Federal Internet Security Legislation ‘On Hold’ Despite Potential Benefits, Commerce’s Kerry Says
All federal Internet security legislation is likely “on hold for the time being,” said Commerce Department General Counsel Cameron Kerry at a Practising Law Institute panel Monday. The long-promised White House consumer protection proposal (WID Dec 2 p1) and updates to the Electronic Communications Privacy Act are both in a holding pattern, he said, while the White House continues to do background work with its big data task force (WID Jan 21 p1) and NTIA-facilitated codes of conduct (WID Dec 5 p10). Other panelists said a federal data breach notification law is potentially useful for consumers, businesses and U.S. trade relations with Europe, but could have a negative impact on data security if the law defangs state attorneys general enforcement power (WID Jan 3 p1).
“I’m skeptical that legislation is going to happen,” Kerry said. Despite the increasing awareness of the fragility of data security (WID Jan 13 p1), “consumers don’t bear the risk,” Kerry said. Plus, the discussion has shifted dramatically to the government’s data security since the leaks from former NSA contractor Edward Snowden, he said. “In that environment, it’d be impossible for the Obama administration to say, ‘We have to do something about all this data being collected in the private sector,’” and continue pushing its consumer privacy legislative proposal, said Kerry.
Instead, the administration has had to switch gears, Kerry said. He was acting Commerce Department secretary when the first Snowden revelations were published. In the first White House meetings, Kerry recalls he showed up “full of ideas and I would say that these issues were new to a lot of the people around the table,” he said. “That has certainly changed in the interim.” Most of those “extensive” conversations had to do with government surveillance issues. Now the president has addressed some of those issues and can focus the discussion “more broadly on privacy issues,” he said.
“I think there are compelling reasons to move forward on” the consumer privacy bill of rights, Kerry said. “To put in place a set of ground rules that will help to reaffirm and rebuild trust is economically vital,” he said, saying the U.S. cloud computing industry stands to lose considerable money. “That’s reflected in people moving hosting from American companies to European companies,” he said.
Consumers are receiving a record number of notifications of data breaches because of the labyrinthine data breach laws across the country, said data security lawyer Cynthia Larose, chairwoman of Mintz Levin’s Privacy and Security Practice. Forty-six states, the District of Columbia and Puerto Rico all have separate laws that “generally apply to all companies,” she said. Some states require companies to notify a consumer regulator, others a telecommunications regulator, and a few have no notification laws at all, she said. Fine levels differ in each state, rising as high as Massachusetts’s $50,000-per-violation maximum. “Being in the middle of the data breach is like the fog of war,” she said.
That over-notification to consumers “maybe produces the complacency,” Kerry said. Because of that, Larose said, “I do see some value in standardizing what data breach notices look like.” The volume of notifications currently is “burdensome,” she said, and “people just don’t pay attention to them.” But it could be “dangerous for a federal data breach act to strip state attorneys general of any ability to enforce their laws,” she said. Center for Democracy and Technology Project on Consumer Privacy Director Justin Brookman said, “I don’t see a great need for a [federal] data breach notification law. From a consumer perspective” the multitude of state laws may be a benefit. “We would only support a data breach notification standard that preempts the state laws if it gives protections to consumers,” he said. Additionally, the gap between congressional Republicans and Democrats is “pretty broad,” making a useful compromise unlikely, he said.
Absent congressional action, government could still develop a “common set of expectations” for consumers and companies, Kerry said. Industry transparency and choice alone will not create these expectations, he said. It’s “at best a fiction and in most instances impossible,” he said. “How do you apply consent to sensors in our roads? How do you apply consent to cameras in different locations?”
The consumer bill of rights can help establish these expectations through a three-prong process, Kerry said: “Flexible best practices in a non-prescriptive way”; a principles-based code of conduct created with industry and civil society; and “an iterative, common-law process of FTC adjudication of the application of principles to really work these issues out as we move forward.” MIT Computer Science and Artificial Intelligence Laboratory Principal Research Scientist Daniel Weitzner said he thinks a set of binding principles could offer businesses a “safe harbor” from FTC enforcement action. It “also gives consumers the certainty that there’s a set of rules out there,” he said. (cbennett@warren-news.com)