The SEC Gets Hacked: What Now?

It was recently revealed that the Securities and Exchange Commission’s (“SEC”) EDGAR database, which is used by public companies to file official documents, was breached.  According to the SEC, trading off of that hacked information may have reaped millions of dollars for the hackers.  While discovering a hack is always startling for a private company, it is downright embarrassing for a government agency that purports to monitor cybersecurity.  As a result, the hack may have long-term impacts on the SEC’s role as a cybersecurity regulator and any litigation it may bring on this topic.

We have recently blogged about statements made by officials at the SEC concerning its plans to police this area.  The statements have been somewhat inconsistent.  At times, the SEC has indicated that they would be bringing enforcement actions against public companies for failures to make accurate cybersecurity disclosures.  Other times, officials have indicated they would take a more hands-off, company-friendly approach.

How will the SEC respond in the wake of its own data breach?  Currently, there remains a mishmash of rules and regulations governing cybersecurity and data breaches, and a void on who is leading the enforcement charge.  No federal regulator has yet stepped forward to firmly take the reins, although the Federal Communications Commission has filed some litigation, and at least one court has granted the Federal Trade Commission regulatory power to impose liability on companies who fail to implement reasonable security measures.  In light of the current breach, the SEC could be gun shy about taking the lead.  However, in time, we expect that the SEC will use this breach as the impetus for playing a bigger role, i.e., claiming that it understands this area better than any other public agency.   As any target of an SEC investigation can attest, the SEC feels strongly about its cybersecurity mission.

But, and it is a big but, the SEC’s credibility has undoubtedly been undermined by this breach, which may impact the SEC’s ability to pursue defendants going forward.  Targeted defendants may point to the SEC’s own data breach to bolster its defense.  What better guiding point to set the standard of care in this area than the SEC itself.  Usually, one of the most difficult aspects of litigating against a government agency is putting that agency on trial.  However, that problem decreases significantly when the government agency sues someone for the exact same wrong that it itself suffered.  Expect interesting evidentiary and discovery challenges as parties try to attack the SEC with this breach.

A Review of the OMB Guidelines Issued to Federal Agencies for Reporting Requirements to Congress That Redefined What Constitutes a “Major” Cybersecurity Incident

With the growing threat of cyberattacks, we thought it would be worthwhile to discuss a late 2016 change in reporting requirements for federal agencies that have suffered a data breach.  The Office of Management and Budget’s (OMB) Memorandum 17-05, issued November 4, 2016, significantly redefined what constitutes a “major” cybersecurity incident that would require federal agencies to notify Congress under the Federal Information Security Modernization Act of 2014 (FISMA).  Agencies are required to notify appropriate Congressional Committees of a “Major Incident” no later than seven days after the date on which the agency determines that it has a “reasonable basis” to conclude that a “Major Incident” has occurred.

Previously, OMB Memorandum 16-03, issued on October 30, 2015, defined a “Major Incident” as one which:

1) Involves information that is classified or otherwise protected under certain categories; and

2) Is not recoverable or not reasonably recoverable within a specified amount of time or is recoverable only with supplemental resources;

3) Has a high or medium functional impact to the mission of an agency; or

4) Involves exfiltration, modification, deletion or unauthorized access to either:

a) 10,000 or more records or users; or

b) any record of special importance.

The 2015 Guidelines enumerated a number of “factors” which would contribute to the determination of whether a breach would constitute a “Major Incident”.  However, this only led to confusion and uncertainty as to when an incident should properly be classified as “Major.”

In an apparent attempt to reduce the level of uncertainty, the 2016 Guidelines now define a “Major Incident” as:

Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. 

OMB did not provide guidance as to how an agency should determine whether an incident is likely to “result in demonstrable harm.”  However, the new Guidelines encourage agencies to reference the Department of Homeland Security’s United States Computer Emergency Readiness Team’s (DHS US-CERT) National Cybersecurity Incident Scoring System (NCISS), and other U.S. government publications, which use the following factors:

  • Functional Impact;
  • Observed Activity;
  • Location of Observed Activity on the network;
  • Actor Characterization;
  • Information Impact: the type of information lost, compromised, or corrupted;
  • Recoverability;
  • Cross-Sector Dependency; and
  • Potential Impact.

