E-Commerce Law Week, Issue 620
August 21, 2010
Congress Flexes Its Muscles On Cybersecurity
The U.S. Senate, by unanimous consent, passed S. 3611, the “Intelligence Authorization Act for Fiscal Year 2010,” which would require government agencies engaged in "cybersecurity programs" to make regular privacy assessments of those programs and report on them to Congress. Section 336 of the bill, if enacted into law, would establish more congressional oversight over cybersecurity activities through notifications from the White House, independent audits and reviews, and reports from heads of agencies and their inspectors general. That section also requires reports on the sharing of cyber-threat information with the private sector. And, notably, it asks for reports on ways cybersecurity might be improved -- including "data retention requirements." The House version of the authorization bill (H.R. 2701), which passed the House on February 26, contains an almost identical provision, so it is likely the language will remain largely intact when the bills are reconciled in conference.
One More Breach Notification Bill Arrives For the Endless Debutante Ball
The Data Security and Breach Notification Act of 2010 (S. 3742) made its debut before the Senate Committee on Commerce, Science and Technology on August 5. As introduced by Committee Chairman John D. Rockefeller (D-WV) and Sen. Mark Pryor (D-AR), the bill would require companies and not-for-profits to establish security measures to protect the personal information of consumers, notify both the Federal Trade Commission and affected individuals in the event of a security breach, and provide affected individuals with free credit reporting and identity theft services. Businesses already in compliance with similar regulations (such as rules under the Health Insurance Portability and Accountability Act) would be deemed in compliance with the new regulations. S. 3742 joins several similar bills pending before Congress, with none anywhere close to final passage. These include the Personal Data Privacy and Security Act of 2009 (S. 1490), approved by the Senate Judiciary Committee, the Data Security Act of 2010 (S. 3579), introduced in the Senate Banking Committee, and the Data Accountability and Trust Act (H.R. 2221), approved by the House and referred to the Senate last December.
Israeli Banks Receive Instructions on Safe Socializing
Businesses looking for ways to increase efficiency and reach out to the public see a lot to like in Web 2.0 applications and social networking sites. As employers around the world are also discovering, however, the security and privacy issues that accompany those potential boons can be quite confounding. On July 28, the Israeli Supervisor of Banks sent a letter to Israeli banks and credit card companies outlining key concerns about the Web 2.0 platform and specifically blogs and social networking sites like Twitter, Facebook, YouTube, LinkedIn, and MySpace. The letter requires financial institutions to take certain actions to mitigate risks to the security and privacy of employee and customer data posed by the use of such online social networking sites by bank employees. Financial institutions must assess the overall dangers, preferably using an outside expert on social networks, create a security policy for the use of such networks, and establish a strategy for enforcing the new security parameters. The requirements laid out in the July 28 letter are in addition to those set forth by the Supervisor of Banks in Proper Conduct of Banking Business Regulation No. 357, Information Technology Management, as well as other applicable laws and regulations.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.
















