
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the Department of Health and Human Services (HHS) regarding a proposed rule by the Centers for Medicare and Medicaid Services (CMS) that would require CMS-funded health plans (including ACA marketplace plans) to allow patients to access their personal health information electronically through third-party consumer applications. In his letter, Sen. Warner urged HHS to include clear standards and defined controls for accessing patient data in order to address the potential for misuse of these interoperability features.

“In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information,” wrote Sen. Warner. “It is critical that proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.”

“Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users,” he continued. “As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used.”

Under the proposed Interoperability and Patient Access rule, CMS would require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through open application programing interfaces (APIs). APIs would allow third-party software applications to connect to, process, and make the data available to patients.

In the letter, Sen. Warner emphasized the importance of allowing patients to easily access their health information. He also noted the similarities between the proposed rule and the ACCESS Act – bipartisan legislation introduced by Sen. Warner that would promote market-based competition among social media platforms by requiring the largest social media companies to make user data portable, and their services interoperable, with other platforms. The ACCESS Act would also allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose. Additionally, Sen. Warner urged that, at a minimum, the final rule include the following standards:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Sen. Warner has been a longtime critic of poor cybersecurity practices that compromise Americans’ personal information. Last week, Sen. Warner raised concern with HHS’ failure to act, following a mass exposure of sensitive medical images and information by health organizations. In September, he wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.


The Honorable Alex M. Azar II

Department of Health and Human Services

Office of the Secretary

200 Independence Avenue, S.W.

Washington, D.C. 20201


Dear Secretary Azar:

I am writing regarding the proposed rule from the Centers for Medicare and Medicaid Services (CMS) on Interoperability and Patient Access that would enable third party consumer applications to access sensitive patient and health plan data through application programming interfaces (APIs) [1]. I share the goals of advancing interoperability in patient health information and believe that – implemented appropriately – this proposal could represent a significant step in that direction. However, I urge CMS to take additional steps to address the potential for misuse of these features in developing the rules around APIs. In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information.

Congress passed the 21st Century Cures Act (P.L. 114-255) with a key objective of improving the protected exchange of electronic health records across the care continuum. Notably, Sections 4003 and 4004 included specific provisions to establish a trusted health information exchange framework and reduce information blocking; it stated that there should be regulation over unreasonable practices to interfere with, prevent, or materially discourage access, exchange, or use of a patient’s electronic health records. While your agency has taken substantial steps to implement fundamental aspects of this legislation, it is critical that proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.

In your proposed rule CMS would specifically require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through an open application programming interface (API). Data should be made available through an API so that third party software applications can connect to, process, and make the data available to patients.

I agree that patients should have an ability to easily acquire their health information. The rule is in many ways consistent with bipartisan legislation I have introduced in Congress – the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, which requires our nation’s largest social media companies to make user data portable, and make their services interoperable with other platforms.

Common to both my bill and the proposed rule is a recognition that consumers should have a right to possess their data – and share it with authorized third parties that will protect it. Both proposals also seek to address the control over consumer data that incumbents wield, often to the detriment of new, innovative providers. Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users.

As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used. Such standards in a final rule should include at a minimum:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Thank you for your consideration and your commitment to advancing interoperability to improve patient care. I believe the outline I have shared would strengthen and ensure the rule achieves its intended purpose. It is my hope and belief that we can achieve both a higher level of interoperability and patient access to their data, as well as strong protections for that information. I look forward to continued work with you on this important issue and our shared goals.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, today raised concern with the failure of the U.S. Department of Health and Human Services (HHS) to act, following a mass exposure of sensitive medical images and information by health organizations. In a letter to the HHS Director of the Office for Civil Rights, Sen. Warner identified this exposure as damaging to individual and national security, as this kind of information can be used to target individuals and to spread malware across organizations.

“I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it,” wrote Sen. Warner. “As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.”

“These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization,” he continued. “In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected.”

On September 17th, a report revealed that millions of Americans had their private medical images exposed online, due to unsecured picture archiving and communication servers (PACS) that utilize the Digital Imaging and Communications in Medicine (DICOM) protocol. Along with the medical images, these PACS also exposed the names and social security numbers of those affected, leaving this information open to anyone with basic computer expertise, as these required no authentication to access or download.

This exposure was uncovered by German researchers, who contacted the German Federal Office for Information Security (BSI). BSI then alerted the United States Computer Emergency Readiness Team (US-CERT), who confirmed the exposure and reached out to HHS. However, if it received this information, HHS has failed to act on it, even failing to list TridentUSA Health Services – one of the main companies responsible for the exposure – on its breach portal website.

In his letter to Director Roger Severino, Sen. Warner also raised alarm with the fact that TridentUSA Health Services successfully completed an HHS Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audit in March 2019, while patient images were actively accessible online.

Sen. Warner also posed the following questions for HHS regarding the incident, and its current cybersecurity requirements and procedures:

  1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
     a. If so, what actions were taken to address the issue?
  2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
     a. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?
  3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
  4. Please describe your information security audit process.
  5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that compromise Americans’ personal information. In September, Sen. Warner wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.


Mr. Roger Severino

Director, Office for Civil Rights

Department of Health and Human Services

200 Independence Ave SW

Washington, DC 20201

Dear Director Severino,

As the health care industry increasingly harnesses internet connectivity and software, including machine learning systems, to improve patient care, a long overdue focus on data privacy and information security has come into sharper focus. This is particularly evident in light of reports that sensitive medical records of potentially millions of Americans were recently exposed online – and that your agency has done little to address this issue. Prompting even greater concern, one of the companies that left the data exposed online also successfully completed one of your Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audits in March. I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it. As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients, without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.

