Friday, September 16, 2011
Grassley, Franken Win Passage of Common SenseAmendment to Curb Over-Criminalization
WASHINGTON – Senators Chuck Grassley and Al Franken won approval of a common sense amendment that would clarify that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of internet terms of service agreements or non-government employment agreements restricting computer access.
The amendment was accepted by voice vote to the Personal Data Privacy and Security Act that is being considered by the Senate Judiciary Committee.
“When we sit down at home or at work, we check our email, read the news and generally go about our routine. What we don’t know is that we may be in violation of federal criminal law based upon a violation of internet terms of service agreements or employment agreements for misusing computers,” Grassley said. “This is a common sense solution that helps clean up some of the expansive provisions of our criminal code and ensures that innocent computer users are not federal criminals.”
“Our laws should protect people—not turn them into criminals for doing something as basic as checking Facebook or their Fantasy Football scores,” said Franken. “The amendment I introduced with Sen. Grassley does something very simple: it makes sure that if the only thing you’ve done wrong is violate a website’s Terms of Service or your employer’s computer use policy, you can’t be charged with a crime or sued in federal court.”
Under a reading of current law argued in federal court by the Department of Justice, something as simple as checking your personal email account at work may be against the law. By extension, this reading could also make it a federal felony for a father to use his son’s Facebook password to log into the son’s Facebook account and check messages and photos; for a 17 year-old to claim she is 18 in order to sell goods in certain online marketplaces; or even for using instant messenger on a computer at work.
Two recent criminal prosecutions brought by the Justice Department in California that have argued breaching terms of service on websites is a violation of federal law. Legal commentators have criticized these prosecutions as an overreach of the Computer Fraud and Abuse Act. They point out that this expansion of the law could lead to criminalizing any misuse of an internet website terms of service agreement.
Q&A: Federal Regulations
Q: What specific steps can Congress take to reduce federal regulations that undermine job creation?
A: I’ve co-sponsored several bills aimed at the growing regulatory burden and its negative impact on job creation. One would require Congress to give final approval to major, new federal regulations before those regulations could take effect. It’s called the REINS Act, or Regulations from the Executive In Need of Scrutiny Act (S.299). The Constitution vests all legislative power in the Congress yet, year after year, Congress passes legislation that delegates more power to the executive branch without really assessing the full impact of those laws and how that power is used. As a result, federal agencies are increasingly bypassing Congress by imposing new regulations that Congress never intended. The REINS Act would establish greater accountability for major regulations handed down from the executive branch and restore checks and balances in our system of government that have been eroded.
I’ve co-sponsored another bill – the Regulation Moratorium and Jobs Preservation Act of 2011 (S.1438) – that would prohibit federal agencies from taking any significant regulatory action until the unemployment rate falls below 7.8 percent. The unemployment rate was 7.8 percent the day the President took office. Today, it’s 9.1 percent. The moratorium in this proposal would apply to any federal rule or guidance with an effect of $1 million or more on the economy. There were 144 rules with this sort of significant impact proposed in the first six months of 2011.
I’ve also sponsored a bill to prevent the Environmental Protection Agency from regulating dust in rural America while maintaining the protections to public health under the Clean Air Act. I’ve brought the EPA Administrator to Iowa and argued for years now about the ridiculousness of the EPA’s trying to regulate the dust kicked up by a tractor in the field or a car on a gravel road, but the EPA hasn’t given up its effort to regulate rural dust. The Farm Dust Regulation Prevention Act (S.1528) says that the EPA can’t lower the level of dust allowed under what it calls a particulate standard without showing there is a substantial health risk caused by farm dust, and that the lowering of the level allowed has a benefit that’s greater than the economic harm it would cause. The Clean Air Act does not currently differentiate between urban and rural dust, so the bill provides the EPA with a distinction between the two for implementation of air quality standards. It’s unfair and excessive for the EPA to put the kind of expensive, stringent standards it’s been pursuing on rural America.
Q: Why is there so much frustration at the grass roots right now regarding federal regulations?
