December 18, 2018

Data, Privacy & Security Practice Report – December 18, 2018

Cybersecurity And Data Privacy Oversight In The 116th Congress—This past year, in the wake of multiple consumer data breaches and growing concerns regarding national security-related cyber threats, there has been a significant increase in congressional oversight activity directed toward federal government agencies and private sector industries.   When the 116th Congress convenes in January, the primary House and Senate committees of jurisdiction are expected to maintain a strong focus on these issues from both investigative and legislative standpoints. 

In the Democratic-controlled House of Representatives, key oversight committee leaders, including Judiciary Committee Ranking Member Jerrold Nadler (D-NY), Oversight and Government Reform (“OGR”) Committee Ranking Member Elijah Cummings (D-MD) and Energy & Commerce (“E&C”) Committee Ranking Member Frank Pallone (D-NJ) have made it clear that they plan to focus their investigative and oversight efforts first and foremost on President Trump’s Administration.  In a post-election media interview, Rep. Cummings stated: “The waste, fraud, and abuse is plain to see, and the most important thing for the Oversight Committee to do is to use its authority to obtain documents and witnesses, and actually hold the Trump administration accountable to the American people.”  In addition to enjoying broad jurisdiction and significant investigative resources, these committee leaders will have subpoena authority to compel the production of documents and witness testimony. 

On November 15, in a letter to Acting Attorney General Matthew Whitaker, FBI Director Christopher Wray and DHS Secretary Kirstjen Nielsen, incoming House Judiciary Committee Chairman Nadler announced his intention to “examine existing vulnerabilities in our election infrastructure, the threats posed to that infrastructure by foreign actors, and any systemic impediments to our voting rights,” and requested that the FBI and DHS provide responses to “unanswered” written requests from Committee Members.  Incoming OGR Committee Chairman Cummings has also publicly stated his intention to pursue multiple federal agency inquiries next year and published a list of 64 subpoena motions denied by the Committee during the last Congress. While Democratic oversight committee chairs will certainly target federal agencies’ cybersecurity infrastructure and data privacy protection initiatives, private sector actors could also be the subject of additional investigative inquiries. In response to media reports regarding Facebook’s December 14 announcement of a bug that allowed access to private photos, incoming House Energy and Commerce Committee Chairman Pallone tweeted: “How many more times is Facebook going to compromise its users’ privacy?  I’ll be taking a closer look at this failure, along with the many other issues, in the next Congress.” 

On the Senate side, oversight committees of jurisdiction, including the Committees on Commerce, Finance, and the Judiciary, are also likely to remain active in scrutinizing both federal government agencies and private sector actors on cybersecurity and data privacy issues.  Most recently, in response to Marriott’s November 30 cybersecurity incident announcement, Senate Commerce, Science, and Transportation Committee leaders sent a letter to CEO Arne Sorenson requesting detailed information regarding the incident, and at a recent hearing on Federal Trade Commission (“FTC”) oversight, Subcommittee leaders questioned FTC Commissioners on the status of investigations regarding certain companies’ data privacy and security practices.  Incoming Senate Finance Committee Chairman Charles Grassley (R-IA) is well-known for his in-depth and aggressive oversight of federal agencies, particularly with respect to the Food and Drug Administration (“FDA”), and he has also been very active on legislative and regulatory policy issues concerning foreign cybersecurity threats and intellectual property espionage. Recently, he wrote to FDA Commissioner Scott Gottlieb requesting information on FDA’s efforts to address medical device cybersecurity threats and highlighting concerns raised in a November 1 HHS Office of Inspector General report that found: “FDA’s efforts to address medical device cybersecurity vulnerabilities were susceptible to inefficiencies, unintentional delays, and potentially insufficient analysis.” Sen. Lindsey Graham (R-SC), who will be replacing Grassley as Chairman of the Judiciary Committee, has been an outspoken advocate for legislation to address cyber threats to U.S. infrastructure and recently stated that he would push for “aggressive oversight of the Department of Justice and FBI” as Chairman. 

While these committee leaders will no doubt be faced with competing investigative and legislative priorities in January, recent developments would indicate that cybersecurity and data privacy will feature prominently on committees’ oversight agendas. 

