1/23. Rep. Henry Waxman (D-CA), Rep. Diane DeGette (D-CO), and Rep. Jan Schakowsky (D-IL) sent a letter to Target CEO Gregg Steinhafel regarding Target's recent disclosure of a data breach involving millions of customers' credit card, payment card, and other data. This letter is a request for production of documents.

The three Representatives are senior Democratic members of the House Commerce Committee (HCC). They stated that the HCC will hold a hearing "on this breach and the overall impact of data breaches on consumers during the first week in February".

(The Senate Judiciary Committee (SJC) will hold a hearing on Tuesday, February 4, 2014. See, notice.)

They wrote that "This breach is particularly significant because of its unprecedented scope and scale. More than one-fifth of Americans may be affected". They continued that "Questions remain about how exactly this attack was carried out, who was responsible, whether it could have been prevented, how Target responded, and how retailers and customers can protect themselves going forward."

They also requested that Target promptly produce numerous documents.

See also, related stories in this issue titled "Data Breach Bills Introduced", "Target Discloses Data Breach", "Nieman Marcus Announces Data Breach", and "More Data Breach News".

1/27. Representatives and Senators introduced several bills pertaining to data breaches, following Target's disclosure that its information systems were breached, and information on millions of its customers accessed.

Members have been introducing bills, and holding hearings, related to data breaches for many Congresses. However, the Congress has enacted no comprehensive bill.

The legislative response to the Target breach has followed an often repeated pattern in privacy related debates. Democrats have proposed legislation that would expand the federal government's power to regulate the private sector, in the cause of protecting individual privacy. Republicans have responded by arguing that the federal government itself poses significant threats to individual privacy, and have once again proposed legislation directed at privacy incursions involving the government.

There are numerous potential components of data breach bills. There is little consensus on any matters. For example, there is the question what constitutes a serious enough breach to warrant a mandatory notice to affected individuals. There is also the question of timing of such notices. There is also the matter of what must be the contents of such notices. There are also issues regarding whether the Congress should mandate information security practices, and if so, how broadly, and which agencies should have rule making and enforcement authority. There are also questions regarding redundant state data breach laws, preemption of related state laws, and limitations on private rights of action.

While the Congress has not enacted a data breach or information security statute, businesses are already subject to class action litigation. Numerous complaints have been filed against Target; at least one has already been filed against Michaels Stores (Christina Moyer v. Michaels Stores, U.S. District Court (NDIll), D.C. No. 14-cv-561). Businesses that experience breaches are also subject to state enforcement actions. There are also some civil and administrative actions brought by the Federal Trade Commission (FTC) under Section 5 of the FTC Act. See, story titled "FTC Administrative Complaint Asserts Authority to Regulate Data Security Practices" in TLJ Daily E-Mail Alert No. 2,595, September 4, 2013.

Leahy Bill. On January 8, 2014, Sen. Patrick Leahy (D-VT) and three other Senate Democrats introduced S 1897 [LOC | WW], the "Personal Data Privacy and Security Act of 2014".

Sen. Leahy introduced a related bill, with a similar title, in the 110th Congress. That bill was S 495 [LOC | WW], the "Personal Data Privacy and Security Act of 2007".

The other original cosponsors are Sen. Charles Schumer (D-NY), Sen. Al Franken (D-MN), and Sen. Richard Blumenthal (D-CT). All are members of the Senate Judiciary Committee (SJC). As of January 27, one more Senator joined as a cosponsor -- Sen. Robert Menendez (D-NJ).

This is a huge bill (69 pages in PDF) that does more than address data breaches. This bill would create a broad new federal regulatory regime pertaining to data breaches. Also, it would criminalize the concealment of certain data breaches.

However, this bill would also provide for the regulation of information security practices in the private sector. This bill would also expand, and rewrite much of, the Computer Fraud and Abuse Act (CFAA), which is codified at 18 U.S.C. § 1030.

