<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HHR New Media, Entertainment and Technology Group &#187; legislation</title>
	<atom:link href="http://digitalhhr.com/tag/legislation/feed/" rel="self" type="application/rss+xml" />
	<link>http://digitalhhr.com</link>
	<description>An online community</description>
	<lastBuildDate>Mon, 21 May 2012 18:54:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<item>
		<title>States Jump Into the Security Breach Breach</title>
		<link>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/</link>
		<comments>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/#comments</comments>
		<pubDate>Mon, 07 Feb 2011 16:24:06 +0000</pubDate>
		<dc:creator>Wayne Josel and Cindy Lo</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2072</guid>
		<description><![CDATA[As discussed in our recent webinar “Whose Data Is It Anyway: Privacy in the De-Centralized Digital World”, currently there is no comprehensive federal statutory scheme to govern the protection of privacy.  While lawmakers and agencies at the federal level continue to grapple with developing useful legislation to address privacy and security breach concerns, lawmakers in [...]]]></description>
			<content:encoded><![CDATA[<p>As discussed in our recent webinar <a title="Digital HHR Webinars" href="http://digitalhhr.com/webinars/" target="_blank">“Whose Data Is It Anyway: Privacy in the De-Centralized Digital World”</a>, currently there is no comprehensive federal statutory scheme to govern the protection of privacy.  While lawmakers and agencies at the federal level continue to grapple with developing useful legislation to address privacy and security breach concerns, lawmakers in three states recently introduced legislation in attempts to strengthen their respective state’s security breach notification systems.<span id="more-2072"></span></p>
<p>These separate initiatives come on the heels of the issuance of a “Green Paper” on privacy by the U.S. Department of Commerce Internet Policy Task Force, entitled <a title="“Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” - US Commerce Dept. Internet Policy Task Force" href="http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf?referer=');">“Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”</a>.  One of the Green Paper’s key proposals is ensuring “nationally consistent security breach notification rules” through a federal commercial data security breach notification law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by state authorities.</p>
<p>In early December, 2010, California State Senator Joe Simitian (D-Palo Alto) introduced <a title="California State Senate - SB 24" href="http://leginfo.ca.gov/pub/11-12/bill/sen/sb_0001-0050/sb_24_bill_20101206_introduced.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/leginfo.ca.gov/pub/11-12/bill/sen/sb_0001-0050/sb_24_bill_20101206_introduced.html?referer=');">a bill</a> that, if enacted, would establish requirements for any notice sent to consumers in the event of a security breach.  The legislation is intended to update Simitian’s <a title="California Civil Code Section 1798.82 " href="http://www.leginfo.ca.gov/pub/01-02/bill/asm/ab_0651-0700/ab_700_bill_20020929_chaptered.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.leginfo.ca.gov/pub/01-02/bill/asm/ab_0651-0700/ab_700_bill_20020929_chaptered.html?referer=');">landmark 2003 privacy protection</a>, which required any business or state agency that loses unencrypted personal information to send a security breach notification letter to consumers whose privacy was compromised and inspired more than 40 states to adopt similar legislation.  The proposed bill requires any breach notice to disclose to consumers details of the security breach, including the types of information that were the subject of the breach and the date the breach occurred.  
