Privacy
With More States Passing Privacy Legislation, Pressure for Federal Preemption Law Grows
Emerging state-level privacy bills have common threads with existing ones in California, Colorado and Virginia.
WASHINGTON, March 30, 2022 – As the federal government has yet to set comprehensive privacy legislation, states going their own way are finding some success following the California, Colorado, and Virginia consumer protection models.
Despite repeated calls from experts to address concerns surrounding consumer protection laws related to privacy, Congress has still not passed any legislation that would set a single federal standard that Big Tech companies would have to adhere to.
Laura Ripso Vandruff, a partner with Kelley Drye – a law firm that handles consumer class action defenses, real estate, and manufacturing law – said during an event hosted by her firm on Thursday that emerging state-level privacy bills have common threads with existing ones. The longer the federal government delays addressing privacy legislation, the greater the burden of compliance will be for companies.
California, Colorado, and Virginia have successfully implemented their own laws, Utah’s legislature has sent a bill to Republican Gov. Spencer Cox to sign into law, and Oklahoma’s congressional House voted overwhelmingly in favor of a privacy law that will now pass to the Senate.
Florida, Massachusetts, New York, and Connecticut are some of the states that are also working on bills to address consumer privacy, though they have not gained as much momentum.
“The bills that are being introduced and that have some traction are not necessarily copycat bills, but they have many common elements [with California, Colorado, and Virginia’s laws],” Kelley Drye partner Laura Ripso Vandruff said. “Things like opt-in for processing of sensitive data, opt-out for targeted advertising, [and] sales profiling. So, new consumer rights for access, affordability, deletion, correction, exclusion, categories of data or even categories of entities,” Ripso Vandruff said. She also pointed to private right of action, meaning that private citizens could seek punitive damages to compensate them against companies that violated their privacy rights.
Paul Singer, also a partner with Kelley Drye, noted that the bills that attempt more original strategies experience less success when it comes time to vote on them. “I think we are seeing that the bills that take some of these more unique approaches are the ones that tend to be kind of stalling out, whereas the ones that are following some of the similar trends that we saw in Virginia and Utah are the ones that seem to be moving.”
Patchwork of privacy legislation will be challenge
But Singer said the longer the federal government delays addressing privacy legislation, the greater the burden of compliance will be for companies.
“As more state laws pass, [the more you are] dealing with a patchwork [of laws],” Singer said. “Trying to figure out compliance among these laws is going to get increasingly challenging as you go from four laws, to 14, to 40.”
Status of state legislation in progress
The New York Privacy Act, which would impose a distinctive duty of loyalty and care on companies collecting consumer data and call for regular data protection assessments, at least annually, is stuck in committee. Though there is still time, as New York’s legislative session does not adjourn until June, the bill has made little progress; it failed to pass in the 2021 legislative session and was reintroduced in January of 2022.
Tennessee’s legislative session ended before it could pass its bill, which featured a unique “safe harbor” clause for entities in compliance with the NIST Privacy Framework. This would protect entities that reasonably comply with the NIST framework, but this clause has specifically faced push-back from entities such as Commonsense Media, who have argued that the framework should not be viewed as an alternative to the privacy bill, as it does not provide enough guidance to companies on how to responsibly handle consumer data.
Florida’s House Bill 9 is not advancing at this time, though it did pass in the House on March 2. This delay is likely in part due to its broad private right of action rules that would give citizens wide-ranging opportunities to pursue damages – as opposed to California’s narrowly defined private right of action which only would allow its citizens to seek damages in the event of data breaches. Florida’s private right of action would allow consumers to file suit against companies for a few reasons, including not deleting consumers’ data upon request, sharing or selling consumers’ data after a consumer has opted out, or sharing or selling the data of a consumer who is less than 16 years old, without consent.
Though some bills have met resistance, Singer added that consumers should not be too discouraged by partisan politics. “Do not assume that privacy is a partisan issue,” he said, pointing to Utah’s bill as an example of bipartisan success. “The reality is, is that privacy and the issues underlying is both a very Republican and a very Democratic issue, but maybe for different reasons.”
Singer explained that Republicans are often more concerned about how mass data collection can be used to manipulate consumers, whereas Democrats are often specifically concerned about the potential damage mass data collection can have on young people.