This bill also contains cyber security provisions. It would also add a new section 1030A, titled "Aggravated damage to a critical infrastructure computer".

This bill contains some provisions that President Obama tried, but failed, to have enacted into law in the 112th Congress, and some that the Obama administration has since imposed by administrative process. (The Senate twice rejected that bill. The House did not consider it. The House passed a different cyber security bill, which the Senate did not consider.)

Sen. Leahy (at right) stated that "The recent data breach at Target involving the debit and credit card data of as many as 40 million customers during the Christmas holidays is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our Nation." See, Congressional Record, January 8, 2014, at page S134.

This bill was referred to the SJC. Sen. Leahy added that "Enacting this comprehensive data privacy legislation remains one of my legislative priorities as Chairman of the Judiciary Committee."

See also, Sen. Leahy's January 8 release.

ObamaCare Data Breach Bills. On January 9, 2014, Sen. John Barrasso (R-WY) and ten other Republican Senators introduced S 1902 [LOC | WW], the "Health Exchange Security and Transparency Act of 2014".

On January 7, Rep. Joe Pitts (R-PA) and numerous House Republicans introduced the companion bill in the House, HR 3811 [LOC | WW], also titled the "Health Exchange Security and Transparency Act of 2014".

The original cosponsors of S 1902 are Sen. Mike Johanns (R-NE), Sen. Tom Coburn (R-OK), Sen. Thad Cochran (R-MS), Sen. Johnny Isakson (R-GA), Sen. Jerry Moran (R-KS), Sen. Orrin Hatch (R-UT), Sen. Deb Fisher (R-NE), Sen. Tim Scott (R-SC), and Sen. Richard Burr (R-NC). As of January 27, there were a total of 24 sponsors -- Republicans all.

As of January 27, there were a total of 76 sponsors of HR 3811 -- all Republicans.

These bills are short and simple. They provide that "Not later than two business days after the discovery of a breach of security of any system maintained by an Exchange established under section 1311 or 1321 of the Patient Protection and Affordable Care Act (42 U.S.C. 18031, 18041) which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed, the Secretary of Health and Human Services shall provide notice of such breach to each such individual."

Sen. Johanns (at right) stated in a release that "Personal information is just that -- personal and private ... Americans are being forced to submit a great deal of sensitive data when they sign up for Obamacare, despite misgivings about the website and reports that it is susceptible to hackers. They have a right to know if their private information has been compromised. Our legislation provides that extra layer of protection."

These bills are a simplified version of HR 3795 [LOC | WW], a bill introduced on December 19, 2013 by Rep. Gus Bilrakis (R-FL). That bill is titled the "One Hour Notification Act of 2013" and the "OH No Act of 2013".

Other Bills. On January 15, 2014, Sen. Tom Carper (D-DE) and Sen. Roy Blunt (R-MO) introduced S 1927 [LOC | WW], the "Data Security Act of 2014". This bill is limited in scope, to the extent that it is directed at financial institutions and related entities, and expressly exempts all government entities.

This bill would give various financial regulatory agencies authority to write and enforce "regulations", including rules regarding information security standards, breach notices, and the content of notices.

This bill was referred to the Senate Banking Committee (SBC). Neither Sen. Carper nor Sen. Blunt are members.

On June 20, 2013, Sen. Pat Toomey (R-PA) introduced S 1193 [LOC | WW], the "Data Security and Breach Notification Act of 2013". As of January 27, 2014, there were all total of 8 sponsors. All are Republican, except Sen. Angus King (D-ME), who describes himself as an independent, but who caucuses with Democrats.

This bill exempts financial and related institutions, such as those covered by S 1927.

Notably, this bill includes a strong state law preemption clause.

Moreover, the Toomey bill is narrower than the Leahy bill as to what data breaches must be disclosed to the impacted individuals.

Under the Leahy bill, a company must give notice of a breach if it believes that "sensitive personally identifiable information" has been either "accessed, or acquired" (emphasis added). It is irrelevant whether or not there has been, of whether the company believes or not that there will be, identity theft or actual financial harm.