While the bill is intended to compel businesses or agencies to be more forthcoming with consumers regarding details of any security breach, former Governor Arnold Schwarzenegger <a title="Schwarzenegger Vetoes Update to California Privacy Law - PCWorld.com" href="http://www.pcworld.com/article/173619/schwarzenegger_vetoes_update_to_california_privacy_law.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.pcworld.com/article/173619/schwarzenegger_vetoes_update_to_california_privacy_law.html?referer=');">vetoed</a> similar proposals in 2009 and 2010, citing a lack of proof that the bills would benefit consumers and contending that they would be overly burdensome on businesses.</p>
<p>Lawmakers in <a title="Virginia State Senate Bill No. 1041 " href="http://leg1.state.va.us/cgi-bin/legp504.exe?111+ful+SB1041" target="_blank" onclick="pageTracker._trackPageview('/outgoing/leg1.state.va.us/cgi-bin/legp504.exe?111+ful+SB1041&amp;referer=');">Virginia introduced legislation in January of this year to expand notification requirements following a breach of security with respect to medical information</a>.  While under current Virginia law, the requirement to provide notice only applies to organizations, corporations or agencies “supported wholly or principally by public funds”, the amended bill would extend the state’s requirement to notify individuals of a breach of their medical information to all individuals and public and private entities.  The bill also allows the state’s Attorney General to impose a civil penalty of up to $150,000 per breach of the security of the system or a series of similar breaches of a similar nature that are discovered in an investigation.</p>
<p>The same day that the Virginia bill was introduced, lawmakers in Oregon proposed <a title="Oregon House Bill 2851 to amend the Oregon Consumer Identity Theft Protection Act" href="http://www.leg.state.or.us/11reg/measpdf/hb2800.dir/hb2851.intro.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.leg.state.or.us/11reg/measpdf/hb2800.dir/hb2851.intro.pdf?referer=');">House Bill 2851</a>, an amendment to the Oregon Consumer Identity Theft Protection Act.  Oregon is currently one of a majority of states whose breach notification laws do not apply to hard-copy records.  The newly-introduced legislation would close that gap by requiring notice of an unauthorized disclosure of data contained in such hard copies.</p>
<p>While not necessarily inconsistent, the recent proposals in California, Virginia and Oregon make it clear that state regulatory and enforcement schemes in the privacy area have not all achieved a uniform point of evolution.  For many years, California had a security breach notification requirement on its books.  Virginia’s regulation on medical information breaches didn’t cover private entities.  And Oregon did not provide protection for privacy breaches resulting from disclosure of information on hard copy documents.</p>
<p>While the federal government speaks of uniform standards, it is still too early to tell whether those standards will take the form of a detailed, robust notification system, be based on the lowest common denominator among the current state schemes or fall somewhere in between those extremes.  We will continue to follow the ongoing developments, at both the state and federal levels, as this debate will no doubt evolve in the coming months and years.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>European “Three Strikes” Initiatives Move Beyond Concept and Become Law</title>
		<link>http://digitalhhr.com/2010/09/european-%e2%80%9cthree-strikes%e2%80%9d-initiatives-move-beyond-concept-and-become-law/</link>
		<comments>http://digitalhhr.com/2010/09/european-%e2%80%9cthree-strikes%e2%80%9d-initiatives-move-beyond-concept-and-become-law/#comments</comments>
		<pubDate>Mon, 06 Sep 2010 20:07:40 +0000</pubDate>
		<dc:creator>Hali Pedersen</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[copyright infringement]]></category>
		<category><![CDATA[enforcement]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[France]]></category>
		<category><![CDATA[Infringement]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[piracy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[restrictions]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1717</guid>
		<description><![CDATA[Over the last year, we’ve been following the recent trends in Europe regarding “three strikes” legislation, where end-users may be subject to sanction by their ISPs for repeated acts of copyright infringement.  Following passage of the first such law in France last fall, the United Kingdom followed suit in early 2010 with passage of the [...]]]></description>
			<content:encoded><![CDATA[<p>Over the last year, we’ve been following the recent trends in Europe regarding “three strikes” legislation, where end-users may be subject to sanction by their ISPs for repeated acts of copyright infringement.  Following passage of the first such law in France last fall, the United Kingdom followed suit in early 2010 with passage of the <a href="http://www.statutelaw.gov.uk/legResults.aspx?activeTextDocId=3699621" onclick="pageTracker._trackPageview('/outgoing/www.statutelaw.gov.uk/legResults.aspx?activeTextDocId=3699621&amp;referer=');">Digital Economy Act</a>.  While it is too early to say with certainty whether the laws will achieve their stated goal of deterring and ultimately reducing infringement, the debate surrounding these laws and early experience under their enforcement schemes provides insight into whether or not “deputizing” ISPs to police piracy will become more prevalent or whether yet another approach will need to be devised to protect content owners.<span id="more-1717"></span></p>
