’s First Friday call, Hunton & Williams partner Frederick Eames offered insights on how key U.S. government players are likely to approach privacy and data security initiatives this session. Eames discussed upcoming privacy legislation and outlined his predictions regarding how several Congressional committees, including the House of Representatives Energy & Commerce Committee and the Senate Committee on Commerce, Science, & Transportation, will address privacy-related issues.

Listen to the full ...

On February 12, 2013, in conjunction with the release of an executive order on Improving Critical Infrastructure Cybersecurity (the “Executive Order”), President Obama signed a Presidential Policy Directive on Critical Infrastructure Security and Resilience (“PPD-21” or “PPD”). The PPD revokes the 2003 Homeland Security Presidential Directive-7 (issued by President George W. Bush as an initiative under the former Office of Homeland Security and the Homeland Security Council) to adjust to the new risk environment and make the nation’s critical infrastructure more resilient. The PPD expands upon the work that has been accomplished to date for the physical security of critical infrastructure and lays a foundation for the implementation of the Executive Order to protect critical infrastructure cybersecurity.

On February 11, 2013, the Federal Trade Commission announced that a congressionally-mandated study of the U.S. credit reporting industry found that 26 percent of consumers identified at least one error that might affect their credit score. The study reported that 5 percent of consumers had errors on their credit reports that could result in less favorable terms for loans and insurance.

Today, the Obama Administration released an executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), which is focused primarily on government actions to support critical infrastructure owners and operators in protecting their systems and networks from cyber threats. The Executive Order requires administrative agencies with cybersecurity responsibilities to (1) share information in the near-term with the private sector within the scope of their current authority and to develop processes to address cyber risks; and (2) review and report to the President on the sufficiency of their current cyber authorities. The requirements to review and report to the President likely will serve to pressure Congress to pass more comprehensive legislation that should, inter alia, address issues that an executive order cannot, such as the provision of liability protection, incentives for compliance, and regulatory authority to compel compliance.

On February 1, 2013, the Federal Trade Commission issued a new report entitled Mobile Privacy Disclosures: Building Trust Through Transparency. The report makes recommendations “for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures,” offering specific recommendations for mobile platforms, app developers, advertising networks and other third parties operating in this space. The FTC’s report also makes mention of the Department of Commerce’s National Telecommunications and Information Administration’s efforts to engage in a multistakeholder process to develop an industry code of conduct for mobile apps.

On February 1, 2013, the Federal Trade Commission announced that Chairman Jon Leibowitz will step down from his role on February 15, 2013. Leibowitz, who has been with the Commission since 2004 and was appointed Chairman in 2009, leaves the agency with a much more aggressive privacy agenda than the one he inherited, having helped to shape “groundbreaking work on consumer protection and competition issues.” During what may be his final press conference as Chairman, Leibowitz announced a new staff report on mobile app privacy disclosures and an enforcement action against the operator of a social networking app stemming from allegedly deceptive information collection practices that violated Section 5 of the FTC Act and the Children’s Online Privacy Protection Act.

On December 18, 2012, the U.S. House of Representatives passed H.R. 6671, a bill that would amend the Video Privacy Protection Act (“VPPA”) consent requirements for disclosing consumers’ viewing information. The Senate approved the bill without changes on December 20, 2012. The bill would make it easier for companies to develop innovative technologies for the sharing of consumers’ video viewing habits. The current version of the VPPA requires certain video providers to obtain a consumer’s consent each time they wish to share the consumer’s viewing information ...

On November 30, 2012, the Federal Trade Commission announced the issuance of an interim final rule (“Interim Final Rule”) that makes the definition of “creditor” in the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule”) consistent with the definition contained in the Red Flag Program Clarification Act of 2010.

On November 22, 2012, the Brussels-based publication European Voice published an editorial by U.S. Department of Commerce General Counsel Cameron Kerry entitled Avoiding a Data Divide Between the US and the EU. The article notes the importance of continued collaboration between the European Union and the United States as both assess their respective privacy frameworks to ensure that any changes encourage enhanced trade and strong economic growth, but also contain robust protections for consumers. Mr. Kerry’s editorial emphasizes the need to foster global privacy ...

Reporting from Washington, D.C., Hunton & Williams partner Frederick Eames writes:

Elections have consequences. What are the consequences of the 2012 election on U.S. federal privacy, data security and breach notice legislation? We outline some key developments in the U.S. House of Representatives and Senate and explain how these developments might affect legislative priorities and prospects for the 113th Congress beginning in 2013.