Under the Toomey bill, the company must give notice only when the information has been both accessed and acquired, and it believes that there has been or will be identity theft or actual financial harm.

S 1193 was referred to the Senate Commerce Committee (SCC). Sen. Toomey is not a member. However, five of the cosponsors are members.

1/27. The Target Corporation disclosed in a release on December 19, 2013 that it experienced "unauthorized access to payment card data". Target is a large U.S. based discount retailer that uses a bullseye trademark.

It added that "Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access".

Target CEO Gregg Steinhafel stated in a release on December 20 that "We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn't mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service."

Sen. Patrick Leahy (D-VT) stated in a release that "I am troubled by the revelation that Target suffered a major data security breach involving 40 million credit and debit cards used to pay for purchases at its stores. This data security breach is just the latest in a series of breaches that have impacted the privacy of millions of American consumers in recent years. It is also an important reminder that the Congress must act to develop a comprehensive national strategy to improve the nation's cybersecurity."

He added that "I have worked for many years to enact Federal data privacy legislation that would better protect American consumers and businesses from cybercrime", and "I will continue to closely monitor the ongoing investigation and to work with others in Congress to enact meaningful data privacy legislation in the new year."

New York Attorney General Eric Schneiderman stated in a release that following Target's disclosure, "I urged Target to offer affected New Yorkers one year of free credit monitoring to ensure they are not victims of identity theft. I'm pleased to report that, just a short time ago, Target agreed to our request."

Target added in an update on January 13 that "it was determined last week that certain guest information, including names, mailing addresses, phone numbers or email addresses, was also taken".

Steinhafel stated in a January 13 CNBC interview [32 minutes] that the breach involved malicious software on point of sale devices at Target store check outs. He said that "there was malware installed on our point of sale registers".

The January 23 letter from House Commerce Committee (HCC) Democrats asks for, among other things, all documents "relating to the Kaptoxa malware, or to point-of-sale system security or any other information security systems implicated in this breach".

1/22. On January 22, 2014, Neiman Marcus, a posh department store chain, announced in a release that "some of our customers' payment cards were used fraudulently after making purchases at our stores".

It elaborated that "While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively attempted to collect or "scrape" payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware. To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently."

It added that "Customers that shopped online do not appear to have been impacted" and "PINs were never at risk because we do not use PIN pads in our stores".

Neiman Marcus placed a notice at the top of its web site's entry page.

1/25. On January 25, 2014, Michaels Stores, an arts and crafts retailer, announced in a release that "We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack." Michaels Stores placed a notice at the top of its web site's entry page.

1/27. For early and technical reporting of data breaches, see Krebs on Security. See for example, December 18, 2013 story titled "Target Investigating Data Breach", January 15 story titled "A First Look at the Target Intrusion, Malware", January 16 story titled "A Closer Look at the Target Malware, Part II", and January 25 story titled "Card Breaches at Michaels Stores".

Tech Law Journal publishes a free access web site and a subscription e-mail alert. The basic rate for a subscription to the TLJ Daily E-Mail Alert is $250 per year for a single recipient. There are discounts for subscribers with multiple recipients.

Free one month trial subscriptions are available. Also, free subscriptions are available for federal elected officials, and employees of the Congress, courts, and executive branch. The TLJ web site is free access. However, copies of the TLJ Daily E-Mail Alert are not published in the web site until two months after writing.

For information about subscriptions, see subscription information page.

Tech Law Journal now accepts credit card payments. See, TLJ credit card payments page.

TLJ is published by David Carney
Contact: 202-364-8882.
carney at techlawjournal dot com
3034 Newark St. NW, Washington DC, 20008.

Privacy Policy
Notices & Disclaimers
Copyright 1998-2014 David Carney. All rights reserved.