A: A tidal wave of new regulations is hitting the private sector, especially in health care, energy and the financial areas. In 2010 alone, 3,573 new federal rules were finalized. Unlike taxes and spending, the costs that the private sector pays to comply with federal regulations are not accounted for in the federal budget process. For employers, the uncertainty about what the real impact and cost of these regulations will be – on top of uncertainty about how taxes could go up -- makes it much harder to move forward with investments and the kind of economic activity that retains and creates jobs. In January, the President announced a comprehensive review of government regulations that are outdated or just don’t work. There was hope that concrete action by the administration could make a difference. Unfortunately, the regulatory rollback based on the review, announced in August, might be too weak to make a dent, especially in the face of emerging regulations, such as those stemming from the 2010 health care law. Congress needs to stay on top of the regulatory process in the executive branch, meeting its responsibilities for congressional oversight, and take legislative action to make the regulatory system less burdensome on America’s economy.
Friday, September 16, 2011
Prepared Statement of Ranking Member Chuck Grassley
Senate Committee on the Judiciary Committee
Executive Business Meeting, Thursday, September 15, 2011
Both S.1151, the Personal Data Privacy and Security Act and S.1408, the Data Breach Notification Act will have a major impact on the way private sector businesses operate. I’m concerned that given over 9 percent unemployment and a renewed focus in Washington on creating jobs, this legislation may have the opposite effect.
While we’ve focused on protecting information, we’ve not focused on protecting jobs. This bill will likely drive up costs through even more burdensome regulations. A company that hasn’t even suffered a breach may find itself unable to afford compliance with this bill’s new requirements. Small businesses, which create most of the jobs in this country, may end up closing, or at least not hiring, when they’ve done nothing wrong. We need to be smart with new regulatory burdens to ensure that consumers are truly protected, while fostering economic growth and not stifling it
To address these concerns, there are a number of amendments filed to both bills, including several that I have filed. My amendments to S.1151 impact both the criminal and data breach portions of the bill.
Before discussing the bills, I want to reiterate a concern I raised last week regarding the Committee’s approach to Cybersecurity legislation. Specifically, both Majority Leader Reid and Minority Leader McConnell have committed to a working group approach to deal with cybersecurity legislation. The approach is designed to allow the various committees with overlapping or concurrent jurisdiction to work together and develop bi-partisan cybersecurity legislation.
So far, the working group approach has worked, with various committees agreeing to meet and discuss issues. However, in staff discussions with other committees, like Commerce, there was some surprise that the Judiciary Committee was already marking up cybersecurity and data breach legislation, since we’ve all agreed to take part in the working groups.
I just want to say that while I respect this committee’s jurisdiction to discuss these matters, I—like Majority Leader Reid and Minority Leader McConnell—want a comprehensive bipartisan cybersecurity bill. I’m concerned that by marking-up this bill that touches on areas that may overlap with other committees, we could hinder the working group approach.
That said, on the criminal side of this bill, I have two amendments I intend to offer. The first was circulated last week and involves the mandatory minimum sentence for violations of aggravated damage to a critical infrastructure computer. This 3-year mandatory minimum penalty was requested by the White House as part of President Obama’s cybersecurity proposal.
Second, I circulated a new amendment this week and am pleased to have Senator Franken as a cosponsor. This amendment would modify the Computer Fraud and Abuse Act to address concerns raised by two recent criminal prosecutions brought by the Justice Department.
I think many Americans would be shocked to hear that every day, they may be violating federal criminal law without knowing it, simply by violating website service agreements or employee computer access agreements.
The Grassley-Franken amendment we’ll be offering today simply clarifies that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of internet terms of service agreements or non-government employment agreements restricting computer access. It’s a common sense amendment that helps clean up some of the expansive provisions of our criminal code.
I also have amendments to the data breach portions of S.1151. We must protect the personal and financial information of individuals collected in company databases. I stated last week that solving this problem is something everyone supports. However, determining how to do this in a way that balances the interests of both consumers and businesses makes for a difficult task.
We must work to not overburden small and large businesses with new, costly regulations. Notice requirements must be constructive. Notice should not include burdensome requirements where there is little or no risk of identity theft.
The enforcement and liability provisions shouldn’t create the potential for abuse from overzealous prosecution. The provisions in this bill run the risk of abuse and inconsistent enforcement. These and other issues need to be resolved.
Today, the bill we consider has in some ways improved over previous versions. However, it has expanded in other areas and this gives me concern.
I am pleased to see that the manager’s amendment has removed the Federal Trade Commission’s authority to modify the definition of sensitive personal information. However, problems still remain.
A broad definition will impact small businesses, which are subject to the same strict liability requirements and high penalties as large businesses, but without the same large resources. At a time when we’re working to create jobs, these burdensome requirements will be a step in the wrong direction.