On September 17th ProPublica published a shocking report that the sensitive medical images of millions of American patients were exposed online through unsecured picture archiving and communication servers (PACS) that utilize the Digital Imaging and Communications in Medicine (DICOM) protocol. The publicly-accessible information that had been accessed from Germany included MRIs, X-rays, and CT scans, as well as names and social security numbers of the patients. The 13.7 million images found on the internet required absolutely no authentication to access or download. As of writing this letter, there are 779 million image records attached to 21.6 million patient records, impacting an estimated 5 million patients in 22 states. The largest system accessed holds 61 million diagnostic images attached to 1.23 million exam records of American patients and remains available on the internet.

In late August, German researchers initiated an investigation to determine the global accessibility and remote access capabilities of PACS. On September 9th, the researchers concluded their two-week inquiry and submitted their findings to the German Federal Office for Information Security (BSI). By September 17th, BSI had addressed the affected systems which were removed from the internet prior to the publishing of the ProPublica report.

After US-CERT was notified of the problem by BSI, US-CERT contacted the German researchers at Greenbone Networks, confirming they received the data on September 20th. US-CERT stated the agency would convey the information to the U.S. Department of Health and Human Services (HHS). According to the researchers, however, there has been no further communication from US-CERT or HHS, even though data privacy authorities from other countries like France and the UK contacted Greenbone Networks following the publication of ProPublica’s report.

On September 23rd, I wrote to TridentUSA Health Services expressing my concern regarding the issues raised in the ProPublica report, and pointed out that MobilexUSA, a TridentUSA Health Services affiliate, was identified as controlling one of the unsecured PACS. On October 15th, the German researchers demonstrated to my office that a number of US-based PACS have open ports, supporting unencrypted communications protocols, exposing images to the internet like chest X-rays and mammograms, and identifying details like names and social security numbers. Those images and medical records continue to be accessible.

These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected. The researchers who discovered the flaw in the DICOM protocol were able to use a polyglot file, which can contain more than one stream of data with different file formats, and hide the malicious code in the scan. In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization.

In their response to my letter, TridentUSA Health Services noted that they successfully completed the Department of Health and Human Services audits, confirming compliance with the HIPAA Security Rule, the last of which concluded in March 2019, while patient images were accessible online.

While the information security lapses by the medical companies using the PACS are clear, it is unclear how your agency has addressed this issue. As of the writing of this letter, TridentUSA Health Services is not included on your breach portal website, and I have seen no evidence that, once contacted by US-CERT, you acted on that information in any meaningful way.

To understand how such an enormous oversight in your organization has allowed medical companies to leave insecure ports open to the internet and accessed repeatedly by a German IP address, I ask that you answer the following questions:

1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
   a. If so, what actions were taken to address the issue?
2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
   a. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?
3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
4. Please describe your information security audit process.
5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

The American people deserve to have their sensitive private information protected and their government held accountable for enforcing the rules in place to keep that information private. I hope that you will share what immediate actions you are taking, along with answering the questions above. I look forward to hearing your response no later than November 18, 2019.

Sincerely,

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Josh Hawley (R-MO) and Richard Blumenthal (D-CT) will introduce the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, bipartisan legislation that will encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.

“Social media has enormous benefits. But, as we've seen, the tremendous dominance of a handful of large platforms also has major downsides – including few options for consumers who want to use social media to connect with friends, store their photos or just watch cat videos, but who face a marketplace with just a few major players and little in the way of real competition,” said Sen. Warner, a former technology entrepreneur and venture capitalist. “As a former cell phone guy, I saw what a game-changer number portability was for that industry. By making it easier for social media users to easily move their data or to continue to communicate with their friends after switching platforms, startups will be able to compete on equal terms with the biggest social media companies. And empowering trusted custodial companies to step in on behalf of users to better manage their accounts across different platforms will help balance the playing field between consumers and companies. In other words – by enabling portability, interoperability, and delegatability, this bill will help put consumers in the driver’s seat when it comes to how and where they use social media.”

“Your data is your property. Period. Consumers should have the flexibility to choose new online platforms without artificial barriers to entry. This bill creates long-overdue requirements that will boost competition and give consumers the power to move their data from one service to another,” said Sen. Hawley.

“The exclusive dominance of Facebook and Google has crowded out the meaningful competition that is needed to protect online privacy and promote technological innovation. As we learned in the Microsoft antitrust case, interoperability and portability are powerful tools to restrain anti-competitive behaviors and promote innovative new companies. The bipartisan ACCESS Act would empower consumers to finally stand up to Big Tech and move their data to services that respect their rights,” said Sen. Blumenthal.

Online communications platforms have become vital to the economic and social fabric of the nation, but network effects and consumer lock-in have entrenched a select number of companies’ dominance in the digital market and enhanced their control over consumer data. The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act would increase market competition, encourage innovation, and increase consumer choice by requiring large communications platforms (products or services with over 100 million monthly active users in the U.S.) to:

  • Make their services interoperable with competing communications platforms.
  • Permit users to easily port their personal data in a structured, commonly used and machine-readable format.
  • Allow users to delegate trusted custodial services, which are required to act in a user’s best interests through a strong duty of care, with the task of managing their account settings, content, and online interactions. 

“One very real nightmare scenario for the future of the internet is users facing a meaningless choice among a few fully-integrated silos of technology, and the end of independent innovation and creativity. We all need to prevent that from happening. This legislation could help us take a huge step forward towards a better internet future,” said Chris Riley, Director of Public Policy at the Mozilla Corporation.