The House will meet on January 27-29. See, 2014 House calendar. On Monday, the House will meet at 12:00 NOON for morning hour, and at 2:00 PM for legislative business. The House will consider several non-technology related items. Votes will be postponed until 6:30 PM. See, Rep. Cantor's schedule.

The Senate will meet at 2:00 PM.

The House will meet at 10:00 AM for morning hour, and at 12:00 NOON for legislative business. The House will consider non-technology related items. See, Rep. Cantor's schedule.

8:30 AM - 5:00 PM. The Internet Education Foundation (IEF) will host its annual State of the Net Conference. See, conference web site. Location: Newseum.

Day one of a three day event titled "2014 Cyberseucurity Innovation Forum". See, notice. Location: Baltimore Convention Center, 1 West Pratt, Baltimore, MD.

9:00 - 10:30 AM. The Information Technology & Innovation Foundation (ITIF) will host a panel discussion titled "Enhancing University-Industry R&D Partnerships". The speakers will be Joe Allen, Jane Muir (Association of University Technology Managers), Diane Palmintera (Innovation Associates) Karen Zaderej (AxoGen), Pearl Huang (GlaxoSmithKline), and Lisa Kuuttila (University of New Mexico). Free. Open to the public. See, notice. Location: Room 122, Cannon Building, Capitol Hill.

9:00 AM - 2:00 PM. The Brookings Institute will host an event titled "The 20th Anniversary of NAFTA and the Future of Free Trade". The speakers will include Robert Zoellick (USTR during second Bush administration), Carla Hills (USTR during first Bush adminstration), Mickey Kantor (USTR during Clinton adminstration), and John Weekes (Chief Negotiator, Canada). See, notice. Location: Ronald Reagan Building, 1300 Pennsylvania Ave., NW.

10:00 AM. The Senate Foreign Relations Committee (SFRC) will hold a hearing on several nominations, including Sen. Max Baucus (D-MT) to be Ambassador to the People's Republic of China. See, notice. Location: Room 419, Dirksen Building.

10:00 AM. The Senate Energy and Natural Resources Committee will hold a hearing on S 1600, the "Critical Minerals Policy Act of 2013". The witnesses will be David Danielson (Assistant Secretary, Department of Energy), Larry Meinert (USGS's Mineral Resources Program Coordinator), Robert Latiff (George Mason University), Jim Sims (Molycorp, Inc.), David Isaacs (Semiconductor Industry Association), Bob Swenson (Alaska Department of Natural Resources), Jennifer Thomas (Alliance of Automobile Manufacturers), and Roderick Eggert (Colorado School of Mines). Webcast. See, notice. Location: Room 366, Dirksen Building.

10:00 AM. The Senate Judiciary Committee (SJC) will hold a hearing on six nominees for the U.S. District Court (DAriz). See, notice. Location: Room 226, Dirksen Building.

10:00 AM - 12:00 NOON. The Senate Banking Committee will hold a hearing titled "Oversight and Reauthorization of the Export-Import Bank of the U.S.". See, notice. Location: Room 538, Dirksen Building.

12:15 - 1:45 PM. The New America Foundation (NAF) will host a discussion of the book [Amazon] titled "The Loudest Voice in the Room: How the Brilliant, Bombastic Roger Ailes Built Fox News -- and Divided a Country". The speakers will be Gabriel Sherman (the author), Amy Mitchell (Pew Research Center), and Franklin Foer (New Republic). Webcast. Free. Open to the public. See, notice. Location: NAF, Suite 400, 1899 L St., NW.

2:00 PM. The House Judiciary Committee's Subcommittee on Courts, Intellectual Property, and the Internet will hold a hearing titled "The Scope of Fair Use". See, notice. Location: Room 2141, Rayburn Building.

6:00 - 9:15 PM. The DC Bar Association will host a presentation titled "Introduction to Export Controls". The speakers will be Carol Kalinoski and Thomas Scott (Ladner & Associates). The price to attend ranges from $89 to $129. CLE credits. For more information, call 202-626-3488. The DC Bar has a history of barring reporters from its events. See, notice. Location: DC Bar Conference Center, 1101 K St., NW.