This bill requires notice when there’s a significant risk that a breach may or has resulted in “identity theft, economic loss or harm, or physical harm.” There’s enough vagueness and breadth to cover situations that may not encompass what the drafters intended. Given the penalties at stake, the incentive will be to err on the side of over-notification.
Thus, it is not unreasonable for me and others to be alarmed at the possibility of consumer over-notification that becomes counterproductive to what we seek to accomplish.
I’m also concerned that the safe harbor is in name only. An over-worked Federal Trade Commission may find the easiest thing for a company to do in most instances is issue notice.
Further, I think it is troubling that this bill takes a “one size fits all” approach in requiring businesses to implement data security programs. What works for one large company will not necessarily work for a small company.
I also have amendments to S.1408, the Data Breach Notification Act and many of my concerns with that bill are similar to those with S.1151. I hope we can come together on these amendments and ensure that we aren’t unduly burdening American businesses with further unnecessary regulations that will hinder job growth by stifling innovation.
We have a lot of work to do. Thank you.
Johanns, Grassley Seek EPA Support of Farm Dust Bill
WASHINGTON – U.S. Sens. Mike Johanns (R-Neb.) and Chuck Grassley (R-Iowa) today asked Environmental Protection Agency (EPA) Administrator Lisa Jackson to provide certainty and put action behind her words of support for farmers and ranchers concerned about the potential regulation of farm dust. Johanns has introduced, and Grassley has co-sponsored, a bill that would prohibit EPA farm dust regulation. In a letter to Jackson, the senators outlined conflicting statements made by EPA and requested her support for the bill as a way to provide clarity to the agency's position.
"EPA won't hesitate to tell farmers not to worry about farm dust regulations, but when pressed further, all we hear are intentionally vague statements and mixed signals," Johanns said. "Their claims that they have no plans to regulate farm dust conflict with their statements that they're not able to distinguish farm dust from other regulated dust. If regulation of farm dust truly is a myth, as Administrator Jackson has suggested, she should debunk that myth once and for all by supporting my bill. Farmers and ranchers would applaud her for providing this certainty."
"The EPA has been giving conflicting answers and having it both ways on the dust issue for long enough. It's time for Administrator Jackson to set the record straight and put the word out to the employees of the EPA that agriculture dust is off the table," Grassley said. "When soybeans are at the right moisture level, they need to be combined, and if God determined that the wind is going to blow that day, there’s absolutely nothing a farmer can do. Dust happens."
The letter to Administrator Jackson can be found here.
EPA's April 2011 Policy Assessment for the Review of the Particulate Matter National Ambient Air Quality Standards recommends doubling the severity of dust regulation. Despite this, Administrator Jackson has been reported as telling farmers any contention that EPA plans to regulate farm dust is a "myth."
However, EPA Assistant Administrator Gina McCarthy stated in an April letter that EPA's air quality standards are "not focused on any specific category of sources or any particular activity (including activities related to agriculture or rural roads)."
The Johanns-Grassley bill would thus enable EPA to consider the source of particulate matter and prohibit the agency from regulating farm dust.
Grassley Presses the IRS on Whistleblower Program After Report Outlines Challenges
WASHINGTON -- Sen. Chuck Grassley of Iowa today wrote to the IRS commissioner, asking a series of questions designed to help the agency improve its whistleblower operation to encourage people with information about big-dollar tax cheating to come forward and lead to the substantial recovery of tax dollars for the U.S. treasury. Grassley’s letter came after the Government Accountability Office released a report describing the barriers to complete success for the whistleblower program.
“The GAO has done a good service by providing a road map for how the IRS can improve the IRS whistleblower program and go after big-dollar tax cheating,” Grassley wrote in his letter to IRS Commissioner Douglas Shulman. “Now the challenge is for the IRS and Treasury to make the changes needed to provide assurance to existing and future whistleblowers so they’re not discouraged by the time needed to process their claims or by the issuance of rules that contradict well-established rules for compensation of non-tax whistleblowers. The vast majority of taxpayers are honest. They’re the ones who benefit from a successful whistleblower program. More tax compliance means more fairness for hardworking families who pay what they owe.”
Grassley wrote the 2006 law improving the IRS whistleblower office. He modeled the whistleblower improvements after the successful 1986 whistleblower amendments to the federal False Claims Act, which have brought back more than $27 billion to the federal treasury and deterred even more fraudulent activity.
The text of Grassley’s letter is available here. The text of Grassley’s comment on the GAO report is available here.