“Ultimately, they are getting at some of the same underlying issues with two different objectives, perhaps that have a lot of overlap, and it is going to continue to be that way.”
Robocall
FCC Directs ‘Robocall Facilitators’ to Remove Illegal Traffic or Face Call Block
The three letters are the latest in the FCC’s ongoing crackdown on illegal call traffic.
WASHINGTON, March 23, 2022 – The Federal Communications Commission sent letters to three voice service providers Tuesday to quit allowing illegal robocall traffic on their networks within 48 hours or have their traffic blocked – raising the total number of such letters sent to more than a dozen since last year.
The letters sent to thinQ Technologies, Airespring, and Hello Hello Miami demand the companies investigate the illegal traffic their call clients are pushing on their networks and notify the agency of the steps taken to deal with it within 14 days of the date of the letters.
The FCC said it discovered the traffic during investigations with the Traceback Consortium, which yielded more than a dozen cease and desist letters being mailed out. The agency said in a Tuesday press release that the other letter recipients have so far told the agency they are taking steps to stop the flow of such traffic.
In the case of thinQ, the FCC said the North Carolina Department of Justice flagged the company as a source of illegal robocall traffic. The agency has previously noted that it has been working with state attorneys general to combat the robocall issue.
The agency has made tackling the robocall issue central to its mandate. Last June, large voice service providers were required to put into place measures to block the illegal robot calls, which can often result in Americans being scammed. The regulator’s measures are part of the regime known as the Secure Telephone Identity Revisited and Signature-based Handling of Asserted Information Using Tokens (STIR/SHAKEN), which requires providers to validate calls.
Last month, the agency proposed fining telemarketing company Interstate Brokers of America $45 million for violations of its robocall rules.
Late last year, the commission ruled that small voice service providers that don’t own their own networks must comply with the new stringent robocall rules by June 2022 instead of June 2023, citing the higher volume of illegal traffic coming from them.
Cybersecurity
Cyber Notification Bill Critical, But Won’t Stop Bad Actors Entirely, Says Senator
Congress recently passed legislation including a requirement for critical infrastructure entities to notify government on cyber attacks.
WASHINGTON, March 15, 2022 – Mandatory cyber attack reporting is critical to keeping up cyber defenses against potential Russian attacks, a U.S. senator said, following the passing by Congress of legislation that would require certain companies to report such attacks within 72 hours.
But Senator Mark Warner, D-Virginia, and a former State Department cyber expert, said the bill will not stop bad actors entirely.
“We probably cannot be 100 percent effective on keeping the bad guys out,” Warner said Monday during a Center for Strategic and International Studies event discussing the Russian invasion of Ukraine. “We shouldn’t aim for 100 percent perfection on defense, but what we should aim for is this information sharing, so that we could then share with the private sector.”
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, part of a larger budget bill, requires certain critical infrastructure owners and operators, including in the communications, energy and healthcare sectors, to notify the Cybersecurity and Infrastructure Security Agency of cybersecurity attack incidents in certain circumstances. It was passed by both chambers and President Joe Biden is expected to sign the bill into law soon.
The bill’s passing comes after a year of high-profile cyber attacks that targeted software companies, a meat producer and an oil transport firm. Following those attacks, lawmakers and cyber officials urged Congress to push the bill forward. Late last year, Secretary of State Antony Blinken announced the department intends to create a new cyber bureau to help tackle the growing challenge of cyber warfare.
It also comes as Russia continues its war in Ukraine, which some have suspected will ramp up global cyber attacks.
‘Shields up’
Chris Painter, president of the Global Forum on Cyber Expertise Foundation and former coordinator for cyber issues at the State Department, agreed with Warner on Monday, saying that he thinks “that we will see that [cybersecurity attack capability] is being held in reserve, so I think shields up is really the right approach for the U.S.
“With a dedicated adversary like Russia,” Painter said, “you could be very good at defense, [but] they’re still going to get in.”
Warner, who said the notification requirement is a “giant step forward,” said the bill doesn’t “want to hold the company accountable, [but] we do want to go after malware actors.” He added this is about being resilient in the face of incoming attacks.
But in a January congressional hearing about cybersecurity, Ross Nodurft of the Alliance for Digital Innovation warned Congress against an “overly prescriptive definition of a [cybersecurity] incident” to avoid running the risk of “receiving so many notifications that the incidents which are truly severe are missed or effectively drowned out due to the frequency of reporting.”
