Press Releases

WASHINGTON - U.S. Sen. Mark R. Warner (D-VA) joined Sen. Sherrod Brown (D-OH) and 6 of their Senate colleagues in a letter requesting additional information on the Borrower Protection Program that the Consumer Financial Protection Bureau (CFPB) and the Federal Housing Finance Agency (FHFA) announced in April. The agencies’ announcement stated that the CFPB and FHFA would share data under the program but did not say how that data would be used to protect borrowers. The Senators asked the agencies what information they would share and how each agency would use the new program to avoid unnecessary borrower defaults and foreclosures, to address misinformation and unequal treatment of borrowers, and to address servicers not complying with the law.

“It is critical that the CFPB and FHFA act quickly to ensure homeowners across the country can access the relief they need during this national emergency. Any delay could result in unnecessary delinquencies and foreclosures that will set consumers back, rather than helping them recover,” wrote the lawmakers.

In addition to Sens. Warner and Brown, the letter was signed by Sens. Jack Reed (D-RI), Elizabeth Warren (D-MA), Brian Schatz (D-HI), Chris Van Hollen (D-MD), Catherine Cortez Masto (D-NV), and Tina Smith (D-MN).

A copy of the letter appears here and below:


We are writing regarding the Consumer Financial Protection Bureau (CFPB) and the Federal Housing Finance Agency’s (FHFA) joint announcement of the Borrower Protection Program. The announcement states that the CFPB will share consumer complaint data and analytics with FHFA, and FHFA will provide the CFPB with its internal data on mortgage forbearances, modifications, and other loss mitigation.

Sharing information between your agencies is an important first step to ensure that homeowners are getting the help they need. The CFPB’s supervisory, research, and market monitoring tools and consumer-oriented perspective coupled with FHFA’s loan-level data could provide unique insights into borrowers’ experiences.

But information sharing alone will not protect borrowers. Once information is shared, the CFPB and FHFA must also have plans to use their respective tools and authorities to immediately address trends that indicate borrowers are receiving inaccurate information or unequal treatment, or that servicers are not complying with the law. Timeliness of the CFPB and FHFA’s oversight is critical to avoid unnecessary borrower defaults and foreclosures. Just a few weeks of delay could have disastrous outcomes for consumers who may lose the ability to access an affordable modification after just two months or face foreclosure after four months.

To help us better understand what steps your agencies will take to protect homeowners through the Borrower Protection Program, please respond to the following questions:

1. It has been more than nine weeks since the COVID-19 national emergency declaration, and borrowers may already have experienced weeks of financial hardship.

   a. When will the CFPB and FHFA first share data under the Borrower Protection Program?

   b. What specific actions will the CFPB and FHFA take, respectively, if either agency identifies noncompliance or consumer harm, both to get consumers accurate information and to address noncompliance? Please list all tools that could be used by each agency.

2. Consumer complaint data is an important source of information, but it is not the CFPB’s only tool to monitor consumer harm. In addition to consumer complaint data, what other information will the FHFA receive from the CFPB?

3. The CFPB has regulatory and supervisory authority over many of the largest mortgage servicers, including depositories with more than $10 billion in assets and nonbank mortgage servicers.

   a. Will the information examined under the Borrower Protection Program show data by loan servicer? If so, how will the CFPB use any servicer-specific data to inform its supervisory activities?

   b. Will any servicer-specific data distinguish between loans in forbearance and delinquent loans? If so, how will the CFPB or FHFA monitor and address disparities in delinquency rates amongst servicers to ensure that those borrowers who are facing a financial hardship and eligible for forbearance can receive it?

   c. To the extent that the CFPB or FHFA receives information or identifies trends among mortgage servicers that do not fall within the CFPB’s supervisory authority, will the CFPB or FHFA communicate those findings to the appropriate regulator to ensure compliance with servicing laws and policies? If not, why not?

4. Will information provided to the CFPB include borrower demographic information when available, including race, ethnicity, English proficiency, age, or other protected classes under the Fair Housing Act, to facilitate fair lending oversight?

   a. How will the CFPB use any available information to ensure that mortgage servicing policies and practices result in equal treatment for all borrowers? Will the CFPB monitor forbearance rates, delinquency rates, loan modifications, non-retention loss mitigation options, and foreclosures by protected class?

   b. What tools will the CFPB and FHFA use to address any disparate outcomes?

5. Will any information provided to either agency include a borrower’s servicemember status, when available, to monitor compliance with the Servicemembers Civil Relief Act (SCRA)? If possible violations of the SCRA are identified, which agency will address those violations?

6. Many mortgage servicers service not just Fannie Mae and Freddie Mac loans, but also FHA, VA, USDA, and HUD Section 184 loans, as well as loans in private-label securities.

   a. Will the CFPB enter into agreements with the other federal agencies, which collectively insure or guarantee more than 25 percent of loans, to share data and inform those agencies’ supervision of their servicers? If not, why not?

   b. Borrowers whose loans are not guaranteed by Fannie Mae or Freddie Mac or insured or guaranteed through a federal program are not assured to receive forbearance or other relief if they face a hardship, and information about outcomes for these borrowers will be limited. How will the Borrower Protection Program protect borrowers whose loans are not guaranteed by Fannie Mae or Freddie Mac or insured or guaranteed through a federal program?

7. Will the CFPB and FHFA publish regular, public updates on the Borrower Protection Program to share findings and actions? If not, why not?

It is critical that the CFPB and FHFA act quickly to ensure homeowners across the country can access the relief they need during this national emergency. Any delay could result in unnecessary delinquencies and foreclosures that will set consumers back, rather than helping them recover. Thank you for your prompt attention to this request. 

Sincerely,  

###

WASHINGTON - As tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19, U.S. Sens. Mark R. Warner and Richard Blumenthal (D-CT) and U.S. Reps. Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.

After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19.

“This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. Americans are rightly skeptical that their sensitive health data will be kept safe and secure, and as a result, they’re reluctant to participate in contact tracing programs essential to halt the spread of this disease. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”

“Communications technology has obviously played an enormously important role for Americans in coping with and navigating the new reality of COVID-19 and new technology will certainly play an important role in helping to track and combat the spread of this virus. Unfortunately, our health privacy laws have not kept pace with the privacy expectations Americans have come to expect for their sensitive health data,” Warner said. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations could become the new status quo in health care and public health. The credibility – and indeed efficacy – of these technologies depends on public trust.” 

“I’m thankful that our country is blessed with the world’s best innovators and technologists, many of whom I represent in the House, and that they have joined the effort to combat the coronavirus by using technology to control the spread of the virus,” said Eshoo. “As we consider new technologies that collect vast amounts of sensitive personal data, we must not lose sight of the civil liberties that define who we are as a nation. I’m proud to join my colleagues to introduce the Public Health Emergency Privacy Act, strong and necessary legislation that protects the privacy of every American while ensuring that innovation can aid important public health efforts.”

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly defined privacy rights and strong enforcement to safeguard these rights. I am proud to introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that swift passage of this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to widespread testing and manual contact tracing.”

“We must use every tool available to us to respond to the COVID-19 pandemic. Contact tracing, along with testing, is one of the cornerstones of a science-based approach to addressing this historic crisis. We can protect our public health response and personal data privacy,” said DelBene. “I have been calling on the Trump administration and the private sector to adopt data privacy principles since the start of this outbreak. It is time for Congress to lead the way in assuring we have a strong national contact tracing system and that Americans’ personal data is protected. This bill will achieve this mutual goal.”

Eshoo, Schakowsky, and DelBene introduced House legislation with original co-sponsors House Energy and Commerce Committee Vice Chair Yvette Clarke (D-NY), Health Subcommittee Vice Chair G. K. Butterfield (D-NY), and Consumer Protection & Commerce Subcommittee Vice Chair Tony Cárdenas (D-CA).

The Public Health Emergency Privacy Act would:

- Ensure that data collected for public health is strictly limited for use in public health;

- Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;

- Prevent the potential misuse of health data by government agencies with no role in public health;

- Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;

- Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;

- Require regular reports on the impact of digital collection tools on civil rights;

- Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and

- Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

The Public Health Emergency Privacy Act is endorsed by Lawyers’ Committee for Civil Rights Under Law, Public Knowledge, New America’s Open Technology Institute, Consumer Reports, Free Press, Electronic Privacy Information Center (EPIC), Public Citizen, health privacy scholar Frank Pasquale, and privacy scholar Ryan Calo.

“African Americans and other marginalized communities are suffering disproportionately from coronavirus and its economic effects. They do not need further harm from snake oil surveillance tech. This bill protects the most vulnerable—it ensures that any technology used to track the virus is not used to unfairly discriminate in employment, voting, housing, education, and everyday commerce,” said David Brody, Counsel and Senior Fellow for Privacy & Technology at the Lawyers’ Committee for Civil Rights Under Law.

“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge. 

“OTI welcomes this effort to protect privacy as lawmakers consider pandemic response plans that gather vast quantities of data. The bill would establish strong safeguards that would prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.

“When it comes to tracking and collecting people’s data, we want to make sure there are basic protections for people’s privacy, and this bill is a positive step to establish the trust and balance that’s needed. The bill smartly requires that data collected to fight coronavirus can only be used for public health purposes – and nothing else. Importantly, the bill ensures an individual's right to seek redress for violations, and it bars against the use of pre-dispute arbitration agreements. These measures will help individuals trust contact-tracing or proximity-tracing programs, and they can serve as a model for more comprehensive protections down the road,” said Justin Brookman, Director of Consumer Privacy and Technology Policy for Consumer Reports.

“Digital contact tracing and exposure notification systems may be important tools in combating the spread of coronavirus. But they must be deployed responsibly and with adequate safeguards that protect the privacy and civil rights of the people that use them. The Public Health Emergency Privacy Act is a serious effort at ensuring our rights are protected while giving public health officials the tools they need to track and notify those exposed to COVID-19. These rules must apply to everyone using these systems, whether that’s state or local governments, employers, or other tech companies. This bill protects the civil rights of the most vulnerable essential workers, the disproportionately Black and Latinx people most exposed to the virus, and will help ensure they’re not also subject to invasive and unnecessary surveillance that will linger long after this crisis passes,” said Gaurav Laroia, Senior Policy Counsel with Free Press.

“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC). 

“What we need more than anything during this global emergency is to feel less vulnerable, to be sure not just that our health is protected, but that our rights are protected as well. This bill will ensure that whatever technological innovation emerges during the pandemic, we will feel safer knowing that our rights to privacy, to our day in court and to access to the ballot box won’t be threatened,” said Robert Weissman, President of Public Citizen.

“This bill establishes critical protections for patients whose health data is released in the context of the public health emergency. To build a trusted data infrastructure, the US needs to ensure that any entity which accesses such data is held accountable and does not abuse the public trust. The Public Health Emergency Privacy Act is a big step in the right direction,” said Frank Pasquale, Piper & Marbury Professor of Law at University of Maryland Carey School of Law.

“This draft legislation addresses two of my biggest privacy concerns about the use of technology and information to respond to COVID-19. As the Act makes clear, the emergency health data of Americans should only be used to fight the pandemic and should never be used to discriminate or deny opportunity,” said Ryan Calo, Lane Powell & D. Wayne Gittinger Endowed Professor at University of Washington School of Law.

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) urged Vice President Mike Pence to take steps to both combat online misinformation related to the coronavirus outbreak and to correct false and misleading statements by the President and other members of the Administration, in the interest of public health. This letter follows reports of widespread misinformation on social media about the novel coronavirus (COVID-19) – from conspiracies about the virus’ inception, to false claims about products that were said to provide immunity or cures.

“I am deeply concerned that despite the seriousness of the novel coronavirus (COVID-19) outbreak, your coronavirus taskforce and members of the Administration have failed to consistently counter the significant amount of misinformation conveyed to the American public. In many instances, we have seen misinformation spread by those seeking to profit from untested and potentially dangerous products misrepresented as effective treatments for the virus,” wrote Sen. Warner. “Of even greater concern, false or misleading information has also come directly from prominent members of the Administration, up to and including the President.”

“The President’s injudicious and false statements could gravely undermine ongoing public health efforts to contain the outbreak. His statements directly conflict with the advice and recommendations of your own coordinated federal response and leading public health experts and will likely exacerbate economic uncertainty and discourage individuals from seeking needed care. To date, I am not aware of any steps your Administration has taken to publicly correct this false narrative,” he continued. “Simply put – this conflicting messaging and misinformation will weaken our ability to respond to COVID-19 and significantly undermine ongoing public health efforts. I strongly encourage you to publicly withdraw and correct President Trump’s statements and other false statements made by members of the Administration. In addition, I ask that, moving forward, the coronavirus taskforce proactively monitor and develop a comprehensive strategy to counter widespread misinformation, including campaigns by foreign actors or parties seeking to profit from fraudulent health treatments. Information conveyed to the public must accurately reflect the latest guidance from public health experts and other authorities.”

Around the world, the novel coronavirus has sickened more than 113,000 people and killed more than 4,000 people to date. In the Commonwealth of Virginia alone, there have been nine identified cases of the virus. 

In his letter, Sen. Warner noted that the President’s false statements “stoke and legitimize already widespread online misinformation concerning the virus.”  He also highlighted indications “that at least some of the misinformation is derived from, or at least amplified by, malicious foreign actors.”

A copy of the letter is available here and below. A list of Sen. Warner’s work on coronavirus is available here.


The Honorable Michael R. Pence

Vice President of the United States of America

The White House

1600 Pennsylvania Avenue, NW

Washington, D.C. 20500

Dear Vice President Pence:

I am deeply concerned that despite the seriousness of the novel coronavirus (COVID-19) outbreak, your coronavirus taskforce and members of the Administration have failed to consistently counter the significant amount of misinformation conveyed to the American public. In many instances, we have seen misinformation spread by those seeking to profit from untested and potentially dangerous products misrepresented as effective treatments for the virus.[1] Of even greater concern, false or misleading information has also come directly from prominent members of the Administration, up to and including the President. I believe that, left unaddressed, this misinformation and conflicting messaging will undermine our ability to respond to COVID-19 by reducing public confidence in ongoing public health efforts, creating economic uncertainty and causing the public to respond in counterproductive ways.

As you know, the novel coronavirus (COVID-19) has sickened more than 118,000 people around the world, and killed more than 4,200 people to date.[2] While this situation is rapidly evolving in the United States, the Centers for Disease Control and Prevention (CDC) has said the potential public health threat posed by COVID-19 is very high.[3] It is essential that the Administration communicate timely and accurate information to the American public. This should include a coordinated effort to address potentially harmful misinformation spread through social media and other sources.

On March 4, 2020, during a phone call televised to millions of viewers, President Donald J. Trump indicated that Americans who fear they may have COVID-19 should continue going to work and not seek medical care, and told viewers that the World Health Organization’s (WHO) estimates of the virus’ deadliness were false.[4] In addition, on February 26, 2020, the President carelessly downplayed the seriousness of this outbreak by telling the American public that COVID-19 cases in the U.S. were “going very substantially down, not up” and that the existing 15 cases in the U.S. “is going to be down to close to zero” in two days.[5] As you know, cases have increased exponentially since that time.

The President’s injudicious and false statements could gravely undermine ongoing public health efforts to contain the outbreak. His statements directly conflict with the advice and recommendations of your own coordinated federal response and leading public health experts and will likely exacerbate economic uncertainty and discourage individuals from seeking needed care. To date, I am not aware of any steps your Administration has taken to publicly correct this false narrative.

In addition, such remarks stoke and legitimize already widespread online misinformation concerning the virus. There are indications that at least some of the misinformation is derived from, or at least amplified by, malicious foreign actors.[6] Additional misleading statements from members of the Administration, combined with intentional falsehoods pushed by these malicious actors, will only make matters worse.

Successfully combatting COVID-19 will require that public officials, health care providers and the American public act in a coordinated and responsible manner and, should the need arise, follow recommendations of public health experts to social distance, self-quarantine and take additional safety measures. This will not be possible if the Administration does not take proactive steps to counter false information and consistently relay trusted, accurate and timely information to the American public.

Simply put – this conflicting messaging and misinformation will weaken our ability to respond to COVID-19 and significantly undermine ongoing public health efforts. I strongly encourage you to publicly withdraw and correct President Trump’s statements and other false statements made by members of the Administration. In addition, I ask that, moving forward, the coronavirus taskforce proactively monitor and develop a comprehensive strategy to counter widespread misinformation, including campaigns by foreign actors or parties seeking to profit from fraudulent health treatments. Information conveyed to the public must accurately reflect the latest guidance from public health experts and other authorities. Thank you for your attention to this request, and I look forward to your response.

Sincerely,


###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and John Kennedy (R-LA), members of the Senate Banking Committee, released a statement today, ahead of Supreme Court arguments in Liu v. SEC, a case challenging the Securities and Exchange Commission’s (SEC) enforcement powers to seek disgorgement on behalf of defrauded investors:

“Today’s argument in Liu v. SEC highlights the critical importance of affirming the SEC’s ability to protect investors through its disgorgement authority. Disgorgement authority is an essential enforcement tool that deters violations of our securities laws, protects Main Street investors, and helps compensate hard-working Americans who are victims of financial scams. Since the Court’s 2017 decision in Kokesh v. SEC, the SEC has forgone an estimated $1.1 billion in proceeds on behalf of harmed investors – a number that will only grow if the Supreme Court sides with the petitioners in this case – putting more money in the pockets of scammers and fraudsters while leaving ripped-off investors holding the bag. While we strongly believe that the SEC has the legal authority to seek disgorgement in civil actions, uncertainty from this case underscores the importance of congressional action to better protect harmed investors. In the Senate, we have introduced bipartisan legislation that would affirm the SEC’s disgorgement authority and expand its toolkit to increase financial recovery for harmed investors. The House passed similar legislation last year. We urge our colleagues in the Senate to act now by taking up this bipartisan effort,” said the two Senators.

Sens. Warner and Kennedy last year introduced the Securities Fraud Enforcement and Investor Compensation Act, bipartisan legislation that would give the SEC power to seek restitution for Main Street investors harmed by securities fraud. The bill would give the SEC a broader range of tools to seek compensation for investors who’ve lost money to Ponzi schemes and other investment scams. 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued the following statement after federal prosecutors today charged four Chinese intelligence officers with hacking Equifax in one of the largest data breaches in history:

“I’m glad the DOJ has moved to formally indict the Chinese intelligence officers associated with the hack of Equifax. For years, the Chinese government has targeted western commercial firms. It is disappointing that, despite a lot of rhetoric, President Trump’s recent agreement with China does nothing to address this specific issue.

“That said, the indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack. A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure. The legislation I have with Senator Warren would subject data brokers to a higher standard of care and is an important first step in data protection.”

Sen. Warner has been outspoken about the importance of protecting consumers from data theft by employing adequate cybersecurity practices. He has previously introduced legislation to hold large credit reporting agencies – including Equifax – accountable for data breaches involving sensitive consumer data.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), co-chair of the bipartisan Senate Cybersecurity Caucus, urged the Defense Health Agency to remove sensitive medical data belonging to servicemembers exposed online, where it remains vulnerable due to insecure data practices at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center.

“As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans,” wrote Sen. Warner. “The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others.”

He continued, “We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices.”

In September 2019, Sen. Warner sought answers from TridentUSA Health Services regarding reports that many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. Following that letter, the images were removed but millions of records were left online. Nearly two months later, Sen. Warner called out the U.S. Department of Health and Human Services (HHS) for its failure to act following the exposure.

Since the letter to HHS, 16 systems, 31 million images and 1.5 million exam records have been removed from the internet. However, a significant amount of personally identifiable and sensitive medical information belonging to servicemembers remains online, due to unsecured Army PACS.

In his letter to the Assistant Secretary, Sen. Warner asked the agency to remediate the situation immediately and posed the following questions for Assistant Secretary Thomas McCaffery:

  1. Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
  2. Do you audit and monitor logs?
  3. Do you require full-disk encryption and authentication for PACS?
  4. Do you require the hospitals to have a Chief Information Security Officer?
  5. Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.

A copy of the letter can be found here and below.


Mr. Thomas McCaffery

Assistant Secretary of Defense for Health Affairs

Defense Health Agency

7700 Arlington Boulevard

Falls Church, VA 22042

Dear Mr. McCaffery,

As the healthcare sector becomes increasingly reliant on technology to deliver essential services to patients, it also faces rising threats from malicious actors that seek to compromise the personally identifiable and other sensitive information of Americans. As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans. It is with great alarm that I recently learned that unsecured Picture and Archiving Servers (PACS) at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center have left personally identifiable and sensitive medical information available online for anyone with a DICOM viewer to find.

Following a report in September of 2019 highlighting the exposure of sensitive medical images belonging to millions of Americans through unsecured PACS, I wrote letters to two healthcare entities that controlled the PACS, and those images were removed. However, millions of records remained online. The following month, I wrote to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) regarding the remaining exposure of the personally identifiable information belonging to 6 million American patients. Since that letter, 16 systems, 31 million images and 1.5 million exam records were removed from the internet. However, I recently learned that a significant number of medical records belonging to servicemembers remain online. This information was discovered by the German researchers at Greenbone Networks, who accessed the information using German IP addresses; this itself should have triggered alarms by the hospital information security systems.

The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others. We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices. To better understand how this happened, I would like information about your organization’s oversight of the information security practices at military hospitals, particularly at Ft. Belvoir Medical Center and Womack Army Medical Center.

I ask that you immediately remediate this situation, and remove the vulnerable PACS from open access to the internet. To understand how these records have been exposed and accessed repeatedly by a German IP address, please also answer the following questions:

  1. Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
  2. Do you audit and monitor logs? 
  3. Do you require full-disk encryption and authentication for PACS?
  4. Do you require the hospitals to have a Chief Information Security Officer?
  5. Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.

Given the gravity of this issue, I would appreciate a response within two weeks.

Sincerely,

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE) announced two new bipartisan co-sponsors for their legislation to protect consumers from being tricked into giving away their personal data online. Sens. Amy Klobuchar (D-MN) and John Thune (R-SD), two senior members of the Senate Commerce Committee, have co-sponsored the Warner-Fischer legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data.

“Whether you bought Christmas gifts online, downloaded a new messaging app, or tried to navigate a major browser’s byzantine privacy settings, chances are you were a victim of a dark pattern. In fact, if you wanted to score that extra discount at checkout, these design tactics most likely manipulated you into handing over more than just your email address to get that deal,” said Sen. Warner. “I’m grateful to have the support of Sen. Klobuchar and Sen. Thune on this important bill to make sure Americans have more transparency about, and control over, their interactions online.”

“Nearly every time Americans use a new app on our smart phones or browse social media from our laptops, we run into dark patterns. These unethical tricks online platforms use as they battle to capture attention and manipulate users must be stopped. I am pleased to have expanded bipartisan support for this legislation that combats risks to consumer choice and privacy online,” said Sen. Fischer.

“Dark patterns are manipulative tactics used to trick consumers into sharing their personal data. These tactics undermine consumers’ autonomy and privacy, yet they are becoming pervasive on many online platforms,” said Sen. Klobuchar. “This legislation would help prevent the major online platforms from using such manipulative tactics to mislead consumers, and it would prohibit behavioral experiments on users without their informed consent.”

“We live in an environment where large online operators often deploy manipulative practices or ‘dark patterns’ to obtain consent to collect user data, so I’m glad this bill takes meaningful steps to advance consumer transparency,” said Sen. Thune. “I particularly applaud the provisions of this bill that require large online operators to be more transparent about when users are subject to behavioral or psychological research for the purpose of promoting engagement on their platforms. I want to thank Sens. Warner and Fischer for leading this effort, and I’m glad to join them and Sen. Klobuchar in cosponsoring this important legislation.”

The bipartisan Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative dark pattern behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. Specifically, the legislation:

  • Enables the creation of a professional standards body, which can register with the Federal Trade Commission (FTC), to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body, providing updated guidance to platforms on design practices that impair user autonomy, decision-making, or choice, positioning the FTC to act as a regulatory backstop.
  • Prohibits segmenting consumers for the purposes of behavioral experiments, unless with a consumer’s informed consent. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare. 
  • Prohibits user design intended to create compulsive usage among children under the age of 13 years old.
  • Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.

Sen. Warner has been raising concerns about the implications of social media companies’ reliance on dark patterns for several years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on News Feeds.

Sen. Warner is also recognized as one of Congress’ leading voices in an ongoing public debate around social media and user privacy. He has written and introduced a series of bipartisan bills designed to protect consumers and promote competition in social media. The Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act will require data harvesting companies such as social media platforms to tell consumers and financial regulators exactly what data they are collecting from consumers, and how it is being leveraged by the platform for profit. The Honest Ads Act will help prevent foreign interference in future elections and improve the transparency of online political advertisements. The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act is a bipartisan bill to encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) released the following statement after President Trump signed into law a bill sponsored by Sen. Warner to crack down on illegal robocall scams:

“The truth is, folks in Virginia and across the nation are sick and tired of receiving unsolicited robocalls at all hours of the day,” said Sen. Warner. “These calls are intrusive and often set up by scammers looking to prey on vulnerable individuals. I’m proud to have sponsored this legislation and am very excited to see it signed into law so that it can start giving individuals some peace of mind. Personally, I know I won’t miss these annoying robocalls, and I have a feeling other Virginians won’t either.”

The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act gives regulators more time to find scammers, increases civil forfeiture penalties for those who are caught, requires service providers to adopt call authentication and blocking, and brings relevant federal agencies and state attorneys general together to address impediments to criminal prosecution of robocallers who intentionally break laws. Sen. Warner sponsored the Senate version of the bill, which passed the Senate in a 97-1 vote in May 2019. After the House passed an amended version of the bill earlier this month, the Senate unanimously voted to send the bill to the President’s desk for signature on December 18.

The TRACED Act:

  • Broadens the authority of the Federal Communications Commission (FCC) to levy civil penalties of up to $10,000 per call on people who intentionally flout telemarketing restrictions.
  • Extends the window for the FCC to catch and take civil enforcement action against intentional violations to four years after a robocall is placed. Under current law, the FCC has only one year to do so, and the FCC has told the committee that “even a one-year longer statute of limitations for enforcement” would improve enforcement against violators.
  • Brings together the Department of Justice, FCC, Federal Trade Commission, Department of Commerce, Department of State, Department of Homeland Security, the Consumer Financial Protection Bureau, and other relevant federal agencies, as well as state attorneys general and other non-federal entities to identify and report to Congress on improving deterrence and criminal prosecution at the federal and state level of robocall scams.
  • Requires voice service providers to adopt call authentication technologies, enabling a telephone carrier to verify that incoming calls are legitimate before they reach consumers’ phones.
  • Directs the FCC to initiate a rulemaking to help protect subscribers from receiving unwanted calls or texts from callers.
  • Directs the FCC to initiate a rulemaking process to protect consumers from “one-ring” scams.
  • Requires the FCC to establish a working group to issue best practices to prevent hospitals from receiving illegal robocalls.


###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the Department of Health and Human Services (HHS) regarding a proposed rule by the Centers for Medicare and Medicaid Services (CMS) that would require CMS-funded health plans (including ACA marketplace plans) to allow patients to access their personal health information electronically through third-party consumer applications. In his letter, Sen. Warner urged HHS to include clear standards and defined controls for accessing patient data in order to address the potential for misuse of these interoperability features.

“In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information,” wrote Sen. Warner. “It is critical that there are proper safeguards in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.”

“Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users,” he continued. “As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used.”

Under the proposed Interoperability and Patient Access rule, CMS would require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through open application programming interfaces (APIs). APIs would allow third-party software applications to connect to, process, and make the data available to patients.

In the letter, Sen. Warner emphasized the importance of allowing patients to easily access their health information. He also noted the similarities between the proposed rule and the ACCESS Act – bipartisan legislation introduced by Sen. Warner that would promote market-based competition among social media platforms by requiring the largest social media companies to make user data portable, and their services interoperable, with other platforms. The ACCESS Act would also allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose. Additionally, Sen. Warner urged that, at a minimum, the final rule include the following standards:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Sen. Warner has been a longtime critic of poor cybersecurity practices that compromise Americans’ personal information. Last week, Sen. Warner raised concern with HHS’ failure to act, following a mass exposure of sensitive medical images and information by health organizations. In September, he wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.


The Honorable Alex M. Azar II

Department of Health and Human Services

Office of the Secretary

200 Independence Avenue, S.W.

Washington, D.C. 20201


Dear Secretary Azar:

I am writing regarding the proposed rule from the Centers for Medicare and Medicaid Services (CMS) on Interoperability and Patient Access that would enable third party consumer applications to access sensitive patient and health plan data through application programming interfaces (APIs) [1]. I share the goals of advancing interoperability in patient health information and believe that – implemented appropriately – this proposal could represent a significant step in that direction. However, I urge CMS to take additional steps to address the potential for misuse of these features in developing the rules around APIs. In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information.

Congress passed the 21st Century Cures Act (P.L. 114-255) with a key objective of improving the protected exchange of electronic health records across the care continuum. Notably, Sections 4003 and 4004 included specific provisions to establish a trusted health information exchange framework and reduce information blocking; it stated that there should be regulation over unreasonable practices to interfere with, prevent, or materially discourage access, exchange, or use of a patient’s electronic health records. While your agency has taken substantial steps to implement fundamental aspects of this legislation, it is critical that there are proper safeguards in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.

In your proposed rule CMS would specifically require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through an open application programming interface (API). Data should be made available through an API so that third party software applications can connect to, process, and make the data available to patients.

I agree that patients should have an ability to easily acquire their health information. The rule is in many ways consistent with bipartisan legislation I have introduced in Congress – the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, which requires our nation’s largest social media companies to make user data portable, and make their services interoperable with other platforms.

Common to both my bill and the proposed rule is a recognition that consumers should have a right to possess their data – and share it with authorized third parties that will protect it. Both proposals also seek to address the control over consumer data that incumbents wield, often to the detriment of new, innovative providers. Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users.

 As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used. Such standards in a final rule should include at a minimum:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Thank you for your consideration and your commitment to advancing interoperability to improve patient care. I believe the outline I have shared would strengthen and ensure the rule achieves its intended purpose. It is my hope and belief that we can achieve both a higher level of interoperability and patient access to their data, as well as strong protections for that information. I look forward to continued work with you on this important issue and our shared goals.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, today raised concern with the U.S. Department of Health and Human Services (HHS)’s failure to act, following a mass exposure of sensitive medical images and information by health organizations. In a letter to the HHS Director of the Office for Civil Rights, Sen. Warner identified this exposure as damaging to individual and national security, as this kind of information can be used to target individuals and to spread malware across organizations.

“I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it,” wrote Sen. Warner. “As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.”

“These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization,” he continued. “In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected.”

On September 17th, a report revealed that millions of Americans had their private medical images exposed online, due to unsecured picture archiving and communication servers (PACS) that utilize the Digital Imaging and Communications in Medicine (DICOM) protocol. Along with the medical images, these PACS also exposed the names and social security numbers of those affected, leaving this information open to anyone with basic computer expertise, as these required no authentication to access or download.

This exposure was uncovered by German researchers, who contacted the German Federal Office for Information Security (BSI). BSI then alerted the United States Computer Emergency Readiness Team (US-CERT), who confirmed the exposure and reached out to HHS. However, if they received this information, HHS has failed to act on it, even failing to list TridentUSA Health Services – one of the main companies responsible for the exposure – on its breach portal website.

In his letter to Director Roger Severino, Sen. Warner also raised alarm with the fact that TridentUSA Health Services successfully completed an HHS Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audit in March 2019, while patient images were actively accessible online.

Sen. Warner also posed the following questions for HHS regarding the incident, and its current cybersecurity requirements and procedures:

  1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
    1. If so, what actions were taken to address the issue?
  2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
    1. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits? 
  3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
  4. Please describe your information security audit process.
  5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that compromise Americans’ personal information. In September, Sen. Warner wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.

 

Mr. Roger Severino

Director, Office for Civil Rights

Department of Health and Human Services

200 Independence Ave SW

Washington, DC 20201

Dear Director Severino,

As the health care industry increasingly harnesses internet connectivity and software, including machine learning systems, to improve patient care, a long overdue focus on data privacy and information security has come into sharper focus. This is particularly evident in light of reports that sensitive medical records of potentially millions of Americans were recently exposed online – and that your agency has done little to address this issue. Prompting even greater concern, one of the companies that left the data exposed online also successfully completed one of your Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audits in March. I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it. As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients, without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.

On September 17th ProPublica published a shocking report that the sensitive medical images of millions of American patients were exposed online through unsecured picture archiving and communication servers (PACS) that utilize the Digital Imaging and Communications in Medicine (DICOM) protocol. The publicly-accessible information that had been accessed from Germany included MRIs, X-rays, and CT scans, as well as names and social security numbers of the patients. The 13.7 million images found on the internet required absolutely no authentication to access or download. As of writing this letter, there are 779 million image records attached to 21.6 million patient records, impacting an estimated 5 million patients in 22 states. The largest system accessed holds 61 million diagnostic images attached to 1.23 million exam records of American patients and remains available on the internet.

In late August, German researchers initiated an investigation to determine the global accessibility and remote access capabilities of PACS. On September 9th, the researchers concluded their two-week inquiry and submitted their findings to the German Federal Office for Information Security (BSI). By September 17th, BSI had addressed the affected systems, which were removed from the internet prior to the publishing of the ProPublica report.

After US-CERT was notified of the problem by BSI, US-CERT contacted the German researchers at Greenbone Networks, confirming they received the data on September 20th. US-CERT stated the agency would convey the information to the U.S. Department of Health and Human Services (HHS). According to the researchers, however, there has been no further communication from US-CERT or HHS, even though data privacy authorities from other countries like France and the UK contacted Greenbone Networks following the publication of ProPublica’s report.

On September 23rd, I wrote to TridentUSA Health Services expressing my concern regarding the issues raised in the ProPublica report, and pointed out that MobilexUSA, a TridentUSA Health Services affiliate, was identified as controlling one of the unsecured PACS. On October 15th, the German researchers demonstrated to my office that a number of US-based PACS have open ports, support unencrypted communications protocols, and expose to the internet images like chest X-rays and mammograms, along with identifying details like names and social security numbers. Those images and medical records continue to be accessible.

These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected. The researchers who discovered the flaw in the DICOM protocol were able to use a polyglot file, which can contain more than one stream of data with different file formats, and hide the malicious code in the scan. In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization.

In their response to my letter, TridentUSA Health Services noted that they successfully completed the Department of Health and Human Services audits, confirming compliance with the HIPAA Security Rule, the last of which concluded in March 2019, while patient images were accessible online.

While the information security lapses by the medical companies using the PACS are clear, it is unclear how your agency has addressed this issue. As of the writing of this letter, TridentUSA Health Services is not included on your breach portal website, and I have seen no evidence that, once contacted by US-CERT, you acted on that information in any meaningful way.

To understand how such an enormous oversight in your organization has allowed medical companies to leave insecure ports open to the internet and to be accessed repeatedly by a German IP address, I ask that you answer the following questions:

1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
    a. If so, what actions were taken to address the issue?
2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
    a. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?
3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
4. Please describe your information security audit process.
5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

The American people deserve to have their sensitive private information protected and their government held accountable for enforcing the rules in place to keep that information private. I hope that you will share what immediate actions you are taking, along with answering the questions above. I look forward to hearing your response no later than November 18, 2019.

Sincerely,
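The polyglot risk the letter above describes rests on a property of the DICOM file format: a DICOM Part 10 file opens with a 128-byte free-form preamble, followed by the four bytes "DICM", and readers ignore whatever the preamble holds. A defender can therefore scan incoming studies for preambles that begin with an executable or document signature and zero the preamble before the file enters the archive. The Python below is an added example written for this page, not code from the Senator's office, ProPublica, or the researchers cited; the file images it checks are constructed in the block (header bytes only, no real image or executable).

```python
"""Flag and neutralise foreign headers hidden in a DICOM Part 10 preamble.

Added example for this page; the sample file images below are constructed.
"""
from pathlib import Path

DICM_OFFSET = 128          # DICOM Part 10: 128-byte preamble, then "DICM"
DICM_MAGIC = b"DICM"
HEADER_LEN = DICM_OFFSET + len(DICM_MAGIC)   # only these bytes need reading

# Signatures of formats that have no business at the start of a preamble.
# The standard leaves the preamble free-form (usually all zeros), which is
# exactly what lets a PE/ELF/PDF header coexist with a valid DICOM body.
SUSPICIOUS_PREAMBLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container",
    b"#!": "script shebang",
}


def inspect_preamble(data: bytes) -> dict:
    """Classify the first 132 bytes of a file image.

    Verdicts: too-short, not-dicom-part10, polyglot-suspect, nonzero-preamble,
    clean. A nonzero preamble is only a warning: dual-format TIFF/DICOM
    whole-slide images legitimately carry a TIFF header there.
    """
    if len(data) < HEADER_LEN:
        return {"dicom": False, "verdict": "too-short", "detail": None}
    if data[DICM_OFFSET:HEADER_LEN] != DICM_MAGIC:
        return {"dicom": False, "verdict": "not-dicom-part10", "detail": None}
    preamble = data[:DICM_OFFSET]
    for magic, name in SUSPICIOUS_PREAMBLE_MAGIC.items():
        if preamble.startswith(magic):
            return {"dicom": True, "verdict": "polyglot-suspect", "detail": name}
    if any(preamble):                      # any byte other than 0x00
        return {"dicom": True, "verdict": "nonzero-preamble", "detail": None}
    return {"dicom": True, "verdict": "clean", "detail": None}


def sanitize_preamble(data: bytes) -> bytes:
    """Return a copy with the preamble zeroed.

    DICOM readers ignore the preamble, so the study is unchanged, but any
    foreign header that made the file a polyglot is destroyed. A production
    pipeline should still re-parse the result with a real DICOM library.
    """
    if not inspect_preamble(data)["dicom"]:
        raise ValueError("not a DICOM Part 10 file")
    return b"\x00" * DICM_OFFSET + data[DICM_OFFSET:]


def scan_path(path: Path) -> dict:
    """Inspect a file on disk, reading only the 132-byte header (studies can
    be hundreds of megabytes; the body is irrelevant to this check)."""
    with path.open("rb") as fh:
        return inspect_preamble(fh.read(HEADER_LEN))


# Constructed samples: a minimal File Meta element (0002,0000) UL follows
# "DICM" so the bytes after the preamble look like a real Part 10 header.
_META = b"\x02\x00\x00\x00" + b"UL" + b"\x04\x00" + b"\x00\x00\x00\x00"
CLEAN_SAMPLE = b"\x00" * DICM_OFFSET + DICM_MAGIC + _META
# Constructed polyglot-style header: a PE signature at offset 0, then zeros.
POLYGLOT_SAMPLE = b"MZ" + b"\x00" * (DICM_OFFSET - 2) + DICM_MAGIC + _META


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("polyglot", POLYGLOT_SAMPLE)):
        print(label, inspect_preamble(sample))
    print("after sanitize:", inspect_preamble(sanitize_preamble(POLYGLOT_SAMPLE)))
```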

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Josh Hawley (R-MO) and Richard Blumenthal (D-CT) will introduce the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, bipartisan legislation that will encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.

“Social media has enormous benefits. But, as we've seen, the tremendous dominance of a handful of large platforms also has major downsides – including few options for consumers who want to use social media to connect with friends, store their photos or just watch cat videos, but who face a marketplace with just a few major players and little in the way of real competition,” said Sen. Warner, a former technology entrepreneur and venture capitalist. “As a former cell phone guy, I saw what a game-changer number portability was for that industry. By making it easier for social media users to easily move their data or to continue to communicate with their friends after switching platforms, startups will be able to compete on equal terms with the biggest social media companies. And empowering trusted custodial companies to step in on behalf of users to better manage their accounts across different platforms will help balance the playing field between consumers and companies. In other words – by enabling portability, interoperability, and delegatability, this bill will help put consumers in the driver’s seat when it comes to how and where they use social media.”

“Your data is your property. Period. Consumers should have the flexibility to choose new online platforms without artificial barriers to entry. This bill creates long-overdue requirements that will boost competition and give consumers the power to move their data from one service to another,” said Sen. Hawley.

“The exclusive dominance of Facebook and Google have crowded out the meaningful competition that is needed to protect online privacy and promote technological innovation. As we learned in the Microsoft antitrust case, interoperability and portability are powerful tools to restrain anti-competitive behaviors and promote innovative new companies. The bipartisan ACCESS Act would empower consumers to finally stand up to Big Tech and move their data to services that respect their rights,” said Sen. Blumenthal.

Online communications platforms have become vital to the economic and social fabric of the nation, but network effects and consumer lock-in have entrenched a select number of companies’ dominance in the digital market and enhanced their control over consumer data. The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act would increase market competition, encourage innovation, and increase consumer choice by requiring large communications platforms (products or services with over 100 million monthly active users in the U.S.) to:

  • Make their services interoperable with competing communications platforms.
  • Permit users to easily port their personal data in a structured, commonly used and machine-readable format.
  • Allow users to delegate trusted custodial services, which are required to act in a user’s best interests through a strong duty of care, with the task of managing their account settings, content, and online interactions. 

“One very real nightmare scenario for the future of the internet is users facing a meaningless choice among a few fully-integrated silos of technology, and the end of independent innovation and creativity. We all need to prevent that from happening. This legislation could help us take a huge step forward towards a better internet future,” said Chris Riley, Director of Public Policy at the Mozilla Corporation.

“Markets work when consumers have a choice and know what's going on. The ACCESS Act is an important step toward reestablishing this dynamic in the market for tech services. We must get back to the conditions that make markets work: when consumers know what they give a firm and what they get in return; and if they don't like the deal, they can take their business elsewhere. By giving consumers the ability to delegate decisions to organizations working on their behalf, the ACCESS Act gives consumers some hope that they can understand what they are giving up and getting in the opaque world that the tech firms have created. By mandating portability, it also gives them a realistic option of switching to another provider,” said Paul Romer, New York University Professor of Economics and Nobel Prize winner in Economics.

“We’re thrilled to see a concrete legislative proposal to provide interoperability for consumers. Built on a solid foundation of privacy and security protections, interoperability enables users to communicate across networks promoting competition among social media platforms. Interoperability ensures that users benefit from increased competition, and it helps new competitors grow by reaching users that are locked-in to their current provider. Senator Warner’s interoperability bill lays out an excellent, practical framework for making interoperability a reality while preserving a role for states to go even further,” said Charlotte Slaiman, Senior Policy Counsel at Public Knowledge.

“All of us at USV believe in decentralized, emergent, market driven innovation. The shared communications infrastructure of the open Internet and a vibrant competitive market triggered the Cambrian explosion of new Web services we all now enjoy. But today, a small number of companies capitalize on their exclusive control over our data - the data we contribute as we interact with their services - to dominate markets, stifling competition and limiting consumer choice. While this is widely understood, most policy makers propose prescriptive regulation that would only further entrench the dominant platforms. The ACCESS Act targets the specific market failure - exclusive control over consumer data - that has led to the consolidation of market power on the Web. Ensuring that consumers have access to their data is an elegant way to restore competition without burdensome regulation,” said Brad Burnham, Partner and Co-Founder at Union Square Ventures.

Previously, Sens. Warner and Hawley have partnered on the DASHBOARD Act, legislation to require data harvesting companies such as social media platforms to disclose how they are monetizing consumer data, as well as the Do Not Track Act, which would allow users to opt out of non-essential data collection, modeled after the Federal Trade Commission’s (FTC) “Do Not Call” list. 

A section-by-section summary of the bill is available here. Bill text is available here.

###

 

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Marco Rubio (R-FL), member of the Senate Select Committee on Intelligence, have expressed concern over the growing threat posed by deepfakes – sophisticated audio and video technologies that allow users to create fake audio and/or video files that falsely depict someone saying or doing something. In letters to 11 social media companies, including Facebook, Twitter, and YouTube, Sens. Warner and Rubio urged the platforms to develop industry standards for sharing, removing, archiving, and confronting the sharing of synthetic content as soon as possible, in light of foreign threats to the upcoming U.S. election. The letters also encouraged the platforms to develop clear policies to ensure their platforms are not exploited to spread disinformation or misinformation, including through authenticating media, labeling and archiving synthetic media content, and providing access to qualified outside researchers.

“As concerning as deepfakes and other multimedia manipulation techniques are for the subjects whose actions are falsely portrayed, deepfakes pose an especially grave threat to the public’s trust in the information it consumes; particularly images, and video and audio recordings posted online,” wrote the Senators. “If the public can no longer trust recorded events or images, it will have a corrosive impact on our democracy.”

“Despite numerous conversations, meetings, and public testimony acknowledging your responsibilities to the public, there has been limited progress in creating industry-wide standards on the pressing issue of deepfakes and synthetic media,” they continued. “Having a clear strategy and policy in place for authenticating media, and slowing the pace at which disinformation spreads, can help blunt some of these risks.  Similarly, establishing clear policies for the labeling and archiving of synthetic media can aid digital media literacy efforts and assist researchers in tracking disinformation campaigns, particularly from foreign entities and governments seeking to undermine our democracy.”

Deepfake technologies allow users to superimpose existing images and videos onto unrelated images or videos, essentially giving users the ability to create false and defamatory content that can be easily spread on social media.

In their letters to Facebook, Twitter, YouTube, Reddit, LinkedIn, Tumblr, Snapchat, Imgur, TikTok, Pinterest, and Twitch, the Senators emphasized that more than two-thirds of Americans get their news from social media sites, and stressed that online media platforms must assume a heightened responsibility for safeguarding public confidence. They also posed the following series of questions about each company’s ability to prevent, detect, and address deepfakes and other synthetic media:

  1. What is your company’s current policy regarding whether users can post intentionally misleading, synthetic or fabricated media?
  2. Does your company currently have the technical ability to detect intentionally misleading or fabricated media, such as deepfakes? If so, how do you archive this problematic content for better re-identification in the future?
  3. Will your company make available archived fabricated media to qualified outside researchers working to develop new methods of tracking and identifying such content?  If so, what partnerships does your company currently have in place?  Will your company maintain a separate, publicly accessible archive for this content?
  4. If the victim of a possible deepfake informs you that a recording is intentionally misleading or fabricated, how will your company adjudicate those claims or notify other potential victims?
  5. If your company determines that a media file hosted by your company is intentionally misleading or fabricated, how will you make clear to users that you have either removed or replaced that problematic content?
  6. Given that deepfakes may attract views that could drive algorithmic promotion, how will your company and its algorithms respond to, and downplay, deepfakes posted on your platform?
  7. What is your company’s policy for dealing with the posting and promotion of media content that is wholly fabricated, such as untrue articles posing as real news, in an effort to mislead the public? 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the CEO of TridentUSA Health Services today to ask about the company’s data security practices as they relate to Health Insurance Portability and Accountability Act (HIPAA) compliance. The letter comes in light of a report that MobileXUSA – an affiliate of TridentUSA Health Services – left an unencrypted server online, exposing the medical data of millions of Americans.

“It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices— no software vulnerabilities were involved, and no explicit hacking was required,” wrote Sen. Warner. “While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.”

According to recent reports, many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. As part of the report, researchers identified 187 servers in the U.S. – including that of MobileXUSA – that were unprotected by passwords or basic security precautions.

In the letter to TridentUSA Health Services, Sen. Warner stressed the importance of protecting Americans’ privacy and personal health information. He also posed the following questions for TridentUSA Health Services:

  1. HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant? 
  2. PAC server vulnerabilities are well known; however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls?
  3. What are your identity and access management controls for IP addresses and/or port filters?
  4. Do you require VPN or SSL to communicate with your PACS?
  5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
  6. What are your server encryption practices?
  7. Do you have an internal security team or do you outsource it?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that have led to the compromise of Americans’ personal information. Last week, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. He also introduced legislation earlier this year to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.

 

Andrei Soran, CEO

TridentUSA Health Services

930 Ridgebrook Rd.

Sparks Glencoe, MD 21152

Dear Mr. Soran,

It has come to my attention that one of your affiliated companies, MobileXUSA, recently left an unencrypted server online, exposing sensitive medical images and health data of Americans. According to recent reporting, researchers found that 13.7 million data sets and 303.1 million images in medical image storage systems were freely accessible online with no authentication requirements to access or download the images. This left the MRIs, X-rays, and CT scans of millions of Americans exposed on the internet, not because of a breach, but simply because they were stored on 187 unprotected picture archiving and communication servers (PACS) including yours. Additionally, along with the sensitive medical images, according to the research, your server displayed the names of more than a million patients.

My colleagues and I in the Senate have been concerned about negligent cybersecurity practices in the health care space for a long time. Cybersecurity risks within the health care sector represent a growing threat, with 285 breaches reported between January and June of this year.  According to one report, there has been at least one healthcare-related data breach a day since 2016.  Just recently, the Senate Cybersecurity Caucus, of which I am a co-founder, convened a briefing that focused on healthcare and cybersecurity, particularly on the security of healthcare records which further highlighted the need for more robust cyber hygiene practices, and possibly additional standards.

It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices— no software vulnerabilities were involved, and no explicit hacking was required. While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.

To better understand how exactly millions of private medical scans were left open on the internet, I would appreciate your answers to the following questions:  

  1. HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant? 
  2. PAC server vulnerabilities are well known; however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls?
  3. What are your identity and access management controls for IP addresses and/or port filters?
  4. Do you require VPN or SSL to communicate with your PACS?
  5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
  6. What are your server encryption practices?
  7. Do you have an internal security team or do you outsource it?

It is critical that the privacy of the individual – including their personal health information – is appropriately protected. I look forward to hearing your response by October 9th, 2019. Any further questions can be directed to Leisel Bogan in my office at Leisel_Bogan@warner.senate.gov.

Sincerely,

###

 

WASHINGTON – U.S. Sens. Mark R. Warner and Tim Kaine (D-VA) are urging the Consumer Product Safety Commission (CPSC) to launch a public safety campaign to educate the public about the dangers of beach umbrellas. The popular beach accessories can quickly become hazards when propelled by wind through the air, as has happened on several occasions in recent years, as in 2016, when Lottie Michelle Belk was struck in the torso and killed while vacationing in Virginia Beach with her family. Last month, a toddler was nearly impaled by a flying beach umbrella in North Myrtle Beach, S.C.

Today’s letter to Acting CPSC Chairwoman Ann Marie Buerkle is a follow-up to one the Senators sent in May along with Sens. Bob Menendez and Cory Booker (both D-NJ) regarding the documented safety risks posed by beach umbrellas. In a June response, the CPSC noted that an estimated 2,800 beach umbrella-related injuries were treated in emergency departments nationwide from 2010 to 2018. Despite that, the CPSC also noted that it currently does not regulate the safety of beach umbrellas and is unaware of any voluntary standards specifically for beach umbrellas. Today, the four lawmakers urged the U.S. Consumer Product Safety Commission (CPSC) to take more aggressive action to protect beachgoers from the dangers of wind-swept beach umbrellas that can cause serious injury or even death.

“As Americans flock to the beach this summer season, we believe it is imperative that the CPSC ensure that a day at the beach isn’t turned into a day at the emergency room,” the Senators wrote.  

The lawmakers mentioned other notable CPSC public education campaigns that have proven successful in changing people’s behavior and encouraging greater precaution. Specifically, they pointed to the 2010 “Safe Sleep Campaign” to educate parents and caregivers about how best to make nurseries safe; the 2015 “Anchor It!” campaign to warn of the dangers of furniture tip-overs; the annual July 4th fireworks safety campaign; and a 2017 alert to the public of fidget spinner choking hazards.  

The Senators also pressed CPSC on whether it has considered the efficacy of a weighted system or other safety measures that could be taken to reduce the risk of umbrellas becoming airborne and endangering beach-goers.                                               

Full text of the letter is below and a copy can be found here.

 

July 29, 2019

Ann Marie Buerkle

Acting Chair, U.S. Consumer Product Safety Commission

4330 East West Highway

Bethesda, MD 20814

Dear Chairman Buerkle,

We write in the wake of your June 7, 2019 response to our May 2, 2019 letter regarding the documented safety risks posed by beach umbrellas. Your letter stated that, over the nine-year period from 2010-2018, an estimated 2,800 people sought treatment in emergency rooms for injuries related to beach umbrellas. A majority of those injuries were caused by a wind-blown beach umbrella. As we noted in our letter, unsafe beach umbrellas have even proved fatal to our constituents. 

As Americans flock to the beach this summer season, we believe it is imperative that the CPSC ensure that a day at the beach isn’t turned into a day at the emergency room. To that end, we write to specifically ask that the Consumer Product Safety Commission (CPSC) launch a public safety campaign to educate the public about the dangers of beach umbrellas. In addition, we write with additional follow-up questions regarding whether the Commission considered the efficacy of certain design or technical changes to beach umbrellas.

As your letter acknowledges, there is currently no CPSC-led public education campaign on the dangers of beach umbrellas. Yet, a July 6, 2019 tweet and Instagram post from the CPSC’s social media accounts remind consumers to properly stake their beach umbrellas.  We were pleased to see the CPSC take the issue of beach umbrella safety seriously. Notably, your June 7 letter states: “CPSC technical staff believes that an information sheet on the potential hazards could be developed.” We agree, and formally request that the CPSC develop safety and educational resources for the public. As you know, the CPSC has a history of such public safety campaigns.

In 2010, the CPSC implemented the “Safe Sleep Campaign” in part to “educate parents and caregivers about the most effective ways to make a nursery safe.” In 2015, the CPSC launched “Anchor It!”, a national public safety campaign to educate the public about the dangers of furniture tip-overs. In addition, every July 4th the CPSC reminds the public of the dangers of fireworks. In August 2017, the CPSC went so far as to warn the public of the dangers of fidget spinners, stating that the popular toys pose a choking hazard. Surely, the dangers of a beach umbrella turned flying spear – and the large number, and often gruesome nature, of these incidents – warrant the attention of the Commission.

Your June 7 letter stated that “[t]echnical staff does not believe a safety standard would have a substantial effect on injuries from beach umbrellas incidents.” The letter states that the CPSC considered requiring a performance standard, requiring umbrellas to “contain venting”, the development of a staking requirement, and the development of a warning label system. Your letter does not however indicate whether the CPSC considered the efficacy of a weighted system, or any other alternative system options. To that end, we request responses to the following questions:

1. Has the CPSC considered whether a weighted system or another alternative, could best mitigate the risk of a wind-blown beach umbrella?

2. What information would factor into a decision as to whether the CPSC would recommend a weighted system or an additional or alternative safety feature for beach umbrellas?

3. Is the CPSC aware of any instance where an umbrella secured with a weighted system caused an injury?

We appreciate CPSC’s willingness to consider this issue and look forward to hearing back from you by August 30, 2019. Should you have further questions please contact Shelby Boxenbaum in Senator Menendez’s office at 202-224-4744.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Banking Committee, issued the following statement after regulators and the credit bureau Equifax reached a $700 million settlement over a 2017 data breach that compromised the personal information of more than 145 million Americans:

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”

Sen. Warner is the leading sponsor along with Sen. Elizabeth Warren (D-MA) of legislation that would hold Equifax and other credit reporting agencies (CRAs) accountable for data breaches. The Data Breach Prevention and Compensation Act would provide robust compensation to consumers for stolen data, impose mandatory penalties on CRAs for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs. Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information.

Companion legislation is sponsored in the House of Representatives by Reps. Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL).

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) issued the following statement regarding the Federal Trade Commission’s reported decision to approve a $5 billion settlement with Facebook for violating a 2011 consent decree requiring the company to enact privacy reforms:  

“Given Facebook’s repeated privacy violations, it is clear that fundamental structural reforms are required. With the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it’s time for Congress to act.”

Last year, Sen. Warner called on the social media companies to work with Congress and provide feedback on ideas he put forward in a white paper discussing potential policy solutions to challenges surrounding social media, privacy, and data security. He has introduced several bipartisan bills to improve transparency, privacy, and accountability on social media. The Honest Ads Act, introduced with Sens. Amy Klobuchar (D-MN) and Lindsey Graham (R-SC), would prevent foreign actors from influencing our elections by ensuring that political ads sold online are covered by the same rules as ads sold on TV, radio, and satellite. The DETOUR Act, introduced in April with Sen. Deb Fischer (R-NE), would prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data. The most recent bill, the DASHBOARD Act, was introduced weeks ago with Sen. Josh Hawley (R-MO), and would require data harvesting companies such as social media platforms to tell consumers and financial regulators exactly what data they are collecting from consumers, and how it is being leveraged by the platform for profit.

Sen. Warner plans to introduce additional legislation in the coming weeks.

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and Josh Hawley (R-MO) will introduce the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act, bipartisan legislation that will require data harvesting companies such as social media platforms to tell consumers and financial regulators exactly what data they are collecting from consumers, and how it is being leveraged by the platform for profit.

“For years, social media companies have told consumers that their products are free to the user. But that’s not true – you are paying with your data instead of your wallet,” said Sen. Warner. “But the overall lack of transparency and disclosure in this market have made it impossible for users to know what they’re giving up, who else their data is being shared with, or what it’s worth to the platform. Our bipartisan bill will allow consumers to understand the true value of the data they are providing to the platforms, which will encourage competition and allow antitrust enforcers to identify potentially anticompetitive practices.”

“When a big tech company says its product is free, consumers are the ones being sold. These 'free' products track everything we do so tech companies can sell our information to the highest bidder and use it to target us with creepy ads,” said Sen. Hawley. “Even worse, tech companies do their best to hide how much consumer data is worth and to whom it is sold. This bipartisan legislation gives consumers control of their data and will show them how much these 'free' services actually cost.”

As user data increasingly represents one of the most valuable, albeit intangible, assets held by technology firms, shining light on how this data is collected, retained, monetized, and protected, is critical. The DASHBOARD Act will:

  • Require commercial data operators (defined as services with over 100 million monthly active users) to disclose types of data collected as well as regularly provide their users with an assessment of the value of that data.
  • Require commercial data operators to file an annual report on the aggregate value of user data they’ve collected, as well as contracts with third parties involving data collection.
  • Require commercial data operators to allow users to delete all, or individual fields, of data collected – and disclose to users all the ways in which their data is being used, including any uses not directly related to the online service for which the data was originally collected.
  • Empower the SEC to develop methodologies for calculating data value, while encouraging the agency to facilitate flexibility to enable businesses to adopt methodologies that reflect the different uses, sectors, and business models.

The DASHBOARD Act is the second tech-focused bill Hawley and Warner have partnered on. The first was Hawley’s Do Not Track Act, which would be modeled after the Federal Trade Commission’s (FTC) “Do Not Call” list and allow users to opt out of non-essential data collection.

A section-by-section summary of the bill is available here. Bill text is available here.

 

###

 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) has introduced several amendments to the annual defense authorization bill, including one that would build on his legislation, Ensuring Safe Housing for Our Military Act, most of which was included in the base text, by adding additional measures to improve privatized military housing.

Following reports of health hazards in privatized military housing in bases across the Commonwealth and the country, Sen. Warner has advocated on behalf of servicemembers and their families, and recently introduced an amendment to establish an advisory group to help the Department of Defense strengthen accountability and oversight in military housing. The amendment was offered in the FY20 National Defense Authorization Act (NDAA), the legislative vehicle that provides support for our servicemembers and sets the national security priorities for the United States.

“Servicemembers and their families sacrifice so much for this country. That’s why we’ve got to make things right for military families who, too often, have been subjected to subpar and sometimes dangerous living conditions. This includes making sure that the health and well-being of our nation’s servicemembers and their families are part of our national security priorities,” said Sen. Warner.

The amendment would also require the Secretaries of the Navy, Air Force, and Army to issue standard mold assessments, remediations, and procedures in their agreements with privatized housing companies. Sens. Tim Kaine (D-VA) and Dianne Feinstein (D-CA) joined Sen. Warner in introducing the amendment, which comes on the heels of Sen. Warner’s letter to Acting Secretary of Defense Patrick Shanahan, urging the Department of Defense (DoD) to establish an advisory group to address the prevalent health and environmental hazards in privatized military housing.

To protect U.S. innovation and combat technology threats, Sen. Warner filed a bipartisan amendment with Sen. Marco Rubio (R-FL) to establish an Office of Critical Technologies within the Executive Office of the President. The office would be responsible for coordinating a whole-of-government approach to protect the U.S. from state-sponsored technology theft and risks to critical supply chains. The amendment is based on the bipartisan legislation introduced by Sens. Warner and Rubio that would combat technology threats from China. Sen. Warner also introduced a bipartisan amendment with Sen. Crapo to strengthen the intelligence support to protect our supply chain from growing adversary threats.

“In the 20th century, the U.S. pioneered many groundbreaking technological advancements, and today, countries like China are using every tool in their arsenal to try to diminish U.S. leadership, set the standards for technologies like 5G, and dominate key technologies. In order to confront this challenge, the United States must push forward a coherent strategy to protect our technological edge and preserve American leadership,” continued Sen. Warner.

In a move to further defend national security and respond to emerging cyber-threats, Sen. Warner also introduced a series of amendments that would revamp the security clearance process, assess cyber threat detection and encourage the DoD to work with the Federal Communications Commission (FCC) to identify new spectrum for reallocation for 5G services.

“To ensure the U.S. can hire trusted professionals to tackle the emerging threats in cyber and technology, we must modernize our outdated security clearance system. While we’ve already seen an encouraging drop in individuals waiting on a background check, there is still more work to be done,” concluded Sen. Warner. 

The security clearance reform language is based on legislation introduced by Vice Chair Warner, and unanimously approved in the Intelligence Authorization Act (IAA) for Fiscal Years 2018-2020. Text for the cyber threat assessment amendment can be found here.

Sen. Warner also introduced amendments to improve the quality of information submitted in background investigation requests, ensure DoD has the funding flexibility to perform the personnel vetting mission, and ensure the new Defense Counterintelligence and Security Agency adequately protects the millions of pieces of personally identifiable information it will hold as the government’s primary investigative service provider.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), a former technology entrepreneur and venture capitalist, joined Sen. Josh Hawley (R-MO) in co-sponsoring the Do Not Track Act, bipartisan legislation to give control over personal data back to users. Similar to the national “Do Not Call” list, the Do Not Track Act gives every person the power to block online companies from collecting any data beyond what is necessary for the companies’ online services.

“Unfortunately, as our technology continues to evolve, so do the avenues for consumer exploitation,” said Sen. Warner. “In the age of the internet, user information is an incredibly valuable asset and Americans deserve to have more control over who can collect it and how they can use it. This legislation will give power back to users and allow them to decide who can and cannot access their private data.”

“Big tech companies collect incredible amounts of deeply personal, private data from people without giving them the option to meaningfully consent. They have gotten incredibly rich by employing creepy surveillance tactics on their users, but too often the extent of this data extraction is only known after a tech company irresponsibly handles the data and leaks it all over the internet. The American people didn't sign up for this, so I'm introducing this legislation to finally give them control over their personal information online,” said Sen. Hawley.

The sheer enormity of data big tech companies extract, and the unscrupulous ways they use that data, is distressing. These companies track user locations and spy on their internet history – even when they are told not to. In March, a senior official at Google admitted, under oath, that Google still tracks a user’s geolocation hundreds of times a day even after that person turns off “location history.” Facebook even collects data on people who don’t have a Facebook account. These companies and others exploit this harvested data to build massive profiles on users and then rake in hundreds of billions of dollars monetizing that data.

For years, industry groups promoted a program called “Do Not Track” to give users control, and the FTC endorsed the program in 2010. However, the program was voluntary, and tech giants that built their businesses around exploiting data refused to voluntarily comply. This bill would give Do Not Track legal force and expand it to cover all internet activity, not just browser-based activity. It would do this by:

  • Creating a program similar to the national Do Not Call list that gives every person the power, at a touch of a button, to block online companies from collecting any data beyond what is indispensable to the companies’ online services.
  • Prohibiting companies from profiling Americans who activate Do Not Track.
  • Banning discrimination against people who activate Do Not Track.
  • Banning companies from transferring data to other companies when a user activates Do Not Track unless the first company is an intended intermediary.
  • Forcing internet companies to disclose to users their rights under this legislation.
  • Imposing strict penalties for violating these provisions.

Under the Do Not Track Act, users would have several options to enroll, including a one-time click in the settings on their browser or downloading a simple app.

###

 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote today to the CEO of Quest Diagnostics, asking for information on the company’s supply chain management and cybersecurity practices after the company reported on Monday that the information of approximately 11.9 million Quest patients may have been compromised as a result of a breach of a system used by one of Quest’s contractors.

“While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach,” Sen. Warner wrote in his letter to Stephen Rusckowski, Chairman, President and CEO of Quest Diagnostics.

Earlier this year, Sen. Warner sent letters to multiple health care associations and government agencies including the Food and Drug Administration, Department of Health and Human Services, Centers for Medicare and Medicaid Services, and National Institute of Standards and Technology, seeking more information about steps being taken to reduce cyber vulnerabilities in the health care industry, which has become a growing target for cyberattackers. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care sector, and conveyed his desire to work alongside stakeholders to develop strategies that strengthen information security.

In today’s letter to Quest, Sen. Warner asked the company to provide additional information regarding the breach and the company’s processes for selecting and monitoring sub-contractors and vendors.

The full text of the letter appears below. A copy of the letter is available here.

 

Mr. Stephen H. Rusckowski

Chairman, President and Chief Executive Officer

Quest Diagnostics                  

500 Plaza Drive          

Secaucus, NJ 0709

Dear Mr. Rusckowski,

On Monday June 3rd it was publicly reported that the data of an estimated 11.9 million of your customers were exposed by one of your bill collection vendors, American Medical Collection Agency (ACMA). According to your SEC filing, between August 1st 2018 and March 30th 2019, an unauthorized user had access to American Medical Collection Agency’s systems and data that included credit card numbers and bank account information, medical information, and other sensitive personal information like social security numbers. A statement by ACMA noted that the company was made aware of the breach by a security compliance firm that works with credit card companies. An internal review was then conducted by ACMA, which took down the web payments page, and notified law enforcement.

While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach.  One set of major vendor breaches in the last year was caused by a third-party administrator for health insurance companies, and impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.

In February of this year I queried a number of health care stakeholders seeking input on how we might improve cybersecurity in the health care industry. As I work with stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector, I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies, and what you plan to do about your other vendors, given the vulnerability and information security failures of this one.

Having long been an advocate for transparency and reporting of data breach information, I commend your reporting and handling of the breach notification, but I am still concerned with the third party evaluation and monitoring process.

To gain a better understanding of this situation, I would appreciate answers to the following questions:

1. Please describe your third-party vendor information security vetting process.

2. If you secure a contract with a third party to collect information from your customers, do you have a process for evaluating the standards used by that entity, the sub-supplier, to secure their information systems?

3. What are your third-party vendor security and risk assessment requirements?

4. What are your third-party requirements for how customer information is processed and stored?

5. What are your third-party vendor requirements for data encryption?

6. How are you ensuring that your other third-party vendors like ACMA are not similarly vulnerable to point-of-sale malware or other information security vulnerabilities?

Thank you for your attention to this important issue. I look forward to your response in the next two weeks.

Sincerely,

Mark R. Warner

United States Senator

 

###

WASHINGTON, D.C. — Today, the Senate overwhelmingly passed bipartisan legislation cosponsored by U.S. Senators Mark R. Warner and Tim Kaine to crack down on illegal robocall scams. The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act gives regulators more time to find scammers, increases civil forfeiture penalties for those who are caught, requires service providers to adopt call authentication and blocking, and brings relevant federal agencies and state attorneys general together to address impediments to criminal prosecution of robocallers who intentionally break laws.

“Americans are sick and tired of receiving fraudulent robocalls,” said the Senators. “We are proud the Senate passed this bill to help protect consumers from scams and ensure those behind these illegal robocalls are held accountable.”

One report estimated the number of spam calls will grow from nearly 30 percent of all phone calls last year to 45 percent of all calls this year. The TRACED Act gives the FCC more flexibility to enforce rules in the short term, while setting in motion consultations to increase prosecutions of violations, which often require international cooperation. 

The bill now heads to the House for consideration.

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Elizabeth Warren (D-MA), along with Reps. Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL), reintroduced legislation today to hold large credit reporting agencies (CRAs) – including Equifax – accountable for data breaches involving sensitive consumer data. The Data Breach Prevention and Compensation Act will provide robust compensation to consumers for stolen data, impose mandatory penalties on CRAs for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs.

“It’s been nearly two years since hackers accessed the personal information of more than 143 million Americans, yet thousands of individuals continue to grapple with the effects of this massive breach,” said Sen. Warner. “As personal data becomes more and more valuable in today’s information economy, and the scale and impact to consumers of mega-breaches increase, there needs to be increased consequences for companies like Equifax that mishandle or neglect to properly safeguard consumer data. By imposing strict penalties for data breaches and facilitating compensations for affected Americans, this legislation will increase accountability and help ensure that credit reporting agencies actively prioritize the security of sensitive consumer information.”

“It's been over a year and a half since Equifax opened the doors to hackers who stole the personal data of more than half the adults in the country, and this new report shows that Equifax still has a long way to go to fix the problem it created,” said Sen. Warren. “Our bill, which would hold companies like Equifax accountable for failing to protect consumer data, would compensate consumers injured by these breaches and help ensure that they never happen again.”

In September 2017, Equifax announced that hackers had accessed and stolen sensitive personal information, including Social Security Numbers, birth dates, credit card numbers, driver's license numbers, and passport numbers, belonging to more than 143 million Americans – a number later revised up to 145.5 million people. The breach highlighted that CRAs like Equifax retain vast amounts of data on millions of Americans but often lack adequate safeguards against hackers. Since 2013, Equifax has reported at least four separate hacks in which sensitive personal information was compromised.

The Data Breach Prevention and Compensation Act would:

· Establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs.
· Impose mandatory, strict liability penalties for breaches involving consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. Under this bill, Equifax would have had to pay at least a $1.5 billion penalty for their failure to protect Americans' personal information.
· Ensure a robust recovery for affected consumers by requiring the FTC to use 50% of its penalty to compensate consumers.
· Increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach.
· Enhance FTC enforcement by giving the FTC civil penalty authority under the Gramm-Leach-Bliley Act.

Additionally, Sens. Warren and Warner, and Rep. Krishnamoorthi, in a new analysis of Consumer Financial Protection Bureau (CFPB) consumer complaints, revealed that consumers filed more than 52,000 complaints related to Equifax in the 18 months following the announcement of the Equifax breach – nearly double the number from the same period before the breach was announced. The report shows how Equifax continues to fail affected consumers by neglecting to provide adequate responses to consumer complaints, including by refusing to remove incorrect information from credit reports. The lawmakers also sent the report to the FTC and CFPB, requesting that the agencies take action.

The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups:

"This bill requires the FTC to provide much-needed oversight of the credit bureaus for data security. It also imposes real and meaningful penalties when the credit bureaus, who hold our most sensitive financial information, fail to adequately protect that information. I commend Senator Warren, Senator Warner, and Congressmen Cummings and Krishnamoorthi for their continuing efforts to prevent another massive security failure like the Equifax data breach," said National Consumer Law Center Staff Attorney, Chi Chi Wu.

“A concrete response to a serious problem facing American consumers. The ongoing risk of data breach and identity theft have reached epidemic proportions. We clearly need more expertise in the federal government to address this challenge. We hope the Senate will move forward this important and timely effort to safeguard American consumers and Internet users,” said Electronic Privacy Information Center President and Executive Director, Marc Rotenberg.

“Equifax still hasn’t paid a price two years after losing the financial DNA of 150 million Americans. That’s why U.S. PIRG commends Senator Warner, Senator Warren, and Congressmen Cummings and Krishnamoorthi for reintroducing the Data Breach Prevention and Compensation Act. The bill provides strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data,” said U.S. PIRG Consumer Campaign Director, Mike Litt.

"Making the companies that collect and sell consumers’ personal information liable when they fail to secure it is a necessary step in ensuring our privacy rights,” said Former Chief Technologist at the FTC, Ashkan Soltani.

More statements of support are available here. More information about this bill can be found here. For text of the bill, click here.

###

WASHINGTON – With summer vacation season just around the corner, Sens. Mark R. Warner and Tim Kaine (both D-VA) are drawing attention to an unexpected danger to beachgoers: flying beach umbrellas. Essential staples of many family vacations, the popular beach accessories can quickly become hazards when propelled by wind through the air, as has happened on several occasions in recent years, most tragically in 2016, when Lottie Michelle Belk of Chester, Va. was struck in the torso and killed while vacationing in Virginia Beach with her family. Today, Virginia’s Senators were joined by their colleagues from New Jersey, Sens. Bob Menendez and Cory Booker (both D-NJ), in asking the U.S. Consumer Product Safety Commission (CPSC) to do more to inform and protect the public from dangerous, and potentially lethal, flying beach umbrellas. 

“As you know, beach umbrellas provide beachgoers the benefits of shade on hot and sunny days at the shore. Yet, a burst of wind can make these summer accessories harmful to those around them,” the Senators wrote to Consumer Product Safety Commission Chair Elliot Kaye. “Over the last several years, reports of horrific injuries resulting from beach umbrellas have splashed across the media.”

According to data from the Consumer Product Safety Commission, more than 31,000 people were treated at hospitals for umbrella-related injuries between 2008 and 2017. However, the publicly available data falls short of providing consumers with recommended safety standards to prevent beach umbrella-related injuries or information on specific products that have caused serious injuries.

The Senators noted several examples of these injuries, including a Virginia man who lost the use of his eye after a seven-foot-long beach umbrella struck him at a beach in Delaware.  

The Senators are requesting more information from the Consumer Product Safety Commission, including what safety standards are in place to prevent umbrella-related injuries and problems with specific beach umbrella products, and what it is doing to ensure the public is properly educated of the risks and dangers of beach umbrellas to prevent injuries. They also requested that the CPSC provide a detailed breakdown of data on umbrella injuries, including the number of injuries caused specifically by beach umbrellas.

 

Full text of the letter is below and a copy can be found here.

 

May 2, 2019

 

Elliot F. Kaye

Chairman, U.S. Consumer Product Safety Commission

4330 East West Highway

Bethesda, MD 20814

 

Dear Chairman Kaye,

 

We write regarding concerns about the safety of beach umbrellas. Recently, we heard from constituents impacted by flying beach umbrellas, which have caused injury, and in at least one recent case, death. As you know, beach umbrellas provide beachgoers the benefits of shade on hot and sunny days at the shore. Yet, a burst of wind can make these summer accessories harmful to those around them. According to a query on the Consumer Product Safety Commission’s own website, from 2008-2017 over 31,000 people sought treatment at a hospital due to an umbrella-related injury.  Unfortunately, the CPSC does not parse out the data to differentiate between types of umbrellas. Nonetheless, we request information regarding how the CPSC plans to address this issue.

 

Over the last several years, reports of horrific injuries resulting from beach umbrellas have splashed across the media. In 2015, a Virginia man lost the use of his eye after a seven-foot-long beach umbrella struck him at Bethany Beach, Delaware.  Last year, a beach umbrella came loose from the sand in Seaside Heights, New Jersey, impaling a British tourist through the ankle.   That same summer a woman sitting on the beach in Ocean City, Maryland was pierced below the collarbone by a beach umbrella.  Most tragically, in June 2016, a Virginia resident lost her life after a gust of wind launched an umbrella into the air, striking her in the torso while she was on vacation in Virginia Beach.  The scourge of beach umbrellas is not a new phenomenon. In 2006, a woman in New York received $200,000 from New York State because of injuries she sustained from an airborne beach umbrella in 1999; the umbrella struck her forehead resulting in 13 stitches and permanent nerve damage.

 

To ensure the public is equipped with the most updated information, we request responses to the following questions:

 

1. What, if any, safety standards does the CPSC have in place to adequately prevent beach umbrella-related injuries?

2. Does CPSC believe any particular safety standard could prevent injuries?

3. What is the CPSC doing to educate the public regarding the dangers of beach umbrellas?

4. Has the CPSC received complaints regarding beach umbrellas?  If so, what do those reports indicate about injuries related to beach umbrellas?

5. Is the CPSC aware of problems with specific beach umbrellas that have not been made public?

6. Can the CPSC provide a detailed breakdown of data on umbrella injuries? Specifically, how many injuries are caused by beach umbrellas?

 

We appreciate CPSC’s willingness to take a direct look at the concerns raised by our constituents, and look forward to hearing back from you by June 3, 2019.

 

Sincerely,

 

###

 

WASHINGTON – With summer vacation season just around the corner, Sens. Mark R. Warner and Tim Kaine (both D-VA) are drawing attention to an unexpected danger to beachgoers: flying beach umbrellas. Essential staples of many family vacations, the popular beach accessories can quickly become hazards when propelled by wind through the air, as has happened on several occasions in recent years, most tragically in 2016, when Lottie Michelle Belk of Chester, Va. was struck in the torso and killed while vacationing in Virginia Beach with her family. Today, Virginia’s Senators were joined by their colleagues from New Jersey, Sens. Bob Menendez and Cory Booker (both D-NJ), in asking the U.S. Consumer Product Safety Commission (CPSC) to do more to inform and protect the public from dangerous, and potentially lethal, flying beach umbrellas.

“As you know, beach umbrellas provide beachgoers the benefits of shade on hot and sunny days at the shore. Yet, a burst of wind can make these summer accessories harmful to those around them,” the Senators wrote to Consumer Product Safety Commission Chair Elliot Kaye. “Over the last several years, reports of horrific injuries resulting from beach umbrellas have splashed across the media.”

According to data from the Consumer Product Safety Commission, more than 31,000 people were treated at hospitals for umbrella-related injuries between 2008 and 2017. However, the publicly available data falls short of providing consumers with recommended safety standards to prevent beach umbrella-related injuries or information on specific products that have caused serious injuries.

The Senators noted several examples of these injuries, including a Virginia man who lost the use of his eye after a seven-foot-long beach umbrella struck him at a beach in Delaware.

The Senators are requesting more information from the Consumer Product Safety Commission, including what safety standards are in place to prevent umbrella-related injuries, what problems with specific beach umbrella products it is aware of, and what it is doing to ensure the public is properly educated about the risks and dangers of beach umbrellas so that injuries can be prevented. They also requested that the CPSC provide a detailed breakdown of data on umbrella injuries, including the number of injuries caused specifically by beach umbrellas.

Full text of the letter is below and a copy can be found here.

May 2, 2019

Ann Marie Buerkle

Acting Chairman, U.S. Consumer Product Safety Commission

4330 East West Highway

Bethesda, MD 20814

Dear Acting Chairman Buerkle,

We write regarding concerns about the safety of beach umbrellas. Recently, we heard from constituents impacted by flying beach umbrellas, which have caused injury, and in at least one recent case, death. As you know, beach umbrellas provide beachgoers the benefits of shade on hot and sunny days at the shore. Yet, a burst of wind can make these summer accessories harmful to those around them. According to a query on the Consumer Product Safety Commission’s own website, from 2008-2017 over 31,000 people sought treatment at a hospital due to an umbrella-related injury. Unfortunately, the CPSC does not parse out the data to differentiate between types of umbrellas. Nonetheless, we request information regarding how the CPSC plans to address this issue.

Over the last several years, reports of horrific injuries resulting from beach umbrellas have splashed across the media. In 2015, a Virginian man lost the use of his eye after a seven-foot-long beach umbrella struck him at Bethany Beach, Delaware. Last year, a beach umbrella came loose from the sand in Seaside Heights, New Jersey, impaling a British tourist through the ankle. That same summer, a woman sitting on the beach in Ocean City, Maryland, was pierced below the collarbone by a beach umbrella. Most tragically, in June 2016, a Virginia resident lost her life after a gust of wind launched an umbrella into the air, striking her in the torso while she was on vacation in Virginia Beach. The scourge of beach umbrellas is not a new phenomenon. In 2006, a woman in New York received $200,000 from New York State because of injuries she sustained from an airborne beach umbrella in 1999; the umbrella struck her forehead, resulting in 13 stitches and permanent nerve damage.

To ensure the public is equipped with the most updated information, we request responses to the following questions:

  1. What, if any, safety standards does the CPSC have in place to adequately prevent beach umbrella-related injuries?
  2. Does CPSC believe any particular safety standard could prevent injuries?
  3. What is the CPSC doing to educate the public regarding the dangers of beach umbrellas?
  4. Has the CPSC received complaints regarding beach umbrellas? If so, what do those reports indicate about injuries related to beach umbrellas?
  5. Is the CPSC aware of problems with specific beach umbrellas that have not been made public?
  6. Can the CPSC provide a detailed breakdown of data on umbrella injuries? Specifically, how many injuries are specifically caused by beach umbrellas?

We appreciate CPSC’s willingness to take a direct look at the concerns raised by our constituents, and look forward to hearing back from you by June 3, 2019.

Sincerely,

###

WASHINGTON – A day ahead of the one-year anniversary of Facebook CEO Mark Zuckerberg’s congressional testimony, U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE) have introduced the Deceptive Experiences To Online Users Reduction (DETOUR) Act, bipartisan legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data.

The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not take under normal circumstances. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.  

“For years, social media platforms have been relying on all sorts of tricks and tools to convince users to hand over their personal data without really understanding what they are consenting to. Some of the most nefarious strategies rely on ‘dark patterns’ – deceptive interfaces and default settings, drawing on tricks of behavioral psychology, designed to undermine user autonomy and push consumers into doing things they wouldn’t otherwise do, like hand over all of their personal data to be exploited for commercial purposes,” said Sen. Warner, a former technology executive who is Vice Chairman of the Senate Select Committee on Intelligence. “Our goal is simple: to instill a little transparency in what remains a very opaque market and ensure that consumers are able to make more informed choices about how and when to share their personal information.” 

“Any privacy policy involving consent is weakened by the presence of dark patterns. These manipulative user interfaces intentionally limit understanding and undermine consumer choice. Misleading prompts to just click the ‘OK’ button can often transfer your contacts, messages, browsing activity, photos, or location information without you even realizing it. Our bipartisan legislation seeks to curb the use of these dishonest interfaces and increase trust online,” said Sen. Fischer, a member of the Senate Commerce Committee. 

Dark patterns can take various forms, often exploiting the power of defaults to push users into agreeing to terms stacked in favor of the service provider. Some examples of such actions include: a sudden interruption during the middle of a task repeating until the user agrees to consent; a deliberate obscuring of alternative choices or settings through design or other means; or the use of privacy settings that push users to ‘agree’ as the default option, while users looking for more privacy-friendly options often must click through a much longer process, detouring through multiple screens. Other times, users cannot find the alternative option, if it exists at all, and simply give up looking. 

The result is that large online platforms have an unfair advantage over users and potential competitors in forcing consumers to give up personal data such as their contacts, messages, web activity, or location to the benefit of the company. 

“The tech industry has gone unchecked for far too long. Bold action is needed on a wide scale to change the incentives in Silicon Valley with our well-being in mind, especially when it comes to kids,” said Jim Steyer, CEO of Common Sense. “This bill gets to the root of the issue – the use of manipulative and deceptive design features that trick kids and other users into giving up valuable and private information, and hook them into spending more time than is healthy online. Common Sense strongly supports Senators Warner and Fischer on this bipartisan effort to hold tech companies accountable for these practices that only harm consumers.” 

“Dark patterns are among the least humane design techniques used by technology companies in their scramble for growth at all costs. They use these measures to offer false choices that confuse or trap users into over-sharing personal information or driving compulsive use – especially from the most vulnerable users, including kids,” said Tristan Harris, Co-Founder of the Center for Humane Technology. “A system-wide rethinking of technology policy and design is in order, so CHT fully supports Senators Warner and Fischer in this bipartisan effort to place significant constraints around the ability to deceive users online. The creation of a special standards body is especially crucial to the protection of consumers, as they keep lawmakers more up-to-date and able to iterate laws at pace with the rapid change of technology.”

“We support Senators Warner and Fischer in protecting people from exploitive and deceptive practices online,” said Fred Humphries, Corporate Vice President of U.S. Government Affairs at Microsoft. “Their legislation helps to achieve that goal and we look forward to working with them.”

“People are ensnared by ‘dark patterns’ of manipulation on the Internet every day, and ending these practices is a key part of protecting people online. We need to better understand the systems that manipulate people online, and empower users to fight back. We applaud Senator Warner and Senator Fischer for introducing this legislation to curtail these troubling practices,” said Alan Davidson, Vice President of Global Policy, Trust and Security at Mozilla.

“EPIC appreciates Senator Warner and Senator Fischer’s important work to safeguard consumer privacy,” said Caitriona Fitzgerald, Electronic Privacy and Information Center (EPIC) Policy Director.  

The Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative dark pattern behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. The legislation:

  • Enables the creation of a professional standards body, which can register with the Federal Trade Commission (FTC), to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body, providing updated guidance to platforms on design practices that impair user autonomy, decision-making, or choice, positioning the FTC to act as a regulatory backstop.
  • Prohibits segmenting consumers for the purposes of behavioral experiments, except with a consumer’s informed consent. This includes routine disclosures by large online operators, not less than once every 90 days, to users and the public on any behavioral or psychological experiments. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare.
  • Prohibits user design intended to create compulsive usage among children under the age of 13 years old.
  • Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.

The full bill text is available here. 

Sen. Warner has been raising concerns about the implications of social media companies’ reliance on dark patterns for several years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on their News Feeds. 

Sen. Warner is recognized as one of Congress’ leading voices in an ongoing public debate around social media and user privacy. Last year, Sen. Warner called on the social media companies to work with Congress and provide feedback on ideas he put forward in a white paper discussing potential policy solutions to challenges surrounding social media, privacy, and data security. In addition to the DETOUR Act, in the coming weeks and months, Sen. Warner will introduce further legislation designed to improve transparency, privacy, and accountability on social media.

###