<p>In October 2009, France’s high court approved “<em>Loi favorisant la diffusion et la protection de la création sur Internet</em>”, or “HADOPI” (see our previous post: <a href="http://digitalhhr.com/2009/10/three-strikes-and-you%e2%80%99re%e2%80%a6outttt-of-french-cyberspace/">Three Strikes and You’re…OUTTTT! (Of French Cyberspace)</a>).  Now almost one year into the life of the law, results have been mixed. The French government has said that it is prepared to begin issuing warnings and sanctions under the law, but no action has been taken yet. Commentators have questioned the feasibility of the law (e.g., the ease with which offenders can regain access to the Internet), and some original supporters of the legislation have <a href="http://arstechnica.com/tech-policy/news/2010/07/first-anniversary-bfrench-legislators-have-second-thoughts-on-three-strikes-lawrings-second-thoughts-on-french-3-strikes.ars" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/tech-policy/news/2010/07/first-anniversary-bfrench-legislators-have-second-thoughts-on-three-strikes-lawrings-second-thoughts-on-french-3-strikes.ars?referer=');">qualified their original support</a> of the law in response to adverse political reaction.</p>
<p>The U.K.’s <a href="http://www.statutelaw.gov.uk/legResults.aspx?activeTextDocId=3699621" onclick="pageTracker._trackPageview('/outgoing/www.statutelaw.gov.uk/legResults.aspx?activeTextDocId=3699621&amp;referer=');">Digital Economy Act</a> was enacted on June 8, 2010. Aimed at regulating the access of copyrighted material by end-users, one controversial section of the law establishes a system for identifying users who access illegal materials and for gradually increasing technical restrictions on their Internet access. These restrictions involve initially downgrading the quality of a user’s connection (the hope being that slower upload and download speeds will act as a deterrent to piracy) and culminate in a complete denial of Internet access.</p>
<p>Since the enactment of the DEA, the Office of Communications (Ofcom), an independent regulator and competition authority for the UK communications industries, has developed a <a href="http://stakeholders.ofcom.org.uk/consultations/copyright-infringement/summary" onclick="pageTracker._trackPageview('/outgoing/stakeholders.ofcom.org.uk/consultations/copyright-infringement/summary?referer=');">protocol</a>/<a href="http://stakeholders.ofcom.org.uk/binaries/consultations/copyright-infringement/summary/condoc.pdf" onclick="pageTracker._trackPageview('/outgoing/stakeholders.ofcom.org.uk/binaries/consultations/copyright-infringement/summary/condoc.pdf?referer=');">obligations code</a> for implementing the legislation (but has said that plans to disconnect end-users from the Internet would not come into force until next year). ISPs are tasked with identifying and compiling a list of those end-users believed to be engaging in infringing conduct via a three-stage notification process, which includes sending letters to such end-users (which must include certain “standardized” information in connection with the allegations made against the end-user and what actions such end-user can take both to challenge the allegation and to protect their network). Rights holders can also request the ISP to identify those end-users who have breached an Ofcom-defined threshold for continued violation of access to information (i.e., following the third notification to a particular end-user), after which the rights holder may petition a court for identification of the user for purposes of initiating litigation.</p>
<p>Not surprisingly, the DEA has been subject to criticism from many perspectives.  Certain commentators have claimed that the complete denial of Internet service may violate existing European Union principles and regulations intended to preserve EU residents’ “basic rights and freedoms”, one of which is the right to access and use the Internet, and say that even worse is the manner in which the act was passed into law (which ISPs claim was rushed through Parliament with insufficient scrutiny). Further criticism focuses on the fact that the DEA provides only for an independent, limited appeals process for end-users who believe they have been wrongly accused of copyright infringement (as opposed to due process in a judicial proceeding). Consumer rights groups have raised concerns that an innocent user who has not encrypted her wireless network may be sanctioned if others access the network to engage in unauthorized conduct.  In addition, some have predicted that the threat of <a href="http://www.guardian.co.uk/technology/2010/jun/01/digital-economy-act-will-fail" onclick="pageTracker._trackPageview('/outgoing/www.guardian.co.uk/technology/2010/jun/01/digital-economy-act-will-fail?referer=');">disconnection may alienate</a> the most avid <em>legal</em> buyers of entertainment content, encouraging them to switch to anonymized, encrypted alternatives so as not to reveal their identity.  Lastly, because the DEA only applies to ISPs with more than 400,000 customers, one <a href="http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act" onclick="pageTracker._trackPageview('/outgoing/www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act?referer=');">consequence</a> of the law could be a flight of consumers to smaller ISPs, placing the larger ISPs at a commercial disadvantage.</p>