“Markets work when consumers have a choice and know what's going on. The ACCESS Act is an important step toward reestablishing this dynamic in the market for tech services. We must get back to the conditions that make markets work: when consumers know what they give a firm and what they get in return; and if they don't like the deal, they can take their business elsewhere. By giving consumers the ability to delegate decisions to organizations working on their behalf, the ACCESS Act gives consumers some hope that they can understand what they are giving up and getting in the opaque world that the tech firms have created. By mandating portability, it also gives them a realistic option of switching to another provider,” said Paul Romer, New York University Professor of Economics and Nobel Prize winner in Economics.

“We’re thrilled to see a concrete legislative proposal to provide interoperability for consumers. Built on a solid foundation of privacy and security protections, interoperability enables users to communicate across networks promoting competition among social media platforms. Interoperability ensures that users benefit from increased competition, and it helps new competitors grow by reaching users that are locked-in to their current provider. Senator Warner’s interoperability bill lays out an excellent, practical framework for making interoperability a reality while preserving a role for states to go even further,” said Charlotte Slaiman, Senior Policy Counsel at Public Knowledge.

“All of us at USV believe in decentralized, emergent, market driven innovation. The shared communications infrastructure of the open Internet and a vibrant competitive market triggered the Cambrian explosion of new Web services we all now enjoy. But today, a small number of companies capitalize on their exclusive control over our data - the data we contribute as we interact with their services - to dominate markets, stifling competition and limiting consumer choice. While this is widely understood, most policy makers propose prescriptive regulation that would only further entrench the dominant platforms. The ACCESS Act targets the specific market failure - exclusive control over consumer data - that has led to the consolidation of market power on the Web. Ensuring that consumers have access to their data is an elegant way to restore competition without burdensome regulation,” said Brad Burnham, Partner and Co-Founder at Union Square Ventures.

Previously, Sens. Warner and Hawley have partnered on the DASHBOARD Act, legislation to require data harvesting companies such as social media platforms to disclose how they are monetizing consumer data, as well as the Do Not Track Act, which would allow users to opt out of non-essential data collection, modeled after the Federal Trade Commission’s (FTC) “Do Not Call” list. 

A section-by-section summary of the bill is available here. Bill text is available here.

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Marco Rubio (R-FL), member of the Senate Select Committee on Intelligence, have expressed concern over the growing threat posed by deepfakes – sophisticated audio and video technologies that allow users to create fake audio and/or video files that falsely depict someone saying or doing something. In letters to 11 social media companies, including Facebook, Twitter, and YouTube, Sens. Warner and Rubio urged the platforms to develop industry standards for sharing, removing, archiving, and confronting the sharing of synthetic content as soon as possible, in light of foreign threats to the upcoming U.S. election. The letters also encouraged the platforms to develop clear policies to ensure their platforms are not exploited to spread disinformation or misinformation, including through authenticating media, labeling and archiving synthetic media content, and providing access to qualified outside researchers.

“As concerning as deepfakes and other multimedia manipulation techniques are for the subjects whose actions are falsely portrayed, deepfakes pose an especially grave threat to the public’s trust in the information it consumes, particularly images and video and audio recordings posted online,” wrote the Senators. “If the public can no longer trust recorded events or images, it will have a corrosive impact on our democracy.”

“Despite numerous conversations, meetings, and public testimony acknowledging your responsibilities to the public, there has been limited progress in creating industry-wide standards on the pressing issue of deepfakes and synthetic media,” they continued. “Having a clear strategy and policy in place for authenticating media, and slowing the pace at which disinformation spreads, can help blunt some of these risks.  Similarly, establishing clear policies for the labeling and archiving of synthetic media can aid digital media literacy efforts and assist researchers in tracking disinformation campaigns, particularly from foreign entities and governments seeking to undermine our democracy.”

Deepfake technologies allow users to superimpose existing images and videos onto unrelated images or videos, essentially giving users the ability to create false and defamatory content that can be easily spread on social media.

In their letters to Facebook, Twitter, YouTube, Reddit, LinkedIn, Tumblr, Snapchat, Imgur, TikTok, Pinterest, and Twitch, the Senators emphasized that more than two-thirds of Americans get their news from social media sites, and stressed that online media platforms must assume a heightened responsibility for safeguarding public confidence. They also posed the following series of questions about each company’s ability to prevent, detect, and address deepfakes and other synthetic media:

  1. What is your company’s current policy regarding whether users can post intentionally misleading, synthetic or fabricated media?
  2. Does your company currently have the technical ability to detect intentionally misleading or fabricated media, such as deepfakes? If so, how do you archive this problematic content for better re-identification in the future?
  3. Will your company make available archived fabricated media to qualified outside researchers working to develop new methods of tracking and identifying such content?  If so, what partnerships does your company currently have in place?  Will your company maintain a separate, publicly accessible archive for this content?
  4. If the victim of a possible deepfake informs you that a recording is intentionally misleading or fabricated, how will your company adjudicate those claims or notify other potential victims?
  5. If your company determines that a media file hosted by your company is intentionally misleading or fabricated, how will you make clear to users that you have either removed or replaced that problematic content?
  6. Given that deepfakes may attract views that could drive algorithmic promotion, how will your company and its algorithms respond to, and downplay, deepfakes posted on your platform?
  7. What is your company’s policy for dealing with the posting and promotion of media content that is wholly fabricated, such as untrue articles posing as real news, in an effort to mislead the public? 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the CEO of TridentUSA Health Services today to ask about the company’s data security practices as they relate to Health Insurance Portability and Accountability Act (HIPAA) compliance. The letter comes in light of a report that MobileXUSA – an affiliate of TridentUSA Health Services – left an unencrypted server online, exposing the medical data of millions of Americans.