9:00 PM. President Obama will give a speech titled "State of the Union". Webcast. Location: House of Representatives.

Deadline to submit comments to the U.S. Patent and Trademark Office (USPTO) in response to its notice in the Federal Register (FR) that proposes to amend its rules to implement Title I of the "Patent Law Treaties Implementation Act of 2012", regarding industrial designs. See, FR, Vol. 78, No. 230, November 29, 2013, at Pages 71869-71902. See also, stories titled "Senate Judiciary Committee Approves Patent Law Treaties Implementation Act" in TLJ Daily E-Mail Alert No. 2,452, September 20, 2012. and "Obama Signs Patent Law Treaties Implementation Act" in TLJ Daily E-Mail Alert No. 2,494, December 19, 2012.

The House will meet at 9:00 AM for legislative business. The House will consider non-technology related items. See, Rep. Cantor's schedule.

Day one of a three day event titled "House Republican Issues Conference".

Day two of a three day event titled "2014 Cyberseucurity Innovation Forum". See, notice. Location: Baltimore Convention Center, 1 West Pratt, Baltimore, MD.

10:00 AM. The Senate Judiciary Committee (SJC) will hold a hearing titled "Oversight of the Department of Justice". The witness will be Attorney General Eric Holder. See, notice. Location: Room 226, Dirksen Building.

10:00 AM. The Senate Intelligence Committee (SIC) will hold a hearing titled "Current and Projected National Security Threats Against the United States". Open to the public. See, notice. Location: Room 106, Hart Building.

1:00 - 2:30 PM. The American Bar Association (ABA) will host a webcast panel discussion titled "Surviving a Hart-Scott-Rodino Act Second Request". The speakers will be Ian Conner (Kirkland & Ellis), Karen Kazmerzak (Sidley Austin), Jennifer Schwab (FTC, Bureau of Competition, Mergers IV Section), and Kevin Yingling (Google). Prices vary. CLE credits. See, notice.

The House will not meet. See, Rep. Cantor's schedule.

Day two of a three day event titled "House Republican Issues Conference".

Day three of a three day event titled "2014 Cyberseucurity Innovation Forum". See, notice. Location: Baltimore Convention Center, 1 West Pratt, Baltimore, MD.

9:00 AM - 3:00 PM. The U.S. China Economic and Security Review Commission (USCESRC) will hold a hearing titled "China’s Military Modernization and its Implications for the United States". Free. Open to the public. See, notice. Location: Room 608, Dirksen Building.

10:00 AM. The Senate Finance Committee (SFC) will hold a hearing on the nomination of Karen Dynan to be Assistant Secretary of the Treasury for Economic Policy. See, notice. Location: Room 215, Dirksen Building.

10:00 AM. The Senate Judiciary Committee (SJC) will hold an executive business meeting. The agenda includes several non-technology related bills. See, notice. Location: Room 226, Dirksen Building.

11:00 AM - 12:00 NOON. The Heritage Foundation (HF) will host an event titled "The Devil Inside the Beltway: The Shocking Exposé of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine and Small Business". The speaker will be Michael Dougherty, author of a book with the same title. Free. Open to the public. Webcast. See, notice. Location: HF, 214 Massachusetts Ave., NE.

2:00 - 4:00 PM. The Department of Homeland Security's (DHS) Data Privacy and Integrity Advisory Committee will hold an on site and webcast meeting. Open to the public. See, notice in the Federal Register, Vol. 78, No. 240, December 13, 2013, at Pages 75930-75931. Location: __.

2:30 PM. The Senate Intelligence Committee (SIC) will hold a closed hearing on undisclosed matters. See, notice. Location: Room 219, Hart Building.