The new Guidelines also provide that an incident will be considered “Major” when there is the “unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals’ PII . . ..”  While there is some uncertainty, the 100,000 threshold is apparently to be considered in conjunction with the “demonstrable harm” analysis, rather than as a stand-alone test, to determine if an incident is “Major.”

There are a few interesting takeaways from the 2016 Guidelines.  First, it is interesting that OMB concluded that it was necessary to revise the 2015 guidelines, as Memorandum 16-03 had been only released a year earlier.  Second, the new Guidelines increased the threshold for affected user records from 10,000 to 100,000.  OMB likely recognized that some breaches could affect thousands of records, and the smaller threshold might have triggered reporting to Congress for incidents that truly were not “Major”.  Finally, in an effort to clarify the standards for a “Major Incident”, the new Guidelines rely on an undefined term – “demonstrable harm” – and a list of factors just like the earlier Guidelines.  That provides some indication that there is no clear and easy way to determine whether a data breach is a “Major”.  Hopefully, these changes will help provide some clarity for federal agencies and their employees in the long run, but we are left to wait and see if that will be the case.

Two Court Rulings Show Coverage Difficulties for “Fake President” Fraud

A few weeks back, the Insurance Recovery report posted a blog about the difficulty obtaining insurance coverage for “fake president” fraud, which is also known as business e-mail compromise, or social engineering fraud.   Two courts have recently reached opposite holdings on this exact topic, which highlight the difficulty policyholders face when they have been victimized by Fake President Fraud.

The policyholder-favorable of those rulings came out of a New York District Court, where the judge found in favor of coverage for this type of fraud under a crime policy issued by Federal Insurance Company.  Medidata Solutions, Inc. v. Federal Ins. Co., Case No. 15-CV-907 (S.D.N.Y. July 21, 2017). Docket No. 32.  The case was typical of fake president fraud.  In 2014, a fraudster imitating the president of Medidata Solutions, Inc. directed an employee in the accounts payable department to wire money overseas for a company acquisition.  The e-mail included the president’s e-mail address and picture, and copied a fake attorney.  The employee performed some degree of due diligence, corresponding with the fake attorney by e-mail and phone before wiring the money.  However, that employee ultimately wired $4.8 million dollars to a fraudulent account.  Fortunately, the company discovered the fraud before a request to wire another $4.8 million was completed.  Medidata sought coverage under its Federal Insurance Company crime policy, but Federal denied the claim.  Medidata filed suit in February 2015.

The scope of coverage under the policy turned on a computer fraud provision in the crime policy that covered losses that occurred as a result of the “fraudulent entry” or changing of data in the policyholder’s computer system.”  The question then arose: was this a fraudulent entry?  Some courts had previously determined that fake president fraud does not result in a fraudulent entry or act because the company employee voluntarily makes those changes (although at the direction of a fraudulent actor).  Here, though, Judge Andrew Carter Jr. disagreed, holding that the entry was indeed fraudulent because the fraudster used a computer code to alter a series of email messages to make them appear as if they originated from the company’s president.   In that regard, Judge Carter followed the decision in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, Pa., which found such entries to be fraudulent because they violated the integrity of the computer system.  To Judge Carter, it seemed implausible that one would ever find coverage under the narrow view other courts have taken because it would require the fraudster to break into the computer system and wire the money.

But then yesterday, a Michigan District Court reached the exact opposite ruling in American Tooling Center Inc. v. Travelers Casualty and Surety Co., Case No. 5:16-cv-12108, 2017 U.S. Dist. LEXIS 120473 (E.D. Mich. Aug. 1, 2017).  There, the fraudster sent e-mails posing as a vendor of the Michigan-based company, asking to forward payments due under a contract between the parties.  The company sent the money, only to discover the money was lost forever.  American Tooling Center sought coverage under its Travelers’ crime policy because it constituted computer fraud, but Travelers denied the claim, arguing that there was not a “direct loss” that was “directly caused by” the use of a computer.

The relevant policy definition defined computer fraud as the use of “any computer” to “fraudulently cause” a “direct loss” by money transfer.  American Tooling and Travelers obviously disagreed about those terms, but the Judge found in favor of Travelers because the term “direct loss” was synonymous with the term immediate, and there were steps in between the fraudulent e-mails and the wiring of money.  In short, the Michigan court would require the exact thing – a fraudster hacking into the computer and sending the money directly – that the New York court found implausible.

