Homeland Security Committee Releases Updated Encryption Report – Last week, House Homeland Security Committee Chairman Michael McCaul (R-TX) released an update to the Committee’s report on encryption. The original report, “Going Dark, Going Forward,” was released in June 2016. It was drafted by Republican staff of the Homeland Security Committee and represents an in-depth congressional analysis on the issue of encryption. Over the course of more than a year, Committee Members and staff held more than 150 meetings with key stakeholders—including representatives from federal, state, and local law enforcement, the technology industry, privacy groups, academia, and the intelligence community.
The report describes the important themes and considerations surrounding the widespread use of encryption technologies, the ways in which various governments around the world are responding to the issue, and why future progress in addressing the challenges will likely depend on a more formal national discussion. As a result of their investigation, the Committee determined that there is no silver bullet when it comes to encryption and “going dark.” The Committee concluded that the best way to move forward is to formally convene a commission of experts to examine the issue of encryption and law enforcement’s future in light of constantly evolving technology.
The report also lays the groundwork for a National Commission on Digital Security and Technology Challenges, an idea proposed by Chairman McCaul and Senator Mark Warner (D-VA) in early 2016. Chairman McCaul has said that a National Commission would “bring the key players to the table to develop recommendations for maintaining privacy and digital security, while also finding ways to keep criminals and terrorists from exploiting these technologies to escape justice.”
The Committee’s update to their report was prompted by the recent terror attacks in Paris, Brussels, and Nice, and the subsequent legislative actions taken by European nations to address the implications of encryption on counterterrorism and law enforcement. Chairman McCaul said, “[t]he recent developments in this area highlight that the encryption issue is not going away. On the contrary, it continues to be a major challenge to law enforcement and the intelligence community around the world. The United States should be leading efforts to develop a sustainable, sensible solution. Instead, we are sitting on our hands and doing nothing.”
The updated report, “Going Dark, Going Forward Version 2.0,” is available here.
Reporter, Lauren M. Donoghue, Washington, DC, +1 202 626 8999, ldonoghue@kslaw.com.
Recently Introduced Legislation Designed To Secure Voting Systems – On September 21, 2016, Representative Hank Johnson (R-GA) introduced two bills in the U.S. House of Representatives that aim to protect U.S. voting systems from hackers. These two pieces of legislation—the “Election Infrastructure and Security Promotion Act of 2016” and the “Election Integrity Act of 2016”—were introduced “[i]n the wake of the [Democratic National Committee] server hack,” Rep. Johnson said in a statement. “We must work to reduce the vulnerability of our crucial voting systems, protect the security and integrity of our electoral process, and ensure all Americans have the opportunity to vote.”
Under the Election Integrity Act of 2016 (H.R. 6072), all voting systems used in federal elections would be required to provide paper ballots and make those ballots available to each voter for inspection and verification before the voter’s ballot is cast and counted. In addition, H.R. 6072 would prohibit the connection of voting systems (upon which ballots are programmed or votes are cast) to the Internet. Currently, five states use electronic-only voting without a paper trail: New Jersey, Delaware, South Carolina, Georgia, and Louisiana. Another ten states allow for mixed methods that can include electronic systems without paper.
Under the Election Infrastructure and Security Promotion Act (H.R. 6073), the Secretary of Homeland Security would be required to classify voting systems used in the United States as “critical infrastructure.” This term is defined in Section 1016 of the Critical Infrastructure Protection Act of 2001 as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” There are currently 16 critical infrastructure sectors that compose these assets, systems, and networks (e.g., the U.S. power grid and water supply).
Classifying voting systems as critical infrastructure gives the U.S. Department of Homeland Security (“DHS”) the authority to enhance its efforts and provide increased support to secure such systems. Under H.R. 6073, the DHS would be required to conduct research and development in order to mitigate the effects of voting system hacks, and prepare and submit to the relevant committees in the House and Senate a comprehensive plan to protect the critical infrastructure of the voting systems against threats, including acts of terrorism. In addition, under H.R. 6073, the Director of the National Institute of Standards and Technology (“NIST”) would be given the authority to develop standards for safeguarding the operational security of the voting systems used in federal elections and ensuring that the process by which ballots are counted in federal elections is transparent and permits voters to verify that votes in such elections are counted correctly.
Both Acts include amendments to the Help America Vote Act of 2002 in order to ensure state compliance with the NIST standards discussed above. H.R. 6072 has been referred to the House Judiciary Committee. H.R. 6073 has been referred to the House Administration Committee; House Science, Space, and Technology Committee; and House Homeland Security Committee. The text of the Election Integrity Act of 2016, H.R. 6072, can be found here. The text of the Election Infrastructure and Security Promotion Act of 2016, H.R. 6073, can be found here.
Reporter, Jennifer Raghavan, San Francisco, +1 415 318 1234, jraghavan@kslaw.com.
FTC Testifies Before Senate Commerce Committee About Data Security Approach – On Tuesday, September 27, 2016, the three active commissioners at the Federal Trade Commission (“FTC” or the “Commission”) testified before the U.S. Senate Committee on Commerce, Science, and Transportation regarding the Commission’s use of its authority relating to data security issues. While the hearing covered various topics as part of the Committee’s oversight of the FTC, members of the Committee focused on the FTC’s work in the data security area and appeared skeptical that the Commission was using its authority properly.