The absence of congressional action on cybersecurity legislation has spurred efforts by various entities to exert influence over cybersecurity policy. This client alert focuses on some of those efforts, including the Federal Energy Regulatory Commission’s (“FERC’s”) creation of a new cybersecurity office, North American Electric Reliability Corporation (“NERC”) action on cybersecurity Critical Infrastructure Protection (“CIP”) standards, continuing legislative developments concerning cybersecurity and anticipated White House executive orders on cybersecurity.

On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.

As policymakers around the world consider revisions to existing privacy and data protection law, they often refer to “interoperability” as a mechanism to facilitate the flow of data across national and regional borders. Reports released this year by the Obama Administration and the Federal Trade Commission recognize the value of interoperability to the growth of the digital economy and improving privacy compliance. Principles underlying the APEC framework would support a system for transferring data across APEC economies, and the OECD has acknowledged that regulatory authorities worldwide share the responsibility of promoting the protection of cross-border data flows. But although interoperability is expected to help lower barriers to data transfers, simplify compliance and protect individuals’ rights, there has been little discussion of how interoperability would work in practice.

On May 26, 2012, the United States government submitted its request to participate in the APEC Cross-Border Privacy Rules (“CBPRs”) system. The CBPRs system was endorsed by APEC leaders in November 2011. The protocol requires a participating economy to submit:

• A letter of intent to participate;
• Confirmation that a privacy enforcement agency in the economy is a participant in the Cross-Border Privacy Enforcement Arrangement;
• Notice that the economy intends to make use of at least one APEC-recognized accountability agency; and
• A description of the domestic laws and other legal mechanisms to give effect to the enforcement activities related to the activities of the accountability agent, which also must include an enforcement map.

On April 26, 2012, the U.S. House of Representatives approved the Cyber Intelligence Sharing and Protection Act (“CISPA” or H.R. 3523), which is aimed at facilitating the exchange of cyber threat intelligence information between the government and certain private entities. In addition, the House approved the Federal Information Security Amendments Act of 2012 (H.R. 4257), which modifies the Federal Information Security Management Act of 2002 to provide for automated and continuous monitoring of the security of government information systems.

Drawing on its eleven years of experience facilitating multistakeholder processes, on April 2, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP filed comments in response to the Department of Commerce’s National Telecommunications and Information Administration’s request for public comments on the multistakeholder process to develop consumer data privacy codes of conduct. The NTIA’s request relates to the topics and processes that will inform the creation of binding codes of conduct as discussed in the Obama Administration’s February ...

On March 26, 2012, the Federal Trade Commission issued a new privacy report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report charts a path forward for companies to act in the interest of protecting consumer privacy.

In his introductory remarks, FTC Chairman Jon Leibowitz indicated his support for Do Not Track stating, “Simply put, your computer is your property; no one has the right to put anything on it that you don’t want.” In later comments he predicted that if effective Do Not Track mechanisms are not available by the end of this year, the new Congress likely would introduce a legislative solution.

On March 21, 2012, the U.S. Department of Commerce’s National Telecommunications and Information Administration announced a one-week extension to the deadline for responses to their March 2 request for public comments on the multistakeholder process to develop consumer data privacy codes of conduct. Comments are now due on Monday, April 2, 2012. The request for comments relates to both the topics and processes that will inform the creation of binding codes of conduct as discussed in the Obama Administration’s February release of a framework for a Consumer Privacy Bill of ...

On February 24, 2012, Eric Chabrow of BankInfoSecurity interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing the need for a Consumer Privacy Bill of Rights, Sotto briefly outlined the strengths and weaknesses of the proposed bill, and its potential impact on businesses.

The White House today released its long-awaited report outlining a framework for U.S. data protection and privacy policy. As expected, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Global Innovation in the Global Digital Economy” articulates a Consumer Privacy Bill of Rights based on the individual’s right to exercise control over what personal data companies collect from the individual and how companies use the data. The Consumer Privacy Bill of Rights, which reflects principles of fair information practices and applies to personal data, sets forth individual rights for consumers and corresponding obligations of companies in connection with personal data. It also provides for the consumer’s right to:

• transparent privacy and data security practices;
• expect that companies will collect, use and disclose data in a manner consistent with the context in which it was collected;
• have their data handled in a secure manner;
• access and correct personal data;
• set reasonable limits on the personal data that companies collect and retain; and
• have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

As reported in BNA’s Privacy Law Watch, on July 19, 2011, President Obama announced his intention to nominate Maureen K. Ohlhausen to the Federal Trade Commission. Obama sent his official nomination to the Senate on July 21, 2011. If approved, Ohlhausen will serve a seven-year term beginning on September 26, 2011, replacing Commissioner William E. Kovacic.