<p>Many major ISPs have recently spoken out against the DEA.  TalkTalk and British Telecom (the UK’s largest providers of broadband to homes) have initiated legal challenges, with their core claim being that the DEA <a href="http://www.zdnet.co.uk/news/regulation/2010/07/08/bt-talktalk-to-take-digital-economy-act-to-high-court-40089475/" onclick="pageTracker._trackPageview('/outgoing/www.zdnet.co.uk/news/regulation/2010/07/08/bt-talktalk-to-take-digital-economy-act-to-high-court-40089475/?referer=');">conflicts with existing European Union regulations</a> relating to individual privacy and electronic communications directives, as well as e-commerce directives.  They have also raised concerns about the role of <a href="http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act" onclick="pageTracker._trackPageview('/outgoing/www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act?referer=');">ISPs in policing the Internet</a> (i.e., that ISPs are mere conduits of content and should not be held responsible for traffic on their services).</p>
<p>Many reporters and commentators have also started to speculate about the <a href="http://www.talktalkgroup.com/press-centre/news/press-office/168/digital-economy-bill-cannot-protect-copyright" onclick="pageTracker._trackPageview('/outgoing/www.talktalkgroup.com/press-centre/news/press-office/168/digital-economy-bill-cannot-protect-copyright?referer=');">practical ramifications of the DEA</a>.  These include concerns that the increased <a href="http://www.zeropaid.com/news/89228/consumers-to-foot-digital-economy-act-bill-warns-consumer-groups/" onclick="pageTracker._trackPageview('/outgoing/www.zeropaid.com/news/89228/consumers-to-foot-digital-economy-act-bill-warns-consumer-groups/?referer=');">costs borne by ISPs in identifying and notifying infringing users</a> may be passed on to subscribers, raising access costs across the board.  Additionally, there is speculation that <a href="http://www.pcworld.com/article/201189/uk_royalty_society_suggests_isps_pay_for_pirated_music.html" onclick="pageTracker._trackPageview('/outgoing/www.pcworld.com/article/201189/uk_royalty_society_suggests_isps_pay_for_pirated_music.html?referer=');">additional taxes</a> may be imposed on ISPs for transmission of pirated content by their subscribers.  Finally, the potential <a href="http://www.themusicvoid.com/2010/07/swings-roundabouts-and-lashings-of-legislative-lamenting/" onclick="pageTracker._trackPageview('/outgoing/www.themusicvoid.com/2010/07/swings-roundabouts-and-lashings-of-legislative-lamenting/?referer=');">ramifications of long-term end-user tracking</a> (e.g., data retention issues) have raised additional privacy concerns.</p>
<p>Reception of the three-strikes legislation, or graduated response, has been mixed elsewhere in the European Union and around the world.  In some countries, such as <a href="http://www.edri.org/edrigram/number8.6/four-strikes-belgium" onclick="pageTracker._trackPageview('/outgoing/www.edri.org/edrigram/number8.6/four-strikes-belgium?referer=');">Belgium</a> and <a href="http://www.mis-asia.com/news/articles/report-singapore-considers-three-strikes-anti-piracy-law" onclick="pageTracker._trackPageview('/outgoing/www.mis-asia.com/news/articles/report-singapore-considers-three-strikes-anti-piracy-law?referer=');">Singapore</a>, active or proposed legislation has tried to establish administrative oversight of illegal access to copyrighted material. In others, such as <a href="http://www.techeye.net/internet/german-justice-minister-snuffs-record-industry-defends-creators#ixzz0uAdMbhj7" onclick="pageTracker._trackPageview('/outgoing/www.techeye.net/internet/german-justice-minister-snuffs-record-industry-defends-creators_ixzz0uAdMbhj7?referer=');">Germany</a>, the government has taken a more laissez-faire approach by asking individual ISPs to handle content regulation and restriction without active government intervention.  </p>
<p>The point of restriction of content access varies as well. Graduated response, such as the process promulgated by HADOPI, puts the onus upon the individual end-user (i.e., if the end-user infringes upon copyright and accesses copyrighted material, she suffers the potential sanction of denial of Internet service). In other proposals, this remedy is rejected in favor of putting the burden on ISPs: the service provider must actively block websites known to provide copyrighted material illegally. Yet other proposed regulations include targeting the website itself and have imposed (or have tried to impose) <a href="http://www.theregister.co.uk/2010/07/19/pirate_bay_fine/" onclick="pageTracker._trackPageview('/outgoing/www.theregister.co.uk/2010/07/19/pirate_bay_fine/?referer=');">sanctions against individual websites</a> for their presence within a certain country.</p>