Committee Chairman Senator John Thune (R-SD) opened the hearing on this topic, saying that “[w]hen Congress drafted the FTC Act, we took care to ensure the prohibitions of Section 5 would be evergreen. . . . But Section 5’s flexibility does not mean it is open-ended.” Section 5 of the FTC Act (15 U.S. Code § 45) gives the FTC authority to regulate “unfair or deceptive acts or practices in or affecting commerce.” “Unfair” practices are defined in the statute as those that “cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” Last year in FTC v. Wyndham Worldwide Corporation, the Third Circuit held that the FTC has authority to regulate “unfair” or “deceptive” cybersecurity practices under Section 5.
FTC Chairwoman Edith Ramirez responded to Senator Thune that, although Section 5 is not open-ended, the FTC needs to use its authority to address data security issues. She testified, “[d]ata security is the most significant challenge we face as a nation.” She further stated that the FTC needs to “use[] its core enforcement authority – Section 5 [ ] – to take action against companies engaged in unfair or deceptive practices involving the privacy and security of consumers’ information.”
Still, Senator Thune expressed concern that the FTC already had expanded its authority to actions that seemingly did not involve tangible monetary harm, such as the FTC’s recent decision to hold LabMD liable for “unfairness” over the purported leak of a patient data file that seemingly did not tangibly harm consumers. In that decision, the FTC explained, “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).” Senator Thune characterized this decision and reasoning as “extraordinary” and that it raises “serious questions about whether the FTC’s actions are always predicated on substantial injury to consumers.”
Senator Thune asked Chairwoman Ramirez how, under this standard, the FTC decides when a harm is “substantial” enough to justify action, and Chairwoman Ramirez responded that tangible harm is not required for bringing an unfairness action. “There is no limitation on unfairness requiring actual or likely harm that it be economic,” Chairwoman Ramirez testified. “Most of our cases do tend to assert harm that is economic and tangible but there is no restriction, and in a few instances that are appropriate we do feel that it’s proper for the agency to address serious intangible harms like privacy harms that would include infringement and potential revelation of private information such as privacy intrusions.”
Senator Deb Fischer (D-NE) expressed concern with Chairwoman Ramirez’s explanation, stating that she worried that the FTC would use its numerous pages of guidance, which tend to further confuse companies as to the FTC’s requirements, to continue to expand its authority in enforcement actions over data security. Chairwoman Ramirez again tried to alleviate concerns by explaining that the guidance is not binding and “any enforcement action would have to reflect a considered decision by the commission that we have a reasonable belief that applicable law, whether it is the FTC Act or another statute that we enforce, has been violated.”
Reporter, Bethany Rupert, Atlanta, GA, +1 404 572 3525, brupert@kslaw.com.
In Data Breach Suit, Federal Court Holds Banks To Higher Standard Than Customers – On Wednesday, September 28, 2016, an Illinois federal district judge dismissed data breach-related claims brought by numerous banks against a grocer citing the sophistication of the business relationship between the banks and the grocer as a main reason the claims could not proceed.
Between December 2012 and March 2013, Schnucks, a grocery chain headquartered in St. Louis, Missouri, experienced a data breach that made payment card information transmitted through its computer system vulnerable to attack by cyber criminals. The data breach may have affected as many as 2.4 million cardholders who shopped at Schnucks during the timeframe of the breach. The banks alleged that Schnucks did not properly encrypt customer payment information and thus fell short of industry standard. The banks pursued multiple theories of relief, including RICO conspiracy claims, breach of fiduciary duty, negligence, breach of contract, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
The U.S. District Court for the Southern District of Illinois dismissed all of the banks’ claims, holding that the alleged harms sustained were too general and that “mere allegations of trust between sophisticated business parties are insufficient to create a fiduciary relationship between the parties.” The court observed that in cases brought by customers, the customers can allege plausible claims based on concrete harm suffered, such as fraudulent charges on their accounts, late fees incurred as the result of fraudulent activity, and costs incurred as a result of acquiring an identity theft monitoring service. Additionally, customers’ data-breach claims appeal to the common life experience of walking into a merchant to buy a sandwich or a coffee and the expectation that their data will be kept safe.
In contrast, according to the court, the banks’ allegations of harm were too general. For example, the banks alleged that they have incurred and will continue to incur costs to (1) cancel and reissue cards, (2) close and reopen accounts, (3) notify customers, and (4) investigate and monitor for fraud, emphasizing the argument that Schnucks made fraudulent representations or omissions to the banks regarding its data security practices, and the banks relied on such misinformation in releasing customer funds to Schnucks. The court, however, held that the generality of these allegations made it too difficult to assess the validity of the claims. Two of the banks’ claims were dismissed with prejudice. The banks will have the opportunity to replead the other claims.
Reporter, Drew Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com.
Also In The News
The Department of Homeland Security Releases Draft Cyber Incident Response Plan – On Friday, September 30, 2016, the Department of Homeland Security (“DHS”) published a draft of its updated National Cyber Incident Response Plan (“NCIRP”). Companies and individuals have 30 days to provide feedback. The plan is in response to President Obama’s Presidential Policy Directive 41 (PPD-41) issued in July. The directive called for an updated NCIRP that defines a nationwide approach to cyber incidents and outlines the roles of both federal and non-federal entities and how the U.S. government prepares for, responds to, and recovers from significant cyber incidents.