On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy.  The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.

On June 8, 2011, the Department of Commerce’s Internet Policy Task Force released a report entitled “Cybersecurity, Innovation and the Internet Economy.”  The report contains four broad policy recommendations: (1) the creation of a nationally recognized approach to minimize vulnerabilities for the Internet and networking services industry, (2) the development of incentives to combat cybersecurity threats, (3) increased cybersecurity education and research, and (4) the promotion of international cooperation to enable sharing of cybersecurity best practices.

As we reported last week, on May 12, 2011, the Obama administration announced a comprehensive cybersecurity legislative proposal in a letter to Congress.  The proposal, which is the culmination of two years of work by an interagency team made up of representatives from multiple departments and agencies, aims to improve the nation’s cybersecurity and protect critical infrastructure.  If enacted, this legislation will affect many government and private-sector owners and operators of cyber systems, including all critical infrastructure, such as energy, financial systems, manufacturing, communications and transportation.  In addition, the proposal includes a wide-reaching data breach notification law that is intended generally to preempt the existing state breach laws in 46 states plus Washington, D.C., Puerto Rico and the U.S. Virgin Islands.

On May 12, 2011, the White House released the long-expected cybersecurity legislative proposal in response to the need to protect Americans from cyber threats.  The proposal is the culmination of several years of work following the White House’s release of the Cyberspace Policy Review in 2009 and includes the following sections:

On March 16, 2011, U.S. Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling called on Congress to enact robust, baseline legislation to “reform consumer data privacy in the Internet economy.” Speaking before the U.S. Senate Committee on Commerce, Science and Transportation, Assistant Secretary Strickling emphasized the Department of Commerce’s support for a legislative proposal that would adopt many of the recommendations of the “Green Paper,” a Department report authored last December.

While much of the attention of the privacy policy community in Washington, D.C. has been focused on the two reports issued in December 2010 by the Federal Trade Commission and the Department of Commerce, a third government report has received far less press attention, but may have a greater impact on U.S. business and consumers.  The work of the President’s Council of Advisors on Science and Technology (“PCAST”) and its Health Information Technology Working Group, the report, “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward,” was released by the White House on December 8, 2010.

On December 18, 2010, President Obama signed into law the “Red Flag Program Clarification Act of 2010” (S.3987), which amends the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.  The law limits the scope of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”), which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

As previously reported, on December 16, 2010, the U.S. Department of Commerce released its Green Paper “aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth.”

During a press teleconference earlier that morning announcing the release of the Green Paper, Secretary Gary Locke commented on the Green Paper’s recommendation of adopting a baseline commercial data privacy framework, or a “privacy bill of rights,” built on an expanded, revitalized set of Fair Information Practice Principles (“FIPPs”).  He indicated that baseline FIPPs would respond to consumer concerns and help increase consumer trust.  The Secretary emphasized that the Department of Commerce would look to stakeholders to help flesh out appropriate frameworks for specific industry sectors and various types of data processing.  He also noted that the agency is soliciting comments on how best to give the framework the “teeth” necessary to make it effective.  The Secretary added that the Department of Commerce is also open to public comment regarding whether the framework should be enforced through legislation or simply by conferring power on the Federal Trade Commission.

On December 16, 2010, the U.S. Department of Commerce Internet Policy Task Force issued its “Green Paper” on privacy, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  The Green Paper outlines Commerce’s privacy recommendations and proposed initiatives, which contemplate the establishment of enforceable codes of conduct, collaboration among privacy stakeholders, and the creation of a Privacy Policy Office in the Department of Commerce.  Noting that “privacy protections are crucial to maintaining the consumer trust that nurtures the Internet’s growth,” the Green Paper “recommends reinvigorating the commitment to providing consumers with effective transparency into data practices, and outlines a process for translating transparency into consumer choices through a voluntary, multistakeholder process.”