Returning Congress May Focus on Cybersecurity, Surveillance

By Daniel R. Stoller

The 115th Congress will have a full plate of cybersecurity, email privacy, and surveillance bills when it starts its fall term Sept. 5.

Lawmakers will be considering mandating enhanced cybersecurity protections and best practices for companies, updating a decades-old email privacy law, and continuing an important national security surveillance authority.

CYBERSECURITY
LEGISLATIVE PURPOSE

  • (H.R. 584, H.R. 2105, H.R. 2481, S. 770, S. 1157) Large-scale cyberattacks in 2017 have put pressure on Congress to pass legislation to help the public and private sectors ward off future attacks. Cybersecurity bills in the House and Senate would provide more guidance to small- and medium-sized businesses and update the Vulnerabilities Equities Process (VEP), under which federal government officials decide whether to divulge cybersecurity exploits and inform affected companies.
  •  H.R. 2481 and S. 1157, the PATCH Act, would update the VEP process by making the U.S. government more transparent and accountable when retaining and disclosing cybersecurity vulnerabilities to agencies, intelligence organizations, or the private sector. Under the bills, the Department of Homeland Security would serve as the head of an interagency review board that would create new oversight mechanisms for vulnerability disclosure and retention. The bill has gotten support from tech companies, such as McAfee Inc. and Mozilla Corp., and privacy advocacy groups, including New America’s Open Technology Institute and the Center for Democracy and Technology.
  •  H.R. 584, the Cyber Preparedness Act, would direct the Department of Homeland Security to ensure it shares its cybersecurity information with state, local, and regional centers. The bill would expand grants for statewide cybersecurity threat data dissemination.
  •  H.R. 2105, the NIST Small Business Cybersecurity Act, and S. 770, the MAIN STREET Cybersecurity Act, would ensure that the National Institute of Standards and Technology (NIST) updates its cybersecurity framework to provide small businesses with simplified resources that they can more easily implement.

BILL STATUS

  • House: Rep. Lieu (D-Calif.) introduced H.R. 2481 May 17, and it was referred to the Committee on Oversight and Government Reform. The House passed H.R. 584, by Rep. Donovan (R-N.Y.), by voice vote Jan. 31, and it was referred to the Senate Committee on Homeland Security and Governmental Affairs. The Committee on Science, Space, and Technology approved H.R. 2105, by Rep. Webster (R-Fla.), by voice vote May 2.
  • Senate: Sen. Schatz (D-Hawaii) introduced S. 1157 May 17, and it was referred to the Committee on Homeland Security and Governmental Affairs. The Commerce, Science, and Transportation Committee approved S. 770, by Schatz, by voice vote April 5.

OUTLOOK

  • House: The PATCH Act, H.R. 2481, hasn’t seen any action, and other legislative priorities, such as federal surveillance authority renewal and an email privacy law overhaul, may dampen the bill’s prospects this year. However, broad industry support and increasing cybersecurity risks to the government and private sector may force the House to take up the measure. The NIST Small Business Cybersecurity Act, H.R. 2105, may see House floor action this year because it has bipartisan support and the backing of the U.S. Chamber of Commerce and the National Association of Federal Credit Unions.
  • Senate: The PATCH Act, S. 1157, also hasn’t seen action in the Senate and may face the same fate as the House bill due to other legislative priorities. The Senate may act on the bill if cyberattacks continue or ramp up, causing greater risks to the government or companies. The Senate hasn’t acted on Donovan’s Cyber Preparedness Act, H.R. 584, and it’s unclear if it will take further action this year. The MAIN STREET Cybersecurity Act, S. 770, may see Senate floor action this year because it has bipartisan support and the backing of the National Small Business Association, the U.S. Chamber of Commerce, and the Information Technology Industry Council.
  • Administration: The Trump administration hasn’t taken a position on any of the bills.