Cybersecurity
Justin Reilly: Rising Ransomware Threats on Schools Require Better Approach to Cybersecurity
Ransomware attacks are a costly lesson for educators.
Since the advent of the pandemic, education has been in a state of vulnerable flux. The rapid embrace of technology, sparked by the need to introduce remote learning, has given many educators whiplash. They need time to normalize, but recent trends threaten their ability to do so.
Against the backdrop of technological chaos, opportunistic hackers have been targeting schools with heightened fervor, causing harmful delays and disruptions on both a systemic and financial level. It’s time for schools to start getting proactive about cybersecurity, or they risk paying a hefty tuition to learn why they should have acted sooner.
Education technology use is surging across the nation. A recent study showed ed-tech up 52 percent over pre-pandemic levels, with U.S. school districts using nearly 1,500 different digital tools on average each month. While these digital tools possess the power to ultimately streamline and transform classroom management for the better, teachers are still feeling overwhelmed by the number of technology solutions they’re being asked to implement.
This issue is being exacerbated by many tech-resistant districts and teachers being forced to catch up all at once. When the pandemic hit, using devices and technology in the classroom was no longer an option – learning quickly needed to be online and accessible. By now, the dam has fully broken on tech adoption and we’re only likely to see these trends accelerate. Of course, as other sectors have seen firsthand over the last two years, these unchecked developments often cast unsavory shadows.
An appealing target for hackers
School districts were already an appealing target for hackers ahead of the pandemic, but the rapid adoption of technology – often outstripping security measures equal to these digital strides – has effectively chummed the waters for malicious elements looking for a “soft” target.
Cyberattacks against school districts went up by 18 percent in 2020, the height of the pandemic. The trend has continued since and isn’t expected to slow down in 2022. Among attacks against school districts, ransomware – an attack that locks users out of files on their own systems and then demands ransom money to return their rightful access – is by far the most common variety.
Just a few weeks into 2022, there were already multiple major headlines involving ransomware targeting school districts. The biggest story was the hacking of education website service provider FinalSite, which shut down the websites of 5,000 schools and colleges. Another story involved the cancellation of classes for 75,000 students after the Albuquerque Public Schools district fell victim to a ransomware attack it had been fending off for several weeks.
Yet another case, also in New Mexico, affected the town of Truth & Consequences. The town suffered a cyberattack just after Christmas and, as of mid-January, had still not regained control of its computer systems.
There’s no time left for district leaders to drag their feet on cybersecurity. It can be tough, especially given budget challenges, but the gap between digital advancement and lacking cybersecurity presents too great of a risk for schools.
Make cybersecurity a priority in hiring
So what can school districts do to prepare? The first step is to make cybersecurity a proper priority – and that includes budgeting and hiring. Many schools still don’t have dedicated cybersecurity officers, instead relying on – in many cases at best – a CIO who happens to be tech-savvy.
This is starting to turn around in light of recent events, with more and more schools hiring chief cybersecurity officers and point-persons. Keeping up with this trend will be critical for setting a strong foundation.
Budgeting will always be a challenge, of course, seeing as many school districts still don’t have any budget at all dedicated to cybersecurity. This needs to change, but some schools have started getting creative on this front in the meantime. One possibility is to fold cybersecurity efforts into operating budgets. Another timely approach is to capitalize on new and improved “cyber grants” being offered by federal and local governments to meet this increasing need.
The most important thing is simply not to be ad hoc about cybersecurity. School districts can proactively gather data to find out where their needs are, what the wants are from teachers, and how they can properly address them. It’s far better to start gathering this data early rather than wait until it’s too late.
Consider this: schools can either make the investment now or pay much more a short way down the road. Should a school or district become the victim of ransomware, they’ll have to pay both to resolve the immediate crisis and for cybersecurity upgrades, all of which will have been unbudgeted and leave them reeling long after the attack. The norms of education are changing, and priorities need to change with them.
Justin Reilly is the CEO of Impero Software, which offers a virtual private network solution for schools and also serves more than half of the Fortune 100. This Expert Opinion is exclusive to Broadband Breakfast.
Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to commentary@breakfast.media. The views reflected in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.