<p>These alternate approaches clearly reveal the competing, deeply-rooted political philosophies and interests engaged in the debate.  Is digital piracy something that should be primarily policed by the government through stringent regulatory schemes?  Or should the responsibility fall to commercial stakeholders, such as content owners and ISPs?  How does one resolve the competing interests between content owners (who seek the most stringent protections available) and ISPs (who may view themselves as a passive provider of a basic service, not an active enforcement agency)?  And will innocent end-users find that they are adversely impacted by the actions of true infringers?</p>
<p>While there may be universal agreement that infringing activity must be inhibited, it is unlikely that a single, unified approach to the problem will emerge any time soon.  However, through trial and error and the experience of “early adopter” nations such as France and the UK, it is possible that a consensus will emerge on a scheme that achieves a balance among the concerns and interests of the various stakeholders.</p>
<p>We will obviously keep an eye on future developments in this area of the law and relevant industry practices.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2010/09/european-%e2%80%9cthree-strikes%e2%80%9d-initiatives-move-beyond-concept-and-become-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Congress Debates P2P Security</title>
		<link>http://digitalhhr.com/2010/07/congress-debates-p2p-security/</link>
		<comments>http://digitalhhr.com/2010/07/congress-debates-p2p-security/#comments</comments>
		<pubDate>Tue, 06 Jul 2010 21:55:23 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1658</guid>
		<description><![CDATA[In a previous post, we discussed “The Secure Federal File Sharing Act” (H.R. 4098), a bill introduced in the House that was aimed to improve security in federal computing by barring federal employees and contractors from downloading, installing, or using peer-to-peer (P2P) software absent prior official approval.  The House ultimately passed this bill on March [...]]]></description>
			<content:encoded><![CDATA[<p>In <a title="Legislation to Bar Fed Workers from Downloading P2P Software Introduced in House - digitalhhr.com" href="http://digitalhhr.com/2009/12/legislation-to-bar-fed-workers-from-downloading-p2p-software-introduced-in-house/" target="_blank">a previous post</a>, we discussed “The Secure Federal File Sharing Act” (H.R. 4098), a bill introduced in the House that aimed to improve security in federal computing by barring federal employees and contractors from downloading, installing, or using peer-to-peer (P2P) software absent prior official approval.  The House ultimately passed this bill on March 24, 2010.  On June 14, 2010, Senators Claire McCaskill (D-MO) and Robert F. Bennett (R-UT) introduced <a title="Secure Federal File Sharing Act - S.3484" href="http://www.govtrack.us/congress/billtext.xpd?bill=s111-3484" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.govtrack.us/congress/billtext.xpd?bill=s111-3484&amp;referer=');">a companion bill</a> under the same name in the Senate (S. 3484).  This bill has been referred to the Senate Homeland Security and Governmental Affairs Committee. <span id="more-1658"></span></p>
<p>The House bill was prompted by <a title="Congressman calls for P2P ban after sensitive data leaks - arstechnica.com" href="http://arstechnica.com/security/news/2009/07/congress-wants-ban-on-p2p-software-for-government-computers.ars" target="_blank" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/security/news/2009/07/congress-wants-ban-on-p2p-software-for-government-computers.ars?referer=');">a series of embarrassing leaks of government-held data on everything from nuclear facilities to Army officers’ Social Security numbers</a> to confidential <a title="House pushes ban on peer-to-peer software - msnbc.com" href="http://www.msnbc.msn.com/id/34001958/ns/technology_and_science-security/" onclick="pageTracker._trackPageview('/outgoing/www.msnbc.msn.com/id/34001958/ns/technology_and_science-security/?referer=');">congressional ethics investigations</a>.  Those ethics panel leaks were <a title="House pushes ban on peer-to-peer software - msnbc.com" href="http://www.msnbc.msn.com/id/34001958/ns/technology_and_science-security/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.msnbc.msn.com/id/34001958/ns/technology_and_science-security/?referer=');">labeled by the Recording Industry Association of America as “a powerful catalyst to enact real reforms to protect consumers.”</a>  A recent report revealing the troubling degree of insecurity in federal government file transfers will probably only add urgency to the debate on the Senate bill.  The study, titled “Why Encrypt? Federal File Transfer Report,” was released on May 11, 2010 by MeriTalk, a government IT network, in conjunction with Axway, a company specializing in business-to-business integration software.  The report surveyed 200 federal IT and information security professionals.  It found that an alarming number of these personnel use unsafe file-transfer methods, including physical media (66%), FTP (60%), and personal email accounts like Gmail or Yahoo (52%).  