EMAIL PRIVACY
LEGISLATIVE PURPOSE

  • (H.R. 387, S. 1654, S. 1657, S. 1671) These bills would amend the Electronic Communications Privacy Act, a 1986 law passed before the internet and email became prevalent. They include provisions that would require warrants for access to all stored communications except in certain limited circumstances.
  •  A U.S. Court of Appeals for the Second Circuit decision in Microsoft v. United States brought ECPA warrant issues to the forefront this year when the court ruled that the Stored Communications Act—part of ECPA—couldn’t be used to compel Microsoft to turn over emails stored on servers in Ireland without a warrant. The Second Circuit called on Congress to update the law to better protect privacy interests and law enforcement access to data stored abroad.
  •  H.R. 387 and S. 1654, the Email Privacy Act, would require warrants for access to stored communications by eliminating an ECPA provision allowing less stringent requirements for emails held for more than 180 days.
  •  S. 1657, the ECPA Modernization Act, is similar to S. 1654 but includes further protections for historical and real-time geolocation information. It would prohibit the use of communication and geolocation data obtained in violation of ECPA, and would require notice within 10 days to individuals whose electronic communications were sought under a warrant.
  •  S. 1671, the International Communications Privacy Act (ICPA), also includes the warrant requirement for stored communications no matter where the data is stored. Under the bill, U.S. law enforcement agencies would be able to obtain communications of foreign nationals located outside the U.S. under certain circumstances.
  •  ICPA also includes language that would instruct Congress, the Department of Justice, and the U.S. Trade Representative to pursue trade deals and other initiatives that don’t include data localization requirements.

BILL STATUS

  • House: The House passed H.R. 387, by Rep. Yoder (R-Kan.), by voice vote Feb. 6, and it was referred to the Senate Judiciary Committee.
  • Senate: Sen. Lee (R-Utah) introduced S. 1654 July 27 and it was referred to the Judiciary Committee. Lee introduced S. 1657 July 27, and it was referred to Judiciary. Sen. Hatch (R-Utah) introduced S. 1671 July 27, and it was referred to the Judiciary Committee.

OUTLOOK

  • Senate: S. 1654, the companion legislation to the House-passed bill, has the best chance of advancing in the Senate this year. However, the Email Privacy Act died in the Senate last year due to objections from Sen. Cornyn (R-Texas). The bill died after Cornyn pushed for language that would have expanded the FBI’s use of national security letters to access stored communications. It is unclear whether Cornyn or other senators would try to advance such language this year.
  • Administration: President Trump hasn’t taken a position on any of the bills. The Department of Justice has supported updates to ECPA, such as a requirement for email service providers subject to U.S. jurisdiction to turn over data no matter where the provider chooses to store it, similar to language in S. 1671. However, the DOJ hasn’t backed a specific bill and is looking to the U.S. Supreme Court to overturn the Second Circuit’s Microsoft decision.

FISA REAUTHORIZATION
LEGISLATIVE PURPOSE

  • (S. 1297) The Foreign Intelligence Surveillance Act (FISA) gives the National Security Agency authority to conduct electronic and physical surveillance on foreign targets. Section 702 of the law specifically authorizes government collection of digital communications of foreign citizens outside of the U.S. from internet service and other communications providers. The authority is set to expire Dec. 31.
  •   S. 1297 would reauthorize Section 702 permanently. Lawmakers are weighing other approaches, such as legislation that would temporarily renew the authority and add privacy protections, but no other bills have been introduced.
  •   Tech companies, such as Facebook Inc., Microsoft Corp., and Alphabet Inc.'s Google, have called for more transparency and privacy protections in the Section 702 process. Privacy advocates, including the American Civil Liberties Union and FreedomWorks LLC, have rallied against the Senate bill, saying it would allow the U.S. government to conduct surveillance on U.S. citizens without a warrant.

BILL STATUS

  • House: No reauthorization bill has been introduced in the House.
  • Senate: Sen. Cotton (R-Ark.) introduced S. 1297 June 6, and it was referred to the Judiciary Committee.

OUTLOOK

  • House: Although no bill has been introduced, House lawmakers probably will act before the end of the year to prevent the surveillance authority from expiring.
  • Senate: S. 1297 has broad support from Republicans on the Select Committee on Intelligence, including Chairman Burr (N.C.). Democrats, including Intelligence Committee ranking member Feinstein (Calif.) and Sen. Franken (Minn.), have argued for a sunset provision to ensure regular review of the surveillance authority to make sure privacy protections are maintained. Republicans and Democrats agree that FISA Section 702 is an important surveillance tool, and the main question is likely to be whether to reauthorize it temporarily or permanently.
  • Administration: President Trump has called for a “clean reauthorization” of the expiring surveillance provisions without a sunset provision. Trump’s homeland security and counterterrorism adviser, Tom Bossert, has also backed Cotton’s bill.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
