Crowell & Moring

President announces cybersecurity action plan; Congress passes Judicial Redress Act; French DPA notice provides compliance guidance; and FCC set to enforce CPNI rules.

President Obama Announces Cybersecurity Action Plan

The President announced his Cybersecurity National Action Plan (CNAP) this week, with a FY 2017 Budget proposal that includes $19 billion on CNAP initiatives – a 35 increase in cybersecurity spending over his FY 2016 budget. While the CNAP focuses on the private sector’s role in shoring up the nation’s cybersecurity, it contemplates only voluntary activities and does not impose obligations on the private sector. The CNAP includes plans to expand support for critical infrastructure, improve cyber hygiene, enhance cyber incident response, establish the Commission on Enhancing National Cybersecurity, modernize government IT and governance, and develop cybersecurity technology and workplace skills. To read more about the proposals and what it means for companies, please see our Client Alert on the CNAP.

Congress Passes Judicial Redress Act

The House of Representatives on February 10 passed the Judicial Redress Act with the Senate’s amendments. The bill would allow European Union (EU) citizens the ability to sue certain U.S. government agencies for civil damages for the unauthorized disclosure of their personal data. The Senate amendment added a clause allowing the Attorney General to revoke EU citizens’ court access if the EU or an EU Member State fails to permit the transfer of personal data for commercial purposes. The amendment was originally met with some frustration in Europe, but its lasting effect remains unknown.

The Judicial Redress Act now moves to the President’s desk to be signed into law. Its passage is a prerequisite of the U.S.-EU “umbrella agreement” which is intended to allow U.S. and EU law enforcement agencies to share data while providing significant privacy protections for the shared data. In addition, though the Judicial Redress Act was not a prerequisite for the passage of the U.S.-EU Safe Harbor replacement (named the EU-U.S. Privacy Shield) per se, its passage was expected to be seen favorably in Europe as trust is rebuilt with regard to commercial data flows. Passage of the Judicial Redress Act is expected to smooth the path for final acceptance of the EU-U.S. Privacy Shield by the EU.

French DPA Notice Provides Compliance Guidance

A recent compliance notice from the French data protection authority (CNIL) provides guidance to companies operating under the French data privacy law. The CNIL publicly issued a notice to Facebook demanding that the company bring a number of alleged French data protection law violations into compliance within three months or risk possible sanctions. Though the allegations cover practices from cookie placement to consent issues, notably the CNIL alleges that Facebook continues to rely on the invalidated U.S.-EU Safe Harbor. In the notice, the CNIL points to Facebook’s privacy statement which still mentions Safe Harbor (despite the fact that it also mentions Facebook’s use of EU Standard Contractual Clauses). For more information on what the Facebook notice means for other companies processing personal data of French citizens, please see our previous blog post on the CNIL action against Facebook.

FCC Set to Enforce CPNI Rules

The Federal Communications Commission (FCC) issued an enforcement advisory on Customer Proprietary Network Information (CPNI) compliance and the FCC’s plans to enforce the rules, including the annual certification requirement. CPNI data includes sensitive personal information such as phone numbers of calls made/received; frequency, duration, and timing of calls; and services purchased. The CPNI rules were originally issued by the FCC to protect the privacy of CPNI and to ensure that CPNI is adequately protected with technical safeguards implemented by providers.

Telecommunications carriers and interconnected VoIP providers subject to the CPNI rules must file a CPNI certification each year – due this year on March 1. The FCC’s advisory lists a number of frequent filing deficiencies that providers should avoid, including:

  • Failing to have the officer sign the certification;
  • Failing to provide a statement explaining how the provider’s operating procedures ensure compliance with the rules (as opposed to simply stating that the provider has adopted procedures);
  • Failing to state whether any actions were taken against data brokers; and
  • Failing to state clearly whether any customer complaints regarding unauthorized release of CPNI were received.

The FCC has provided an annual certification template, attached to the advisory, to assist providers with the complete submission of their certification. Providers should take heed of the FCC’s enforcement warning, avoid the common mistakes, and may wish to use the FCC’s certification template. The warning is likely a sign of enforcement actions to come.

Failure to comply with the CPNI rules, including annual certification, may subject providers to enforcement actions which can include money forfeitures of up to $160,000 per violation or each day of continuing violation, up to $1,575,000. False statements or misrepresentations made to the FCC may also be punishable by fine or imprisonment under Title 18 of the U.S. Code.