3:00 - 5:00 PM. The National Economists Club (NEC) and the Embassy of Japan will host an event titled "The Relative Significance of EPAs in Asia-Pacific". The speaker will be Kenichi Kawasaki (National Graduate Institute for Policy Studies). He will address quantitative estimates of the economic impacts of tariff removals and reductions of non-tariff measures for the U.S., Japan, People's Republic of China, and other countries. He will address the Trans Pacific Partnership (TPP) and Regional Comprehensive Economic Partnership (RCEP) negotiations. Free. Open to the public. Registration by January 29 required. A reception will follow the program. See, notice. Location: Japanese Information and Cultural Center, Suite 100, 1150 18th St., NW.

Deadline to submit to the U.S. International Trade Commission (USITC) pre-hearing briefs and statements in advance of its February 13, 2014 hearing regarding preparation of a report for Congressional committees regarding India's industrial policies that create barriers to U.S. imports and investment. See, notice in the Federal Register, Vol. 78, No. 172, September 5, 2013, at Pages 54677-54678. This proceeding is Investigation No. 332-543.

The House will not meet. See, Rep. Cantor's schedule.

Day three of a three day event titled "House Republican Issues Conference".

Deadline to submit comments to the U.S. Patent and Trademark Office (USPTO) in response to its notice in the Federal Register (FR) requesting comments on how to study the diversity of patent applicants. Section 29 of the America Invents Act (AIA), which was HR 1249 [LOC | WW] in the 112th Congress, requires the USPTO to "establish methods for studying the diversity of patent applicants, including those applicants who are minorities, women, or veterans". The USPTO previously published a methodology. This notice asks for comments on further questions. See, FR, Vol. 78, No. 231, December 2, 2013, at Pages 72064-72065.

The House will meet the week of February 3-7. See, 2014 House calendar.

Deadline to submit initial comments to the Federal Communications Commission (FCC) in response to its Notice of Proposed Rulemaking (NPRM) regarding regulation of wireless tower siting. The FCC adopted and released this NPRM on September 26, 2013. This NPRM is FCC 13-122 in WT Docket Nos. 13-238 and 13-32, and WC Docket No. 11-59. See, notice in the Federal Register, Vol. 78, No. 234, December 5, 2013, at Pages 73144-73169.

Deadline to submit reply comments to the Federal Communications Commission (FCC) in response its Public Notice (DA 13-2415 in WC Docket No. 13-306) requesting comments regarding the Public Knowledge's (PK) December 11, 2013 Petition for Declaratory Ruling that under 47 U.S.C. § 222 (1) non-aggregate call records that have been purged of personal identifiers but that leave customers’ individual characteristics intact are protected as individually identifiable customer proprietary network information (CPNI), and (2) telecommunications providers, are prohibited from selling or sharing such records with third parties without customers’ consent. See, story titled "PK Asks FCC to Stop AT&T and Other Telcos from Selling Anonymized Call Record Data" in TLJ Daily E-Mail Alert No. 2,622, December 18, 2013.

Effective date of the Department of Energy's (DOE) Federal Energy Regulatory Commission's (FERC) final rule titled "Version 5 Critical Infrastructure Protection Reliability Standards", which pertains to cyber security of the bulk electric system. See, notice in the Federal Register , Vol. 78, No. 232, December 3, 2013, at pages Pages 72755-72787.

9:30 AM - 3:00 PM. The Department of Health and Human Services' (DHHS) Office of the National Coordinator for Health Information Technology's (ONC/HIT) HIT Policy Committee will meet. See, DHHS notice and notice in the Federal Register, Vol. 78, No. 243, December 18, 2013, at Page 76627. Location: __.

10:15 AM. The Senate Judiciary Committee (SJC) will hold a hearing titled "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime". The witnesses will be John Mulligan (Target Corporation), Delara Derakhshani (Consumers Union), Edith Ramirez (FTC Chairman), William Noonan (U.S. Secret Service), and Mythili Raman (acting AAG for the DOJ's Criminal Division). Webcast. See, notice. Location: Room 226, Dirksen Building.