What are the major takeaways from these rulings?  First, it is always critical to carefully review the language in insurance policies.  The American Tooling Center court distinguished the ruling in Medidata by contrasting the policy language because the Medidata policy did not include the term “direct loss” in its definition of fraud.  To many people, that would be a minor distinction.  But to the Michigan court it meant the difference between there being coverage or not.  We believe that the Medidata court had the proper holding, that the Michigan court should have followed suit, and that Judge Carter’s belief that a computer fraud coverage requirement that a fraudster perform a transfer for there to be coverage is too draconian. And because rulings on this subject have come down all over the place, policyholders that frequently conduct transfers via computer should consider contacting insurance professionals, be it an attorney to interpret the policy, or a broker to determine whether there might be a policy endorsement available specifically aimed at this type of event.

The Remedy for the New Cyber Threat Posing Major Coverage Problems: “Fake President” E-mails

In the last few weeks, we have seen yet another widespread ransomware attack that hit nearly one hundred companies around the world.  It reminded me of a recent request from a client, made just after news broke of the WannaCry ransomware attacks, to review its insurance portfolio to confirm that it was covered for ransomware attack.   The client had that coverage, but I noticed that there was a gaping hole in the policy for another type of common attack that goes by a variety of names – business e-mail compromise, social engineering fraud, and fake president fraud.  What is critical for companies to understand, and few do, is that they must purchase a specific endorsement to obtain this kind of coverage.

These types of attacks are as much identity fraud as they are a cyberattack.  In these kinds of cases, an impostor will pose as a high ranking executive at a company, and command a lower level employee via email to wire money to a client or vendor account.  The employee, so diligently trained to follow orders, will then complete the transaction, unwittingly transferring company funds into a fake account.  After all, what employee would question the company’s CEO, CFO, President, or other superior?

This crime poses significant challenges from a coverage perspective.  The act does not fit cleanly within the typical first party coverages included in cyber policies – it isn’t a data breach, in which information is stolen or compromised and needs to be repaired, and it isn’t a ransomware attack, in which a company has its business shut down.  These types of attacks also aren’t covered by modern crime policies because the action taken – the wiring of money by an employee – is voluntary.  There is no extortion, and no money is stolen.

Courts recently confronted with these situations have routinely denied coverage.  One example can be seen in Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., No. C14-1368RSL, 2016 U.S. Dist. LEXIS 88985 (W.D. Wash. July 8, 2016).  There, a hacker impersonating a vendor of the policyholder directed an employee to change the bank account for future payments to that vendor.  The employee dutifully did so, and the policyholder lost over $700,000 when money was wired to the fraudster’s account.  The crime policy covered computer fraud, but contained an exclusion for “loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.”  Travelers denied coverage because the employee had authorization to input the new bank information to the account, and the District Court agreed, finding that the loss – the transfer of money to the new account – indirectly resulted from the inputting of the new bank information.

In Taylor & Lieberman v. Fed. Ins. Co., 2017 U.S. App. LEXIS 4205 (9th Cir. Mar. 9, 2017), the Ninth Circuit was faced with a similar situation.  There, an accounting firm handled payments and transfers for its clients.  An impostor took control of a client’s e-mail account and sent multiple wire payment instructions to the accounting firm.  The employee wired the money, and did not discover the fraud until the third request to wire money.  The accounting firm sought coverage under its crime policy, which provided coverage for “direct loss sustained by an Insured.”  The Court denied coverage because it determined the accounting firm was seeking recovery for third party losses – those of its clients – and not its own.  That the company might have to indemnify that client for the fraudulent payments was immaterial.

Fortunately, not all cases end with an insurer victory.  But the uncertainty of these results begs the question: how do you insure for these attacks?  The answer is a policy endorsement targeted at these types of attacks.  It is usually added to a company’s crime policy, and will include language such as “the Company will reimburse the Insured for Loss sustained by the Insured Person as a direct or indirect result of Business E-mail Compromise.”  The Policy will then define Business E-mail Compromise, and within that definition it should include reference to coverage for voluntary actions of the insured (who is wiring money under false pretenses).  The policy limits for these endorsements tend to be lower than the policy it is attached to, but any coverage an insured can obtain for this kind of fraud is better than none.