Reporter, William Clarkson, Washington, D.C., +1 202 626 8997,

43 Attorneys General Urge Creation Of Database To Combat Synthetic Identity Theft—In a December 10 letter from the National Association of Attorneys General (“NAAG”) to Social Security Administration (“SSA”) Acting Commissioner Nancy Berryhill, the Attorneys General of 43 states urged the SSA to “evaluate and make necessary modifications to [its] database” to combat “synthetic identity theft.”  The NAAG cites the 2015 Data Breach Fraud Impact Report, which estimates $4 to $8 billion in losses from synthetic identity theft between 2014 and 2018, and advises the SSA to prioritize updating its database in light of the passage of the Economic Growth, Regulatory Relief, and Consumer Protection Act (May 24, 2018, Pub. L. 115-174) (“the Act”).

The NAAG letter describes synthetic identity theft as occurring when “identity thieves use real Social Security numbers along with fictitious names and birthdates to manufacture new identities.”  According to the letter, this type of identity theft primarily affects those with newly-issued Social Security numbers, such as minors and immigrants, and could put them at a disadvantage upon entry to financial markets if the identity theft is not rectified.

Section 215 of the Act directs the “Social Security Administration to develop a database to facilitate the verification of a consumer’s information when requested by a certified financial institution.”  The section further stipulates that the verification “shall be provided only with the consumer’s consent and in connection with a credit transaction.”  Currently, no system is in place for real-time identity confirmation in which a financial institution may compare a Social Security number to a true identity.  Accordingly, the NAAG recommends the SSA expeditiously create “verification systems to accept electronic signatures or other verified methods so that financial institutions and others can quickly verify identity, or flag identity theft in real-time.”

Reporter, Julie C. Crawford, Washington D.C., +1 202 661 7814,  

International News

European Union To Push Ahead With Cross-Border Evidence Law—In a move which has drawn fire from industry and civil-liberties groups, the European Union (“EU”) is moving forward with a bill to enable law enforcement authorities to access digital evidence held by private companies in other member states or outside the EU. On December 7, 2018, the bloc’s governing body, the European Council, voted to open negotiations with the European Parliament on the form and content of the final legislative package. A vote is expected by mid-2019, before the next round of European parliamentary elections.

One consequence of the widespread use of modern communications platforms is that a vast amount of personal data, including instant messaging and webmail, is now stored on computer systems owned by software companies and network service providers. When a crime is committed, the evidence stored on such computer systems often plays a critical role in subsequent investigations and prosecutions.

At present, law enforcement’s ability to access data from service providers is substantially limited by the degree to which private companies are willing to cooperate. The introduction of so-called “e-evidence” legislation seeks to turn the tables by creating two new trans-national legal instruments, the European Production Order Certificate (“EPOC”) and the European Preservation Order Certificate (“EPOC-PR”). It is intended that EPOC and EPOC-PR will be direct and mandatory judicial orders issued by law enforcement organisations in EU member states. Crucially, they would compel service providers to disclose data on criminal suspects irrespective of the storage location of the data they request.

The categories of data that may be sought under the EPOC framework are broad. They include the identity of a subscriber or customer (name, date of birth, address, billing or payment data, telephone or email), data related to the commencement and termination of a user access session (date and time of use, log-in to and log-off from the service, IP address), data related to the use of devices and online services (destination and source of messages, device location), and any other data stored in a digital format (text, voice recordings, videos, images). The draft legislation also aims to impose tight deadlines on EPOC respondents, from a standard period of 10 days to as little as six hours in emergency situations. Continuing in the same vein as the GDPR in terms of heavy penalties, failure to comply with an EPOC order carries penalties of up to 2% of worldwide revenue. Given the size of leading tech firms, potential fines could stretch to hundreds of millions of Euros.

Four member states – France, Spain, Ireland and Belgium – voted in favour of progressing the new legislation and opening a dialogue with the EU Parliament. However, according to media reports, several member states, including Germany, the Netherlands, Finland, Hungary, Latvia, the Czech Republic and Greece, refused to back the proposal. The bill has also received criticism from lobbying groups such as the Computer and Communications Industry Association and BSA | The Software Alliance.

A recent EU study of the legal implications of e-evidence (commissioned by the EU Parliament and conducted by the EU’s Policy Department for Citizens’ Rights and Constitutional Affairs) reached similarly critical conclusions. According to lead researcher Martin Böse of Rheinische Friedrich-Wilhelms-Universität in Bonn: “[T]he added value of the new cooperation regime (quick and effective access to provider data) is mainly based on the abolition of cooperation obstacles and procedures ensuring effective protection of fundamental rights.”

Reporter, Edward Perkins, London, +44 20 7551 2169,