Blog Rss FeedBlog Rss FeedBDShttp://mediatechlaw.loeb.com/?view=rsshttp://mediatechlaw.loeb.com/blog.aspx?entry=140House Cybersecurity Information-Sharing Bill Provides Immunity Provisions for Reporting Companieshttp://mediatechlaw.loeb.com/housepassescyberintelligencesharingprotectionact/The U.S. House of Representatives passed an amended version of the Cyber Intelligence Sharing and Protection Act (CISPA), with a 288-127 vote. The current version of CISPA (H.R. 624) would provide private-sector companies with protection from liability for sharing information on cyber-threats with federal government agencies. With the passage of this bill, the House attempts to resolve the problem of President Barack Obama’s Cybersecurity Executive Order not providing any liability protection to reporting companies. (Read our alert on President Obama’s Executive Order here.) The bill provides both criminal and civil immunity for corporations sharing information with government agencies, as long as they act “in good faith.” The amended version defines a lack of good faith as including “any act or omission taken with intent to injure, defraud or otherwise endanger any individual, government entity, private entity or utility.” It also requires the Director of National Intelligence to establish procedures to permit “elements of the intelligence community” to share cyber-threat information, including classified information, with U.S. companies and utilities.

CISPA expressly limits the federal government’s use of cyber-threat information to only cybersecurity purposes and for the investigation and prosecution of cybersecurity crimes (as well as the prevention of death or serious bodily injury to individuals and various threats against children), and specifically prohibits the government from searching cybersecurity information for any other purpose. The federal government also may not use sensitive personal information (defined to include a number of categories containing information that can be used to identify individuals, including tax returns, medical and educational records, firearms sales records, library circulation records and patron lists, and book sales records), except in accordance with established policies and procedures to protect the private and confidential nature of this information. The bill mandates that the Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, establish these policies and procedures.

While CISPA immunizes private-sector companies from liability, it also establishes a private right of action in federal court for actual or statutory damages for any person “adversely affected” by the government’s willful or intentional violation of the express restrictions on the protection, disclosure, and use of the shared information.

The recent amendments to the House version of CISPA were aimed at satisfying concerns about protection of individual privacy – including those expressed by President Barack Obama in a statement released prior to the bill’s passage. The President, however, has expressed grave concerns about this bill in its present form and has threatened to veto the bill because it does not require private-sector organizations sharing information “to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities,” and affords broad immunity to the sharing companies. The amended version now goes to the Senate for consideration.

]]>Wed, 15 May 2013 10:23:57 GMThttp://mediatechlaw.loeb.com/blog.aspx?entry=139Commissioner Edith Ramirez Elevated to Chair of Federal Trade Commissionhttp://mediatechlaw.loeb.com/commissionerramirezchairftc/
Read our full alert on the appointment of Ramirez to chair of the FTC here.]]>Tue, 05 Mar 2013 17:21:22 GMThttp://mediatechlaw.loeb.com/blog.aspx?entry=138Two California Privacy Bills Introduced http://mediatechlaw.loeb.com/twocaliforniaprivacybillsintroduced/Assembly Bill 257 which addresses mobile privacy. The bill would codify many of the best practices proposed by the California Attorney General in her report titled “Privacy on the Go: Recommendations for the Mobile Ecosystem,” such as requiring mobile apps to have a privacy policy; allowing consumers to access their own personally identifiable information (PII) that the app collects and retains; provide a supplemental privacy policy with enhanced measures if an app collects PII that is not essential to the app’s basic function; providing a special notice if the app accesses text messages, call logs, the camera, dialer or microphone, or collects location, financial, or medical information or passwords. The bill also would require advertising networks that deliver ads through a mobile application to obtain prior express consent before displaying an ad and before accessing PII; use application-specific or temporary device identifiers rather than unchangeable device-specific identifiers; and transmit user data securely, using encryption for permanent unique device identifiers and personal information.

A few weeks after the California Attorney General published her best practices for mobile privacy, members of the advertising industry sent her a letter expressing their concerns, calling her recommendations “unworkable.” Since that time, the FTC released its own mobile privacy guidelines titled “Mobile Privacy Disclosures: Building Trust Through Transparency” (which we summarized in an alert). The FTC also issued guidance for mobile security: http://business.ftc.gov/documents/bus83-mobile-app-developers-start-security.

California Assemblyman Ed Chau introduced Assembly Bill 242 which would amend California’s Online Privacy Protection Act by requiring that privacy policies be no more than 100 words long, be written in clear and concise language that an eighth grader could read, and indicate whether PII may be sold or shared with others, and how and with whom the information may be shared.]]>Wed, 13 Feb 2013 10:49:20 GMT