The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
Regulating Personal Data for National Security
Episode 494 of the Cyberlaw Podcast
The United States is in the process of rolling out a sweeping regulation for personal data transfers. But the rulemaking is getting limited attention, perhaps because it targets transfers to our rivals in the new Cold War – China, Russia, and their allies. Adam Hickey whose old office is drafting the rules, explains the history of the initiative, which stems from endless CFIUS efforts to impose such controls on a company-by-company basis.
Now, with an executive order as the foundation, DOJ has published an advance notice of proposed rulemaking that promises what could be years of slow-motion regulation. Faced with a similar issue – the national security risk posed by connected vehicles, particularly those sourced in China – the Commerce Department has issued a laconic notice whose telegraphic style contrasts sharply with the highly detailed Justice draft.
I take a stab at the riskiest of ventures – predicting the results in two Supreme Court cases about social media regulations adopted by Florida and Texas. Four hours of strong appellate advocacy and a highly engaged Court make predictions risky, but here goes. I divide the Court into two camps – on one hand the Justices (Thomas, Alito, probably Gorsuch) who think that the censorship we should worry about comes from powerful speech-monopolizing platforms and on the other hand the Justices (Kavanagh, the Chief) who see the cases through a lens that values corporate free speech. Many of the remainder (Kagan, Sotomayor, Jackson) see social media content moderation as understandable, consistent with their own biases, and justified, but they're uneasy about the power of large platforms and reluctant to grant a sweeping immunity from regulation to those companies. To my mind, this foretells a decision striking down the laws insofar as they restrict content moderation, but one that won't resolve all the issues raised by the two laws and won't overturn them entirely on the current record. There are too many provisions in those laws that some of the Justices considered reasonable for Netchoice to win a sweeping victory. So I look for an opinion that rejects regulation aimed at "private censorship" but expressly leaves open or even approves other, narrower measures disciplining platform power, leaving the lower courts to deal with them on remand.
Kurt Sanger and I dig into the SEC's amended complaint against Tim Brown and SolarWinds, alleging material misrepresentation with respect to company cybersecurity. The amended complaint tries to bolster the case against the company and its CISO, but at the end of the day it's less than fully persuasive. SolarWinds didn't have the best security, and it was slow to recognize how much harm its compromised software was causing its customers. But the SEC's case for disclosure feels like 20-20 hindsight. Unfortunately, CISOs will now have to spend the next five years trying to guess which intrusions will look material in hindsight.
I cover the National Institute of Standards and Technology's (NIST) release of version 2.0 of the Cybersecurity Framework, particularly its new governance and supply chain features.
Adam reviews the latest update on section 702 of FISA, which likely means the program will stumble zombie-style into 2025, thanks to a certification expected in April. We agree that Silicon Valley is likely to seize on the opportunity to engage in virtue-signaling litigation over the final certification.
Kurt explains the remarkable power of adtech data for intelligence purposes, and Senator Ron Wyden's (D-OR) effort to make sure such data is denied to U.S. agencies but not to China, Russia, and the rest of the world. He also pulls Adam and me into the debate over whether we need a federal backup for cyber insurance. Bruce Schneier thinks we do, but none of us is persuaded.
Finally, Adam and I consider the divide between CISA and GOP election officials. We agree that it has its roots in CISA's imprudent flirtation with election security mission creep, as it moved from assessing the cybersecurity of voting machines to trying to combat "malinformation," otherwise known as true facts that the administration found inconvenient. We wish CISA well in the vital job of protecting voting machines and processes and hope that it will manage in this cycle to stick to its cyber knitting.
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Show Comments (2)