As lawmakers explore options following last week's congressional appearances by Facebook CEO Mark Zuckerberg, key senators say the upcoming actions of social media companies will determine the course of any new legislation, including a bill that would require “online companies” to report a “data breach” within 72 hours.
“That all depends on Facebook and other social media platforms,” Sen. John Kennedy (R-LA) told Inside Cybersecurity of chances for a forthcoming bill he plans to introduce with Sen. Amy Klobuchar (D-MN). “The companies know their business better than we do. I’m hoping they will step forward and say, ‘we’re on it, and here’s what we’re planning to do to enhance privacy protection.’ If that doesn’t happen, I think you’ll see an effort in Congress to do it for them.”
Language for the Kennedy-Klobuchar bill, which Kennedy said they’re “still working on,” is eagerly awaited since it could have implications across industries as policymakers grapple with how to define a “data breach” -- and as data-breach notification legislation in the House has snagged due to disagreements among different industry sectors over how to handle third parties and other issues.
Sens. Patrick Leahy (D-VT) and Ron Wyden (D-OR) said Democrats are mulling possible legislation following last week's hearings in House and Senate committees and are hoping to discuss options this week.
But Sen. Dianne Feinstein of California, the top Democrat on the Judiciary Committee, cautioned that while the hearings provided "a lot of food for thought," there probably would not be a legislative push "right away."
"It's not easy for us to begin regulating" in this area, Feinstein told Inside Cybersecurity. "It will be interesting to see what changes Mr. Zuckerberg makes over the next month." She said that could indicate where the policy needs are that lawmakers could try to address.
“All of these incidents add up to the fact that there is value in having a streamlined approach to what data breach is and what it means,” said Norma Krayem, senior policy advisor and co-chair of the cybersecurity and privacy team for Holland and Knight. “We've spent many a year trying to get legislation done. We need to take the time to have a thoughtful approach as to what the legislation should include, and we should do it now."
Facebook has disputed the characterization of consulting firm Cambridge Analytica’s acquisition of more than 80 million Facebook users’ data -- which may have been used by Russia and its allies to interfere in the 2016 presidential election -- as a data breach.
The company has said “no systems were infiltrated” and that psychology professor Aleksandr Kogan “gained access to the information in a legitimate way” by getting users to sign up for an app he had deployed, but then broke Facebook's platform rules by passing that data to Cambridge Analytica.
But Kennedy disagrees.
"I consider it a breach,” Kennedy said. “Because it was authorized, in the sense that the professor was allowed to deploy an app which gathered data, but then, I understand the professor transferred that data to a third party, and that was in violation of the rules, and my guess is there's other Cambridge Analytica type situations out there, and I noticed Mr. Zuckerberg, in our hearing, didn't say how many apps had been audited.”
In 2011, Facebook reached an agreement with the Federal Trade Commission that required it to audit apps with access to user data to ensure appropriate privacy protections.
During the Senate hearing where Zuckerberg testified before members of the Judiciary and Commerce committees, Sen. Richard Blumenthal (D-CT) pointed to the terms of service that Kogan’s app submitted to Facebook, which explicitly stated that users’ data could be sold.
Zuckerberg responded that he had not seen the terms of service and that “it certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform.”
Kennedy said if the Cambridge Analytica incident had happened with a law in place such as the one he plans to propose with Klobuchar, Facebook would have had to report it to the FTC within 72 hours.
Reached for comment, Facebook spokesman Andy Stone said Facebook uses the National Institute of Standards and Technology's Cybersecurity Framework. He added that the company would adhere to deadlines soon to be set by the relevant House and Senate committees for responding to requests for regulatory proposals and for answering other questions officially posed by committee members.
A spokesman for Senate Majority Leader Mitch McConnell (R-KY) said GOP leadership would wait to see what the Judiciary and Commerce committees decide to do before engaging on the issue. -- Mariam Baksh and Charlie Mitchell
Editor's note: This article has been adjusted to reflect that the Cambridge Analytica incident is reportedly under investigation for possible ties to Russian attempts to influence the outcome of the 2016 election.