Although 80% claimed their agency had adequate transfer-security policies, only 58% said employees were aware of those policies, and just 42% said such policies were consistently followed. </p>
<p>It will be worth staying tuned to see whether these damning statistics will convince the entire Senate to bolster federal file-transfer security &#8212; and raise awareness about the issue &#8212; by passing the Secure Federal File Sharing Act.  One might also wonder whether these legislative developments would influence private-sector policymakers &#8212; in corporations and other institutions &#8212; to follow the federal government’s lead in banning P2P software use. </p>
<p>In any event, P2P security initiatives in the private sector may get a direct boost from the federal government through <a title="P2P Cyber Protection and Informed User Act - S.3027" href="http://www.govtrack.us/congress/billtext.xpd?bill=s111-3027" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.govtrack.us/congress/billtext.xpd?bill=s111-3027&amp;referer=');">“The P2P Cyber Protection and Informed User Act”</a>, introduced by Senators John Thune (R-SD) and Amy Klobuchar (D-MN). </p>
<p>If the Secure Federal File Sharing Act seeks to protect the government and the public alike from the dangers of data leaks within federal networks, the Thune-Klobuchar legislation seeks to protect all individual users of P2P software from inadvertently exposing their own private files to the public.  Thune <a title="Klobuchar, Thune Introduce Bipartisan Legislation to Improve Privacy and Security for Internet Users - Sen. Amy Klobuchar" href="http://klobuchar.senate.gov/newsreleases_detail.cfm?id=322463&amp;" target="_blank" onclick="pageTracker._trackPageview('/outgoing/klobuchar.senate.gov/newsreleases_detail.cfm?id=322463_amp&amp;referer=');">said</a> his bill will take aim at “the privacy and security threats associated with” P2P file-sharing.  Klobuchar <a title="Keeping others' noses out of your computer - startribune.com" href="http://www.startribune.com/politics/89478877.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.startribune.com/politics/89478877.html?referer=');">explained to the <em>Minneapolis Star Tribune</em></a> that “without proper precautions, P2P software can allow anyone on the network to gain access to all the files on your computer, not just the ones you intend to share.”  She said that because such software often “allow[s] access to private financial or family records, it’s an invitation to identity thieves and sexual predators.”</p>
<p>The Klobuchar-Thune bill, whose companion legislation has already been passed in the House as the <a title="Informed P2P User Act - H.R. 1319" href="http://www.govtrack.us/congress/billtext.xpd?bill=h111-1319" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.govtrack.us/congress/billtext.xpd?bill=h111-1319&amp;referer=');">“Informed P2P User Act”</a> (H.R. 1319), includes two major components.  First, it would require all P2P software to provide a user with “clear and conspicuous” notice of the program’s function, and obtain the user’s consent, before the software is downloaded or installed.  Second, the bill would make it illegal to prevent a user from blocking, disabling, or removing P2P software.  The bill would bestow enforcement authority upon the FTC, which in February 2010 <a title="FTC Warns Of Widespread Data Breaches - Informationweek.com" href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=223100254&amp;subSection=Internet" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=223100254_amp_subSection=Internet&amp;referer=');">notified about 100 private and public organizations that they had suffered P2P-based data breaches</a>.    </p>
<p>It would be worth speculating on whether this wider regulation of P2P software could ultimately have a chilling effect on the general public’s use of programs like uTorrent, Shareaza, Ares, Limewire, and BitComet.  If so, one might imagine that content owners may get behind the bill in an effort to stem the losses from P2P-based infringement.  The bill has received support from the RIAA, the <a title="DMA Announces Support for New 'P2P Cyber Protection and Informed User Act' - the-dma.org" href="http://www.the-dma.org/cgi/disppressrelease?article=1394+++++" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.the-dma.org/cgi/disppressrelease?article=1394+++++&amp;referer=');">Direct Marketing Association</a>, Stop Child Predators, and 41 state attorneys general.     </p>
<p>Stay tuned.</p>
<p>**  Nathaniel Fintz, a summer associate with the Firm, assisted in the preparation of this post.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2010/07/congress-debates-p2p-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Legislation to Bar Fed Workers from Downloading P2P Software Introduced in House</title>
		<link>http://digitalhhr.com/2009/12/legislation-to-bar-fed-workers-from-downloading-p2p-software-introduced-in-house/</link>
		<comments>http://digitalhhr.com/2009/12/legislation-to-bar-fed-workers-from-downloading-p2p-software-introduced-in-house/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 17:16:04 +0000</pubDate>
		<dc:creator>Hali Pedersen</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[LimeWire]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1499</guid>