“It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices — no software vulnerabilities were involved, and no explicit hacking was required,” wrote Sen. Warner. “While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.”

According to recent reports, many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. As part of the report, researchers identified 187 servers in the U.S. – including that of MobileXUSA – that were unprotected by passwords or basic security precautions.

In the letter to TridentUSA Health Services, Sen. Warner stressed the importance of protecting Americans’ privacy and personal health information. He also posed the following questions for TridentUSA Health Services:

  1. HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant? 
  2. PACS vulnerabilities are well known; however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls?
  3. What are your identity and access management controls for IP-addresses and/or port filters?
  4. Do you require VPN or SSL to communicate with your PACS?
  5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
  6. What are your server encryption practices?
  7. Do you have an internal security team or do you outsource it?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that have led to the compromise of Americans’ personal information. Last week, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. He also introduced legislation earlier this year to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.


Andrei Soran, CEO

TridentUSA Health Services

930 Ridgebrook Rd.

Sparks Glencoe, MD 21152

Dear Mr. Soran,

It has come to my attention that one of your affiliated companies, MobileXUSA, recently left an unencrypted server online, exposing sensitive medical images and health data of Americans. According to recent reporting, researchers found 13.7 million data sets and 303.1 million images in medical image storage systems have been freely accessible online with no authentication requirements to access or download the images. This left the MRIs, X-rays, and CT scans of millions of Americans exposed on the internet, not because of a breach, but simply because they were stored on 187 unprotected picture archiving and communication servers (PACS) including yours. Additionally, along with the sensitive medical images, according to the research, your server displayed the names of more than a million patients.

My colleagues and I in the Senate have been concerned about negligent cybersecurity practices in the health care space for a long time. Cybersecurity risks within the health care sector represent a growing threat, with 285 breaches reported between January and June of this year.  According to one report, there has been at least one healthcare-related data breach a day since 2016.  Just recently, the Senate Cybersecurity Caucus, of which I am a co-founder, convened a briefing that focused on healthcare and cybersecurity, particularly on the security of healthcare records which further highlighted the need for more robust cyber hygiene practices, and possibly additional standards.

It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices — no software vulnerabilities were involved, and no explicit hacking was required. While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.

To better understand how exactly millions of private medical scans were left open on the internet, I would appreciate your answers to the following questions:  

  1. HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant? 
  2. PACS vulnerabilities are well known; however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls?
  3. What are your identity and access management controls for IP-addresses and/or port filters?
  4. Do you require VPN or SSL to communicate with your PACS?
  5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
  6. What are your server encryption practices?
  7. Do you have an internal security team or do you outsource it?

It is critical that the privacy of the individual – including their personal health information – is appropriately protected. I look forward to hearing your response by October 9th, 2019. Any further questions can be directed to Leisel Bogan in my office at Leisel_Bogan@warner.senate.gov.

Sincerely,

###


WASHINGTON – U.S. Sens. Mark R. Warner and Tim Kaine (D-VA) are urging the Consumer Product Safety Commission (CPSC) to launch a public safety campaign to educate the public about the dangers of beach umbrellas. The popular beach accessories can quickly become hazards when propelled by wind through the air, as has happened on several occasions in recent years, as in 2016, when Lottie Michelle Belk was struck in the torso and killed while vacationing in Virginia Beach with her family. Last month, a toddler was nearly impaled by a flying beach umbrella in North Myrtle Beach, S.C.

Today’s letter to Acting CPSC Chairwoman Ann Marie Buerkle is a follow-up to one the Senators sent in May along with Sens. Bob Menendez and Cory Booker (both D-NJ) regarding the documented safety risks posed by beach umbrellas. In a June response, the CPSC noted that an estimated 2,800 beach umbrella-related injuries were treated in emergency departments nationwide from 2010 to 2018. Despite that, the CPSC also noted that it currently does not regulate the safety of beach umbrellas and is unaware of any voluntary standards specifically for beach umbrellas. Today, the four lawmakers urged the U.S. Consumer Product Safety Commission (CPSC) to take more aggressive action to protect beachgoers from the dangers of wind-swept beach umbrellas that can cause serious injury or even death.

“As Americans flock to the beach this summer season, we believe it is imperative that the CPSC ensure that a day at the beach isn’t turned into a day at the emergency room,” the Senators wrote.  

The lawmakers mentioned other notable CPSC public education campaigns that have proven successful in changing people’s behavior and encouraging greater precaution. Specifically, they pointed to the 2010 “Safe Sleep Campaign” to educate parents and caregivers about how best to make nurseries safe; the 2015 “Anchor It!” campaign to warn of the dangers of furniture tip-overs; the annual July 4th fireworks safety campaign; and a 2017 alert to the public of fidget spinner choking hazards.  

The Senators also pressed CPSC on whether it has considered the efficacy of a weighted system or other safety measures that could be taken to reduce the risk of umbrellas becoming airborne and endangering beach-goers.

Full text of the letter is below and a copy can be found here.


July 29, 2019

Ann Marie Buerkle

Acting Chair, U.S. Consumer Product Safety Commission

4330 East West Highway

Bethesda, MD 20814

Dear Chairman Buerkle,

We write in the wake of your June 7, 2019 response to our May 2, 2019 letter regarding the documented safety risks posed by beach umbrellas. Your letter stated that, over the nine-year period from 2010-2018, an estimated 2,800 people sought treatment in emergency rooms for injuries related to beach umbrellas. A majority of those injuries were caused by a wind-blown beach umbrella. As we noted in our letter, unsafe beach umbrellas have even proved fatal to our constituents. 

