Privacy and Data Security in the Trump Administration
Privacy and data security issues were prominent in the campaign. Allegations were even made that Russia was behind the DNC hack.
Despite it being front and center in the campaign, cyber security did not generate specific policies from the Trump campaign. One thing Donald Trump did promise was a top to bottom review of US cyber defense and security led by government, law enforcement, and private sector experts. He also committed to establishing a Justice Department task force to coordinate responses to cyber attacks and a cyber review team to audit existing government IT systems.
Another area on which the President-elect spoke was the need to clamp down on the theft of US intellectual property, especially by foreign nations and competitors. Tools already exist to do that, of course: Economic Espionage Act of 1996. Congress, which earlier this year enacted the Defend Trade Secrets Act, is likely to respond favorably to any additional resources or authorities the new administration might seek for this purpose.
Related to cyber security were Mr. Trump’s comments on encryption during Apple’s dispute with the Justice Department in the wake of the San Bernardino terrorist attack. Trump sided strongly with law enforcement, and we can expect Congress to return to the subject of encryption in the coming session. Whether anything happens legislatively is uncertain, and some in Congress want to await the pending report of the National Academy of Science on encryption, which will remain a highly contentious issue. Still, Candidate Trump’s comments show where he stands. One wildcard in the debate may be how weakened is FBI Director Jim Comey, who has been leading the charge on encryption issues for law enforcement.
Also due for legislative consideration in 2017 is the renewal of section 702 surveillance authority under the FISA Amendments Act, which is due to sunset at the end of the year. Trump is likely to take a much more pro-surveillance position than either the current administration or Secretary Clinton might have taken. Privacy advocates in both parties are likely to press for changes in the law, but at this point the odds would be against them.
Either on its own or in conjunction with the section 702 debate, Congress is likely to return to consideration of ECPA reform. The House passed the E-mail Privacy Act unanimously this Congress, but it stalled in the Senate due to privacy groups’ opposition to an amendment sought by Senator Cornyn. The must-pass section 702 legislation is likely to provide a vehicle for e-mail privacy and related ECPA reform legislation if it does not move on its own.
Also in the mix on these issues is consideration of legislation clarifying and modernizing how domestic law enforcement accesses data across national borders. Legislation addressing that issue enjoys prominent support in Congress and may well get taken up in conjunction with ECPA reform or get lumped in with that in the context of section 702 renewal.
And the House Judiciary Committee is already moving ahead with a hearing scheduled to consider protecting geolocation data, setting up another area of dispute between law enforcement and privacy advocates.
Also in the mix legislatively will be proposals on how firms deal with data breaches and theft of information. The recently disclosed hack of Yahoo and the DNC hack have again raised the profile of data breach issues. While there is consensus that something should be done, disagreement remains on the details, including whether a federal law should preempt state data breach laws. There is little reason to expect that the disagreements can be bridged or that legislation will in fact move forward.
Finally and briefly, among other issues that Congress is likely to look at, though on which a legislative solution is unlikely are:
1) how to address distributed denial of service attacks, and the inter-related topic of the growth of the Internet of Things, on which several committees have already scheduled hearings in the wake of the recent significant DDOS attack. At this stage, Congress is likely to seek to continue to build its level of understanding of the issues here rather than act on anything;
2) how to address the recruitment of terrorists and the spread of violent extremism through social media; and
3) the implementation of last year’s Cybersecurity Information Sharing Act by the Department of Homeland Security.
One final point: the key players on these issues are likely to remain the same. One possible change would have Senate Judiciary ranking member Pat Leahy, just reelected, move to become ranking member of the Appropriations Committee, which could open the door for Senator Feinstein to become ranking member of the Judiciary Committee. She would be more sympathetic to law enforcement and less aligned with the privacy advocates than Senator Leahy has been. However, her move might allow tech-friendly Senator Mark Warner to become vice chairman of the Intelligence Committee, of which Senator Richard Burr will remain as chairman after his reelection.