There are a few important takeaways on this issue.  First, check your insurance policies for language that may suggest coverage in this area, and read the language closely.  You will want to make sure your company is covered when money is sent by employees as a result of fraud.  If you do not see such language, ask your broker to get you options to add this endorsement to one of your policies.  Second, confirm that the policy endorsement you obtain is broad enough to subsume the acts you are seeking to cover.  The worst case scenario would be purchasing an endorsement that fails to cover the fraudulent actions for which you are hoping to obtain insurance.  Finally, train your employees for these types of situations.  A simple 30 minute training on how to identify tells that reveal these schemes may help your company avoid hundreds of thousands of dollars in losses by avoiding this situation altogether.

The Ninth Circuit Holds that California’s Anti-Hacking Law, Penal Code Section 502, does not Proscribe Unauthorized “Access” to a Database; Rather, the Section Prohibits Unauthorized Use, Copying, or Manipulation of Information in the Database

California’s Computer Data Access And Fraud Act, Cal. Pen. Code, § 502 (“CDAFA”) is a state law analog to the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (“CFAA”).  Both are aimed at fighting unauthorized intrusions into electronic data (for a primer on these statutes, see “Strategies For Businesses Protecting Electronic Data Within California” here).  (See Craigslist Inc. v. 3Taps Inc. (N.D. Cal. 2013) 942 F.Supp.2d 962, 968 [identifying the CDAFA as a state law corollary to the federal statute].)

However, at least according to one federal court, there is a significant difference between the California and federal statute.  (United States v. Christensen (9th Cir. 2016) 828 F.3d 763, 789.)  By way of background, the CFAA requires that a defendant access a protected computer “without authorization.”  (18 U.S.C. § 1030(a)(5)(A)-(C); see also LVRC Holdings LLC v. Brekka (9th Cir. 2009) 581 F.3d 1127, 1133.)  Thus, the focus of a purported violation of the CFAA is whether an alleged hacker has accessed a computer without authorization or has exceeded a specific authorized access.  The CFAA is not applicable to a person who is authorized to access a computer or parts of the computer but who, in so doing, misuses or misappropriates information.  (United States v. Nosal, (9th Cir. 2012) 676 F.3d 854, 863-864.)

Section 502(c) of the CDAFA lists a number of violations with the following language as a precondition:  “[k]nowingly accesses and without permission . . . .”  Thus, the section provides that a person who commits, inter alia, any of the following acts is guilty of a public offense:

(1)       [k]nowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data;

(2)       [k]nowingly accesses and without permission takes, copies, or makes use of any data from computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network;


(4)       [k]nowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network, computer system, or computer network;  . . .

(Emphasis added.)

In United States v. Christensen, supra, 828 F.3d 763, concerning particular identity theft jury instructions, the criminal defendant relied upon United States v. Nosal, supra, 676 F.3d at pp. 864, and claimed that a section 502(c)(2) violation requires that use of a computer or database be “unauthorized.”  The defendant asserted error because the trial court did not so instruct the jury.  However, the court of appeals rejected the argument.

The federal court ruled that “access,” as used throughout California’s section 502(c), in contrast to the federal CFAA, does not require “unauthorized” access to a computer, but merely requires knowing access.  (Id. at p. 789.)  According to the court, what makes access unlawful under section 502(c)(2), is that an alleged hacker “without permission takes, copies or makes use of” data on the computer.  (Ibid.)  “A plain reading of the statute demonstrates that its focus is on unauthorized taking or use of information.”  (Ibid.; emphasis added.)  It does not criminalize unauthorized access to a computer, database or data.  In sum, the court held:  “We conclude that the term ‘access’ as defined in the California statute includes logging into a database with a valid password and subsequently taking, copying or using the information in the database improperly.”  (Ibid.)

There is currently a split of authority in the California courts on the issue which Christensen addressed.  Christensen itself acknowledged this split.  (Ibid.)  On the one hand, there is Chrisman v. City of Los Angeles (2007) 155 Cal.App.4th 29, 34-35, in which the Court of Appeal held that unauthorized “access” meant “breaking into a computer.”  On the other hand, there is Gilbert v. City of Sunnyvale (2005) 130 Cal.App.4th 1264, 1281, in which the Court of Appeal emphasized that “[k]nowingly accessing and without permission making use of any data from a computer system” is a crime under section 502.  The Gilbert court did not discuss unauthorized access to a computer or database.