As Americans flock to the beach this summer season, we believe it is imperative that the CPSC ensure that a day at the beach isn’t turned into a day at the emergency room. To that end, we write to specifically ask that the Consumer Product Safety Commission (CPSC) launch a public safety campaign to educate the public about the dangers of beach umbrellas. In addition, we write with additional follow-up questions regarding whether the Commission considered the efficacy of certain design or technical changes to beach umbrellas.

As your letter acknowledges, there is currently no CPSC-led public education campaign on the dangers of beach umbrellas. Yet, a July 6, 2019 tweet and Instagram post from the CPSC’s social media accounts remind consumers to properly stake their beach umbrellas.  We were pleased to see the CPSC take the issue of beach umbrella safety seriously. Notably, your June 7 letter states: “CPSC technical staff believes that an information sheet on the potential hazards could be developed.” We agree, and formally request that the CPSC develop safety and educational resources for the public. As you know, the CPSC has a history of such public safety campaigns.

In 2010, the CPSC implemented the “Safe Sleep Campaign” in part to “educate parents and caregivers about the most effective ways to make a nursery safe.” In 2015, the CPSC launched “Anchor It!”, a national public safety campaign to educate the public about the dangers of furniture tip-overs. In addition, every July 4th the CPSC reminds the public of the dangers of fireworks. In August 2017, the CPSC went so far as to warn the public of the dangers of fidget spinners, stating that the popular toys pose a choking hazard. Surely, the dangers of a beach umbrella turned flying spear – and the large number, and often gruesome nature, of these incidents – warrant the attention of the Commission.

Your June 7 letter stated that “[t]echnical staff does not believe a safety standard would have a substantial effect on injuries from beach umbrellas incidents.” The letter states that the CPSC considered requiring a performance standard, requiring umbrellas to “contain venting”, the development of a staking requirement, and the development of a warning label system. Your letter does not however indicate whether the CPSC considered the efficacy of a weighted system, or any other alternative system options. To that end, we request responses to the following questions:

  1. Has the CPSC considered whether a weighted system, or another alternative, could best mitigate the risk of a wind-blown beach umbrella?
  2. What information would factor into a decision as to whether the CPSC would recommend a weighted system or an additional or alternative safety feature for beach umbrellas?
  3. Is the CPSC aware of any instance where an umbrella secured with a weighted system caused an injury?

We appreciate CPSC’s willingness to consider this issue and look forward to hearing back from you by August 30, 2019. Should you have further questions please contact Shelby Boxenbaum in Senator Menendez’s office at 202-224-4744.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Banking Committee, issued the following statement after regulators and the credit bureau Equifax reached a $700 million settlement over a 2017 data breach that compromised the personal information of more than 145 million Americans:

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”

Sen. Warner is the leading sponsor along with Sen. Elizabeth Warren (D-MA) of legislation that would hold Equifax and other credit reporting agencies (CRAs) accountable for data breaches. The Data Breach Prevention and Compensation Act would provide robust compensation to consumers for stolen data, impose mandatory penalties on CRAs for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs. Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information.

Companion legislation is sponsored in the House of Representatives by Reps. Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL).

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) issued the following statement regarding the Federal Trade Commission’s reported decision to approve a $5 billion settlement with Facebook for violating a 2011 consent decree requiring the company to enact privacy reforms:  

“Given Facebook’s repeated privacy violations, it is clear that fundamental structural reforms are required. With the FTC either unable or unwilling to put in place reasonable guardrails to ensure that user privacy and data are protected, it’s time for Congress to act.”

Last year, Sen. Warner called on the social media companies to work with Congress and provide feedback on ideas he put forward in a white paper discussing potential policy solutions to challenges surrounding social media, privacy, and data security. He has introduced several bipartisan bills to improve transparency, privacy, and accountability on social media. The Honest Ads Act, introduced with Sens. Amy Klobuchar (D-MN) and Lindsey Graham (R-SC), would prevent foreign actors from influencing our elections by ensuring that political ads sold online are covered by the same rules as ads sold on TV, radio, and satellite. The DETOUR Act, introduced in April with Sen. Deb Fischer (R-NE), would prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data. The most recent bill, the DASHBOARD Act, was introduced weeks ago with Sen. Josh Hawley (R-MO), and would require data harvesting companies such as social media platforms to tell consumers and financial regulators exactly what data they are collecting from consumers, and how it is being leveraged by the platform for profit.

Sen. Warner plans to introduce additional legislation in the coming weeks.

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and Josh Hawley (R-MO) will introduce the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act, bipartisan legislation that will require data harvesting companies such as social media platforms to tell consumers and financial regulators exactly what data they are collecting from consumers, and how it is being leveraged by the platform for profit.

“For years, social media companies have told consumers that their products are free to the user. But that’s not true – you are paying with your data instead of your wallet,” said Sen. Warner. “But the overall lack of transparency and disclosure in this market have made it impossible for users to know what they’re giving up, who else their data is being shared with, or what it’s worth to the platform. Our bipartisan bill will allow consumers to understand the true value of the data they are providing to the platforms, which will encourage competition and allow antitrust enforcers to identify potentially anticompetitive practices.”

“When a big tech company says its product is free, consumers are the ones being sold. These 'free' products track everything we do so tech companies can sell our information to the highest bidder and use it to target us with creepy ads,” said Sen. Hawley. “Even worse, tech companies do their best to hide how much consumer data is worth and to whom it is sold. This bipartisan legislation gives consumers control of their data and will show them how much these 'free' services actually cost.”