		<description><![CDATA[A highly classified House Ethics Committee report outlining inquiries involving dozens of members of Congress was recently leaked over the Internet after a junior committee staff member saved it on the hard drive of his home computer, on which he happened to have peer-to-peer (P2P) file sharing software installed.  There is no evidence the staffer [...]]]></description>
			<content:encoded><![CDATA[<p>A highly classified House Ethics Committee report outlining inquiries involving dozens of members of Congress was recently leaked over the Internet after a junior committee staff member saved it on the hard drive of his home computer, on which he happened to have peer-to-peer (P2P) file sharing software installed.  There is no evidence the staffer intended the report, which detailed investigations that included financial dealings, travel and campaign donations, to be shared with other P2P software users around the world.  But in an official attempt to combat such leaks, US Rep. Edolphus Towns (D-N.Y.), an avid critic of self-regulation of P2P software use, recently introduced a new bill titled <em><a title="H.R. 4098, &quot;Secure Federal File Sharing Act&quot;" href="http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.4098:" target="_blank" onclick="pageTracker._trackPageview('/outgoing/thomas.loc.gov/cgi-bin/query/z?c111_H.R.4098&amp;referer=');">The Secure Federal File Sharing Act</a></em>. <span id="more-1499"></span></p>
<p>If adopted, the new Act would bar government employees and contractors from downloading, installing or even using P2P file sharing software, such as LimeWire, without official approval.  In response to the most recent leak, the bill would also require the White House to develop rules for employees working on home or personal computers.  In order to use file sharing networks, an agency head or CIO would have to make a special request to use the P2P software.  Furthermore, agencies would be obliged to establish P2P use policies, require that employees and contractors comply with them, and then create security mechanisms to detect and remove prohibited software. </p>
<p>In 2004, the White House Office of Management and Budget advised federal agencies simply not to use any P2P software.  As evidenced by the most recent embarrassment, this “advice” was not sufficient, and the hope now is that putting the prohibition into federal law will grant it much greater weight.  Critics of P2P software complain that personal data including social security numbers, medical records and tax returns are being shared because users are unaware of how the software operates, primarily because inadvertent file sharing occurs (for example, when a user wants to share music or video files from a specific location or folder on his/her PC, a variety of other personal data and files, in all different formats, may also be shared). </p>
<p>Security industry experts appearing at Congressional hearings earlier this year testified that <a title="Congressman calls for P2P ban after sensitive data leaks - arstechnica.com" href="http://arstechnica.com/security/news/2009/07/congress-wants-ban-on-p2p-software-for-government-computers.ars" target="_blank" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/security/news/2009/07/congress-wants-ban-on-p2p-software-for-government-computers.ars?referer=');">file sharing software has resulted in the release of personally identifiable information</a> associated with members of the U.S. military, including social security numbers of master sergeants, medical records and even surveillance photos.  In addition, information accidentally released from a Fortune 100 company included thousands of e-mails, contact addresses, phone numbers and passcodes.  Rep. Towns’ goal is to “put a referee on the field” in terms of regulating use of such software in response to what he deems the file-sharing industry’s unwillingness and/or inability to ensure user safety.  It appears he will also dedicate resources to encourage the government to launch <a title="House Hearing on Inadvertent File Sharing over Peer-to-Peer Networks, Closing Statement of U.S. Rep. Towns, July 29, 2009" href="http://oversight.house.gov/images/stories/Hearings/Committee_on_Oversight/Closing_Statement_P2P_7.209.2009.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/oversight.house.gov/images/stories/Hearings/Committee_on_Oversight/Closing_Statement_P2P_7.209.2009.pdf?referer=');">a national consumer education campaign about the dangers associated with the use of file-sharing software</a>. </p>
<p>Rep. Towns also proposed that the Federal Communications Commission and Federal Trade Commission look to aid in preventing this growing problem.  Right now, however, it is unclear what kind of influence is statutorily granted to the FCC, if any at all. </p>
<p>Regardless, it will also be very interesting to see whether, and when, the specter of this new bill being enacted into law will affect future P2P file sharing program use in the commercial sector, or lead to additional policy and regulatory initiatives in the area.</p>
<p>*  Kari Hirsch, who recently joined the DigitalHHR team, contributed to the preparation of this post.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2009/12/legislation-to-bar-fed-workers-from-downloading-p2p-software-introduced-in-house/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

