Don't expect much action from Congress, it's an election year.
While there may be a new encryption bill as an outgrowth of Apple's confrontation with the FBI, in talking to security industry pros and Washington insiders, the consensus is that when it comes to cybersecurity legislation, including pending national bills on digital privacy and breach notification, nothing will happen until after the election.
“It's unlikely any bills will pass this year,” says Ari Schwartz, now managing director for cybersecurity services at Venable, and up until last fall, the National Security Council's senior director for cybersecurity.
On the plus side, late last year, President Obama signed into law the Cybersecurity Information Sharing Act (CISA), which according to Schwartz, gives companies incentives to share information in the event of a security breach.
And in mid-February, the Department of Homeland Security, which was identified in CISA as the lead agency for managing cybersecurity information sharing, released guidance that requires companies to remove personally identifiable information (PII) before sharing cyberthreat information. It also requires DHS to conduct a privacy review of the information shared by the company that sustained an attack. Final guidance will be released this summer, adds Schwartz.
Of course, privacy advocates, including Sen. Ron Wyden (D-Ore.) and the American Civil Liberties Union (ACLU) cried foul after CISA passed, claiming that the law signed by President Obama has no teeth and would do little to prevent major hacks.
On the federal legislative front, privacy advocates received a glimmer of hope in early February when House Judiciary Committee Chairman Bob Goodlatte (R-Va.) indicated that the Judiciary Committee planned to markup the Email Privacy Act this spring.
The federal privacy legislation aims to reform the Electronic Communications Privacy Act (ECPA) of 1986, a law that was signed around the time email was first being introduced. It's essentially a companion bill to the legislation first introduced three year ago on the Senate side by Sen. Patrick Leahy (D-Vt.) and Sen. Mike Lee (R-Utah). The bill would amend ECPA to require government officials to obtain a warrant to require internet service providers or other online service providers to disclose the private communications of their users. The law as it's currently written also includes personal or proprietary documents stored with cloud service providers.
Following Rep. Goodlatte's announcment, Sen. Leahy said, “updating our digital privacy laws is long overdue and passing this bill should be a no-brainer.”
While many expected the Email Privacy Act to pass in 2015, it was held up by the Securities and Exchange Commission, which, in representing federal civilian agencies, asked for an exemption from the warrant requirement as specified in the updated version of ECPA.
Sen. Leahy remains optimistic: “This legislation has been held up too long by some who seek to exempt civil regulatory agencies from the Fourth Amendment's warrant requirement. We must pass this important piece of privacy legislation this year so that Americans who share photos, send emails and text loved ones can do so knowing that their privacy rights are protected by a law that matches the needs of the 21st century.”
Well-intentioned though individual Congressional representatives may be, Republicans and Democrats as a group have their heels dug in on immigration, trade policy, the vacancy of the Supreme Court following the passing of Justice Antonin Scalia, and climate change, so there's no reason to expect they will pass any meaningful cybersecurity legislation this year.
That's where the states come in. For starters, 47 states have passed a breach notification bill (Alabama, New Mexico and South Dakota are the exceptions). And, with California leading the way, states are poised to pass privacy bills during the rest of this year.
California's Electronic Communications Privacy Act (CalECPA) was signed by Democratic Governor Jerry Brown last fall and went into effect on Jan. 1. It was viewed in privacy circles as landmark legislation because California was the first state to enact a comprehensive law protecting location data, content, metadata and device searches. The law bars any state law enforcement agency from compelling a business to turn over any digital information without a warrant.
“What's important is that it also has a suppression remedy,” explains Nicole Ozer (left), technology and civil liberties policy director for the ACLU of Northern California.
“CalECPA says that if law enforcement does not follow the law and issue a warrant, the case will be thrown out of court,” she says. “The law is critical because there has been such an increase in warrantless searches. Google, for example, has reported a 180 percent increase in demand in the past five years.”
Democratic State Senator Mark Leno, one of the co-sponsors of CalECPA, says the new law had strong support from privacy advocates of all stripes as well as Silicon Valley technology companies.
“It's actually very basic,” he says. “CalECPA updates privacy law for the 21st century. We all communicate digitally today so we need digital protection. When you think about it, the American Revolution was fought in part to combat the warrantless searches by the British military.”
The ACLU's Ozer says Minnesota, New Mexico, New York and Virginia have all introduced or announced plans to pass laws based on CalECPA. And, numerous other states have introduced more limited bills to protect personal information.
In Michigan, Republican State Senator Pete Lucido recently introduced a bill that would keep information private unless consumers choose to opt in to having a business share their personal information with third-party marketers. The law would cover any business that people do with a bank, including a home or car loan, or even a credit card or a personal checking account.
“Once you apply for a credit card, the marketers know who you are,” Lucido says. “People then get solicited for everything under the sun and that has to stop. The thing people have to ask themselves is, why do they receive all this unwanted stuff in their mailboxes?”
Other states have gotten busy as well. Alabama has a bill pending to protect student data privacy. Nebraska has introduced bills on employee data privacy, location tracking and also on student data privacy. And New Mexico wants to protect personal data privacy.
California's Leno says while states can lead the way, the federal government still has to step up and pass meaningful cybersecurity legislation, especially in the area of privacy.
Nobody expect miracles, but with the states keeping the privacy fire alive, it's possible there may be privacy reform once a new Congress goes into session early next year. For now, look for the guidance from DHS on information sharing later this year. And, it may very well be that Apple's case with the FBI forces Congress to act on encryption. Most observers agree that CISA was signed into law once the massive hack at the Office of Personnel Management was made public, so the Apple case may have a similar effect on lawmakers. Beyond that, look for states legislatures to take the lead. n