As user data increasingly represents one of the most valuable, albeit intangible, assets held by technology firms, shining light on how this data is collected, retained, monetized, and protected, is critical. The DASHBOARD Act will:

  • Require commercial data operators (defined as services with over 100 million monthly active users) to disclose types of data collected as well as regularly provide their users with an assessment of the value of that data.
  • Require commercial data operators to file an annual report on the aggregate value of user data they’ve collected, as well as contracts with third parties involving data collection.
  • Require commercial data operators to allow users to delete all, or individual fields, of data collected – and disclose to users all the ways in which their data is being used, including any uses not directly related to the online service for which the data was originally collected.
  • Empower the SEC to develop methodologies for calculating data value, while encouraging the agency to facilitate flexibility to enable businesses to adopt methodologies that reflect the different uses, sectors, and business models.

The DASHBOARD Act is the second tech-focused bill Hawley and Warner have partnered on. The first was Hawley’s Do Not Track Act, which would be modeled after the Federal Trade Commission’s (FTC) “Do Not Call” list and allow users to opt out of non-essential data collection.

A section-by-section summary of the bill is available here. Bill text is available here.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) has introduced several amendments to the annual defense authorization bill, including one that would build on his legislation, Ensuring Safe Housing for Our Military Act, most of which was included in the base text, by adding additional measures to improve privatized military housing.

Following reports of health hazards in privatized military housing in bases across the Commonwealth and the country, Sen. Warner has advocated on behalf of servicemembers and their families, and recently introduced an amendment to establish an advisory group to help the Department of Defense strengthen accountability and oversight in military housing. The amendment was offered in the FY20 National Defense Authorization Act (NDAA), the legislative vehicle that provides support for our servicemembers and sets the national security priorities for the United States.

“Servicemembers and their families sacrifice so much for this country. That’s why we’ve got to make things right for military families who, too often, have been subjected to subpar and sometimes dangerous living conditions. This includes making sure that the health and well-being of our nation’s servicemembers and their families are part of our national security priorities,” said Sen. Warner.

The amendment would also require the Secretaries of the Navy, Air Force, and Army to issue standard mold assessments, remediations, and procedures in their agreements with privatized housing companies. Sens. Tim Kaine (D-VA) and Dianne Feinstein (D-CA) joined Sen. Warner in introducing the amendment, which comes on the heels of Sen. Warner’s letter to Acting Secretary of Defense Patrick Shanahan, urging the Department of Defense (DoD) to establish an advisory group to address the prevalent health and environmental hazards in privatized military housing.

To protect U.S. innovation and combat technology threats, Sen. Warner filed a bipartisan amendment with Sen. Marco Rubio (R-FL) to establish an Office of Critical Technologies within the Executive Office of the President. The office would be responsible for coordinating a whole-of-government approach to protect the U.S. from state-sponsored technology theft and risks to critical supply chains. The amendment is based on the bipartisan legislation introduced by Sens. Warner and Rubio that would combat technology threats from China. Sen. Warner also introduced a bipartisan amendment with Sen. Crapo to strengthen the intelligence support to protect our supply chain from growing adversary threats.

“In the 20th century, the U.S. pioneered many groundbreaking technological advancements, and today, countries like China are using every tool in their arsenal to try to diminish U.S. leadership, set the standards for technologies like 5G, and dominate key technologies. In order to confront this challenge, the United States must push forward a coherent strategy to protect our technological edge and preserve American leadership,” continued Sen. Warner.

In a move to further defend national security and respond to emerging cyber-threats, Sen. Warner also introduced a series of amendments that would revamp the security clearance process, assess cyber threat detection and encourage the DoD to work with the Federal Communications Commission (FCC) to identify new spectrum for reallocation for 5G services.

“To ensure the U.S. can hire trusted professionals to tackle the emerging threats in cyber and technology, we must modernize our outdated security clearance system. While we’ve already seen an encouraging drop in individuals waiting on a background check, there is still more work to be done,” concluded Sen. Warner. 

The security clearance reform language is based on legislation introduced by Vice Chair Warner, and unanimously approved in the Intelligence Authorization Act (IAA) for Fiscal Years 2018-2020. Text for the cyber threat assessment amendment can be found here.

Sen. Warner also introduced amendments to improve the quality in information submitted in background investigation requests, ensure DoD has the funding flexibility to perform the personnel vetting mission, and ensure the new Defense Counterintelligence and Security Agency adequately protects the millions of pieces of personally identifiable information it will hold as the government’s primary investigative service provider.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), a former technology entrepreneur and venture capitalist, joined Sen. Josh Hawley (R-MO) in co-sponsoring the Do Not Track Act, bipartisan legislation to give control over personal data back to users. Similar to the national “Do Not Call” list, the Do Not Track Act gives every person the power to block online companies from collecting any data beyond what is necessary for the companies’ online services.

“Unfortunately, as our technology continues to evolve, so do the avenues for consumer exploitation,” said Sen. Warner. “In the age of the internet, user information is an incredibly valuable asset and Americans deserve to have more control over who can collect it and how they can use it. This legislation will give power back to users and allow them to decide who can and cannot access their private data.”

“Big tech companies collect incredible amounts of deeply personal, private data from people without giving them the option to meaningfully consent. They have gotten incredibly rich by employing creepy surveillance tactics on their users, but too often the extent of this data extraction is only known after a tech company irresponsibly handles the data and leaks it all over the internet. The American people didn't sign up for this, so I'm introducing this legislation to finally give them control over their personal information online,” said Sen. Hawley.

The sheer enormity of data big tech companies extract, and the unscrupulous ways they use that data, is distressing. These companies track user locations and spy on their internet history – even when they are told not to. In March, a senior official at Google admitted, under oath, that Google still tracks a user’s geolocation hundreds of times a day even after that person turns off “location history.” Facebook even collects data on people who don’t have a Facebook account. These companies and others exploit this harvested data to build massive profiles on users and then rake in hundreds of billions of dollars monetizing that data.

