Last week, Congress held four hearings to investigate the Equifax data breach, which jeopardized the highly sensitive data of 145 million Americans. The exposed consumer information includes social security numbers, prior addresses, student loans, credit card numbers, and other pieces of private data compiled into credit reports that determine if a consumer qualifies for employment, loans, or new lines of credit. For days, members of Congress questioned former Equifax CEO Richard Smith as to how the breach could have occurred and what steps the company was taking to protect consumers. Mr. Smith resigned in September after the extent of the breach was fully disclosed. During the hearings, he offered little in terms of solutions on how to protect consumers going forward, but his answers revealed significant problems with our current data security regime that Congress must address.
This past week, Congress demanded answers from former Equifax CEO Richard Smith about what, exactly, went so terribly wrong in his company’s handling of its massive data breach this summer, and asked how to keep something like this from happening again. Over the course of four hearings in both the Senate and the House, it became clear that the list of "wrongs" is lengthy. But one of the most damning revelations concerned the company’s attempts to mitigate harm after the breach. To be clear, we’re not talking about mitigating consumer harm - we’re talking about Equifax protecting itself from accountability through the use of forced arbitration.
An appeal playing out in the 9th Circuit Court of Appeals over mobile phone labeling exposes a phenomenon of great import to the future of technology: corporate use of the First Amendment to ax regulation. The stakes are seemingly rather small in the case of CTIA v. City of Berkeley. It involves a humble municipal ordinance requiring cell phone retailers to disclose the same information about permissible levels of radiofrequency (RF) radiation that the Federal Communications Commission already requires mobile phone manufacturers to reveal in their manuals.
One of the top issues we tackled in 2015 was reforming Section 1201 of the Digital Millennium Copyright Act (DMCA). To recap, Section 1201 makes it illegal to break digital locks in order to access copyrighted works (like the movie on a DVD or software in a device), even for legitimate purposes. Every three years, public interest groups spend time and money petitioning the Copyright Office to exempt certain uses and technologies from this law. The Library of Congress released the most recent decisions for this triennial process in October 2015. One example we have yet to touch on, and one that affects many people, is vehicle use. You may not have thought about how copyright law regulates your car. However, cars are increasingly powered as much by software as they are by motors.
Recently, investigative journalists at the Intercept revealed that Securus, a nationwide provider of phone and video services to jails and prisons, suffered a massive security breach when someone obtained, and then leaked, records of more than 70 million phone calls by prisoners across the country, along with links to downloadable recordings of those calls. Among these calls were records of “at least 14,000 recorded conversations between inmates and attorneys.” In fact, the Intercept claims that Securus has amassed a huge database of federally protected consumer proprietary network information (CPNI, or “metadata” containing the number you call, at what time and for how long) and has been storing this data for years. The Intercept also reports that Securus may be selling access to this data to law enforcement investigators.