Christensen rejected Chrisman and ruled consistently with Gilbert.  It seems that the Christensen holding (as well as Gilbert) is the more textually grounded ruling.  The statutory phrase in section 502 “without permission” modifies the taking or use of information in a database and not the initial access of the computer or database itself.  How the California Supreme Court may resolve the issue, if and when presented, remains to be seen.

*This blog post was assisted by Gabriella S. Perez, a 3rd year student at Loyola Law School

SEC Urges Investment Firms to Better Prepare for Ransomware Attacks

On May 17, 2017, the SEC’s Office of Compliance Inspection and Examination (“OCIE”) issued a risk alert urging broker-dealers, investment advisors and investment companies to safeguard themselves against ransomware in light of the recent global “WannaCry” ransomware attack that impacted entities in over one hundred countries, including Britain’s health system and major companies such as FedEx and Telefonia.

The OCIE examined 75 SEC registered firms to assess “industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.”  The OCIE focused on these firms’ cyber-risk assessment, penetration testing, and system maintenance, and found that:

  • 5% of the broker-dealers and 26% of advisers and funds did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and potential business consequences;
  • 5% of broker-dealers and 57% of investment advisers and funds did not conduct penetration tests and vulnerability scans on critical information systems;
  • 10% of the broker-dealers and 4% of investment advisers and funds had not updated a number of critical and high-risk patches to maintain the integrity and security of their information systems even though these firms had a process in place for regular system maintenance.

Given that the WannyCry ransomware attack might have been conducted by a breach via Microsoft Desktop Protocol or Windows Server Message Block version 1, the alert encouraged firms to evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.  The OCIE alert also directed firms to review the alert published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team, U.S. Cert Alert TA 17-132A, about actions firms might consider in reaction to the latest ransomware incident.

The OCIE’s risk alert and examination of 75 SEC registered firms underscores the fact that the SEC is making cybersecurity and cybersecurity practices (and thus cybersecurity disclosures) undertaken by public companies one of its primary focuses.  As Nossaman reported in its May 11, 2017 blog, “because cybersecurity issues remain relatively new and regulators are eager to catch up with emerging technologies, this area could be low hanging fruit” for the SEC.

Settlement in Home Depot Class Action Provides Data Security Corporate Governance Framework for Companies

The latest settlement in Home Depot’s data breach litigation provides a data security framework for corporate governance that may be used by other companies as a template.  Based on claims arising from a massive data breach in 2014 involving 56 million credit cards, Home Depot Inc. recently settled both a shareholder derivative action and a class action filed by financial institutions.  Both settlements were filed and approved by the U.S. District Court for the Northern District of Georgia.  As part of a third settlement of a direct consumer class action in 2016, Home Depot had already agreed to set up a $19.5 million fund to reimburse its affected consumers, and to hire a chief information security officer (CISO).

The recent settlement in In re: The Home Depot Inc. S’holder Derivative Litig., N.D. Ga., No. 15-cv-02999 provided nine corporate governance provisions that focus on corporate reform in data security, and were designed to improve Home Depot’s ability to prevent and respond to future attacks.  Home Depot and its board of directors agreed to:

(i) document the duties and responsibilities of the newly-hired CISO;

(ii) periodically conduct tabletop cyber exercises to validate the Home Depot’s processes and procedures, test the readiness of its response capabilities, raise organizational awareness and train its personnel, and create remediation plans for issues and problem areas;

(iii) monitor and periodically assess key indicators of compromise on computer network endpoints;

(iv) maintain and periodically assess the Company’s partnership with a dark web mining service to search for confidential Home Depot information;

(v) maintain an executive-level committee focused on the Company’s data security;

(vi) receive periodic reports from management regarding the amount of the Company’s IT budget and what percentage of the IT budget is spent on cybersecurity measures;

(vii) maintain an incident response team and an incident response plan;

(viii) maintain membership in at least one information sharing program; and

(ix) retain their own IT, data and security experts and consultants as they deem necessary.