For years, industry groups promoted a program called “Do Not Track” to give users control, and the FTC endorsed the program in 2010. However, the program was voluntary, and tech giants that built their businesses around exploiting data refused to voluntarily comply. This bill would give Do Not Track legal force and expand it to cover all internet activity, not just browser-based activity. It would do this by:

  • Creating a program similar to the national Do Not Call list that gives every person the power, at a touch of a button, to block online companies from collecting any data beyond what is indispensable to the companies’ online services.
  • Prohibiting companies from profiling Americans who activate Do Not Track.
  • Banning discrimination against people who activate Do Not Track.
  • Banning companies from transferring data to other companies when a user activates Do Not Track unless the first company is an intended intermediary.
  • Forcing internet companies to disclose to users their rights under this legislation.
  • Imposing strict penalties for violating these provisions.

Under the Do Not Track Act, users would have several options to enroll, including a one-time click in the settings on their browser or downloading a simple app.

###


WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote today to the CEO of Quest Diagnostics, asking for information on the company’s supply chain management and cybersecurity practices after the company reported on Monday that the data of approximately 11.9 million Quest patients may have been compromised as a result of a breach of a system used by one of Quest’s contractors.

“While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach,” Sen. Warner wrote in his letter to Stephen Rusckowski, Chairman, President and CEO of Quest Diagnostics.

Earlier this year, Sen. Warner sent letters to multiple health care associations and government agencies including the Food and Drug Administration, Department of Health and Human Services, Centers for Medicare and Medicaid Services, and National Institute of Standards and Technology, seeking more information about steps being taken to reduce cyber vulnerabilities in the health care industry, which has become a growing target for cyberattackers. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care sector, and conveyed his desire to work alongside stakeholders to develop strategies that strengthen information security.

In today’s letter to Quest, Sen. Warner asked the company to provide additional information regarding the breach and the company’s processes for selecting and monitoring sub-contractors and vendors.

The full text of the letter appears below. A copy of the letter is available here.

Mr. Stephen H. Rusckowski
Chairman, President and Chief Executive Officer
Quest Diagnostics
500 Plaza Drive
Secaucus, NJ 0709

Dear Mr. Rusckowski,

On Monday, June 3rd, it was publicly reported that the data of an estimated 11.9 million of your customers were exposed by one of your bill collection vendors, American Medical Collection Agency (AMCA). According to your SEC filing, between August 1st, 2018 and March 30th, 2019, an unauthorized user had access to American Medical Collection Agency’s systems and data that included credit card numbers and bank account information, medical information, and other sensitive personal information like Social Security numbers. A statement by AMCA noted that the company was made aware of the breach by a security compliance firm that works with credit card companies. An internal review was then conducted by AMCA, which took down the web payments page and notified law enforcement.

While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach. One set of major vendor breaches in the last year were caused by a third-party administrator for health insurance companies, and impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.

In February of this year I queried a number of health care stakeholders seeking input on how we might improve cybersecurity in the health care industry. As I work with stakeholders to develop a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector, I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies, and what you plan to do about your other vendors, given the vulnerability and information security failures of this one.

Having long been an advocate for transparency and reporting of data breach information, I commend your reporting and handling of the breach notification, but I am still concerned with the third party evaluation and monitoring process.

To gain a better understanding of this situation, I would appreciate answers to the following questions:

1. Please describe your third-party vendor information security vetting process.

2. If you secure a contract with a third-party to collect information from your customers, do you have a process for evaluating the standards used by that entity, the sub-supplier, to secure their information systems?

3. What are your third-party vendor security and risk assessment requirements?

4. What are your third-party requirements for how customer information is processed and stored?

5. What are your third-party vendor requirements for data encryption?

6. How are you ensuring that your other third-party vendors like AMCA are not similarly vulnerable to point of sale malware or other information security vulnerabilities?

Thank you for your attention to this important issue. I look forward to your response in the next two weeks.

Sincerely,

Mark R. Warner

United States Senator


###

WASHINGTON, D.C. — Today, the Senate overwhelmingly passed bipartisan legislation cosponsored by U.S. Senators Mark R. Warner and Tim Kaine to crack down on illegal robocall scams. The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act gives regulators more time to find scammers, increases civil forfeiture penalties for those who are caught, requires service providers to adopt call authentication and blocking, and brings relevant federal agencies and state attorneys general together to address impediments to criminal prosecution of robocallers who intentionally break laws.

“Americans are sick and tired of receiving fraudulent robocalls,” said the Senators. “We are proud the Senate passed this bill to help protect consumers from scams and ensure those behind these illegal robocalls are held accountable.”

One report estimated the number of spam calls will grow from nearly 30 percent of all phone calls last year to 45 percent of all calls this year. The TRACED Act gives the FCC more flexibility to enforce rules in the short term, while setting in motion consultations to increase prosecutions of violations, which often require international cooperation. 

The bill now heads to the House for consideration.

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Elizabeth Warren (D-MA), along with Reps. Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL), reintroduced legislation today to hold large credit reporting agencies (CRAs) – including Equifax – accountable for data breaches involving sensitive consumer data. The Data Breach Prevention and Compensation Act will provide robust compensation to consumers for stolen data, impose mandatory penalties on CRAs for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs.