The Home Depot shareholder derivative settlement agreement offers a valuable example of cybersecurity-focused corporate governance practices to all companies, including consumer-facing retailers, for implementing data breach protections and conducting post-breach remedial actions.  Additionally, companies should consider using tools such as Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA), designed to assess privacy and security frameworks, are also important in identifying risks and implementing necessary processes to meet regulatory and business expectations.

SEC Hints that Enforcement Actions on Lax Cybersecurity Might Be Coming

With the confirmation of Jay Clayton as the Chair of the Securities and Exchange Commission, comments made last month by the Acting Enforcement Director, Stephanie Avakian, regarding the importance of accurate reporting in the area of cybersecurity, and consequences of inaccurate reporting, may get lost.  At a speech last month, Ms. Avakian, on behalf of the SEC, told an audience of corporate attorneys, “We’ve not brought an action in that space.  Could I see a circumstance where we do?  Absolutely.” Ms. Avakian softened these comments later in the speech, however, suggesting the SEC was not looking to second-guess good faith disclosure decisions.

Going forward, though, how should public companies react to Ms. Avakian’s statements?  With at least some degree of caution.  After all, the SEC has a history of honing in on an area of interest and filing lawsuits in waves.  Take the glut of lawsuits filed in the mid-2000s regarding backdated stock options, for example.  What started as a compensation system used by thousands of companies turned into a key target for the SEC’s Enforcement Division, with dozens of civil lawsuits filed, and a number of officers and directors going to prison in related criminal actions.  Cybersecurity reporting is obviously not the same stock option backdating.  However, like backdating it has been repeatedly described as an area of focus for the SEC.  And because cybersecurity issues remain relatively new and regulators are eager to catch up with emerging technologies, this area could be low hanging fruit.  Hackers are not going away, and it is likely that every company will be compromised at some point.  So what will happen if the Enforcement Division decides to look closely at the disclosures of public companies after hacking events?

No one knows for sure.  There is no reason to believe that companies that take good faith measures will be the target of an enforcement action.  But one can look to the FCC’s pursuit of companies that it believes failed to take proper steps to secure its data for a hint at what may come.  These companies, such as Wyndham Hotels, thought they had taken good faith cybersecurity measures, and still ended up in the crosshairs.  For now, the only recourse public companies can take is to review their reporting disclosures for accuracy and keep an eye on how the SEC handles matters going forward.

Broadband Internet Service Providers no Longer Subject to FCC Privacy Rules Preventing them from Selling Private Consumer Information

Both the House (215-205) and Senate (50-48) have voted to revoke the Federal Communication Commission’s (FCC) broadband privacy rules which would have forced broadband Internet Service Providers (ISPs), such as Verizon, Comcast and Charter, to obtain affirmative “opt-in” consent from consumers to use and share their personal sensitive information.  Sensitive information includes things such as precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage and the content of communications.  The regulations would have also required ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared.  The FCC proposed the new regulations in March, 2016, and formally adopted them in October, 2016, just days before the presidential election.  President Trump dealt the FCC regulations their final blow by repealing the online privacy rules on April 3rd.

Proponents of the regulations claim that reversing the regulations opens the door for ISPs to sell customer data to third parties and leaves a gaping hole in federal privacy protections.  The proposed regulations would have subjected broadband ISPs to the privacy requirements of Section 222 of the Communications  Act.  That, say opponents of the regulations, was an overstep of the FCC’s authority and such opponents claim further that the FCC does not have the right to regulate ISPs at all.  Prior to such regulations ISPs had never had special privacy rules specifically applicable to them.  The FCC defended its right to implement privacy rules specific to ISPs by claiming that ISPs were actually common carriers, similar to utility providers, of which the FCC does have the authority to regulate over.  Common carriers are subject to Title 2 of the Communications Act.   Opponents of the regulations argue that in addition to overstepping their jurisdiction, the FCC seemed to be picking winners and losers in the marketplace, because while ISPs and websites, such as Google or Facebook, both compete for online generated consumer data, only ISPs would be subject to the proposed regulations.

The vote in Congress to revoke the proposed regulations was primarily drawn on party lines with Democrats in the House and Senate unanimously voting to keep the privacy rules in place and all Senate Republicans and all but 15 House Republicans voting to eliminate the rules. The current FCC Chairman, Ajit Pai, was also in agreement with Republicans, arguing that ISPs should not face stricter rules than website operators. Pai was in the commission minority when the proposed regulations were passed last year.