“It’s been nearly two years since hackers accessed the personal information of more than 143 million Americans, yet thousands of individuals continue to grapple with the effects of this massive breach,” said Sen. Warner. “As personal data becomes more and more valuable in today’s information economy, and the scale and impact to consumers of mega-breaches increase, there needs to be increased consequences for companies like Equifax that mishandle or neglect to properly safeguard consumer data. By imposing strict penalties for data breaches and facilitating compensations for affected Americans, this legislation will increase accountability and help ensure that credit reporting agencies actively prioritize the security of sensitive consumer information.”

“It's been over a year and a half since Equifax opened the doors to hackers who stole the personal data of more than half the adults in the country, and this new report shows that Equifax still has a long way to go to fix the problem it created,” said Sen. Warren. “Our bill, which would hold companies like Equifax accountable for failing to protect consumer data, would compensate consumers injured by these breaches and help ensure that they never happen again.”

In September 2017, Equifax announced that hackers had accessed and stolen sensitive personal information, including Social Security Numbers, birth dates, credit card numbers, driver's license numbers, and passport numbers, belonging to more than 143 million Americans – a number later revised up to 145.5 million people. The breach highlighted that CRAs like Equifax retain vast amounts of data on millions of Americans but often lack adequate safeguards against hackers. Since 2013, Equifax has reported at least four separate hacks in which sensitive personal information was compromised.

The Data Breach Prevention and Compensation Act would:

· Establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs.
· Impose mandatory, strict liability penalties for breaches involving consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. Under this bill, Equifax would have had to pay at least a $1.5 billion penalty for their failure to protect Americans' personal information.
· Ensure a robust recovery for affected consumers by requiring the FTC to use 50% of its penalty to compensate consumers.
· Increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach.
· Enhance FTC enforcement by giving the FTC civil penalty authority under the Gramm-Leach-Bliley Act.

Additionally, Sens. Warren and Warner, and Rep. Krishnamoorthi, in a new analysis of Consumer Financial Protection Bureau (CFPB) consumer complaints, revealed that consumers filed more than 52,000 complaints related to Equifax in the 18 months following the announcement of the Equifax breach – nearly double the number from the same period before the breach was announced. The report shows how Equifax continues to fail affected consumers by neglecting to provide adequate responses to consumer complaints, including by refusing to remove incorrect information from credit reports. The lawmakers also sent the report to the FTC and CFPB, requesting that the agencies take action.

The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups:

"This bill requires the FTC to provide much-needed oversight of the credit bureaus for data security. It also imposes real and meaningful penalties when the credit bureaus, who hold our most sensitive financial information, fail to adequately protect that information. I commend Senator Warren, Senator Warner, and Congressmen Cummings and Krishnamoorthi for their continuing efforts to prevent another massive security failure like the Equifax data breach," said National Consumer Law Center Staff Attorney, Chi Chi Wu.

"A concrete response to a serious problem facing American consumers. The ongoing risk of data breach and identity theft have reached epidemic proportions. We clearly need more expertise in the federal government to address this challenge. We hope the Senate will move forward this important and timely effort to safeguard American consumers and Internet users,” said Electronic Privacy Information Center President and Executive Director, Marc Rotenberg.

“Equifax still hasn’t paid a price two years after losing the financial DNA of 150 million Americans. That’s why U.S. PIRG commends Senator Warner, Senator Warren, and Congressmen Cummings and Krishnamoorthi for reintroducing the Data Breach Prevention and Compensation Act. The bill provides strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data,” said U.S. PIRG Consumer Campaign Director, Mike Litt.

"Making the companies that collect and sell consumers’ personal information liable when they fail to secure it is a necessary step in ensuring our privacy rights,” said Former Chief Technologist at the FTC, Ashkan Soltani.

More statements of support are available here. More information about this bill can be found here. For text of the bill, click here.

###


WASHINGTON – With summer vacation season just around the corner, Sens. Mark R. Warner and Tim Kaine (both D-VA) are drawing attention to an unexpected danger to beachgoers: flying beach umbrellas. Essential staples of many family vacations, the popular beach accessories can quickly become hazards when propelled by wind through the air, as has happened on several occasions in recent years, most tragically in 2016, when Lottie Michelle Belk of Chester, Va. was struck in the torso and killed while vacationing in Virginia Beach with her family. Today, Virginia’s Senators were joined by their colleagues from New Jersey, Sens. Bob Menendez and Cory Booker (both D-NJ), in asking the U.S. Consumer Product Safety Commission (CPSC) to do more to inform and protect the public from dangerous, and potentially lethal, flying beach umbrellas.

“As you know, beach umbrellas provide beachgoers the benefits of shade on hot and sunny days at the shore. Yet, a burst of wind can make these summer accessories harmful to those around them,” the Senators wrote to Consumer Product Safety Commission Acting Chair Ann Marie Buerkle. “Over the last several years, reports of horrific injuries resulting from beach umbrellas have splashed across the media.”

According to data from the Consumer Product Safety Commission, more than 31,000 people were treated at hospitals for umbrella-related injuries between 2008 and 2017. However, the publicly available data falls short of providing consumers with recommended safety standards to prevent beach umbrella-related injuries or information on specific products that have caused serious injuries.

The Senators noted several examples of these injuries, including a Virginia man who lost the use of his eye after a seven-foot-long beach umbrella struck him at a beach in Delaware.

The Senators are requesting more information from the Consumer Product Safety Commission, including what safety standards are in place to prevent umbrella-related injuries and problems with specific beach umbrella products, and what it is doing to ensure the public is properly educated of the risks and dangers of beach umbrellas to prevent injuries. They also requested that the CPSC provide a detailed breakdown of data on umbrella injuries, including the number of injuries caused specifically by beach umbrellas.

Full text of the letter is below and a copy can be found here.

May 2, 2019

Ann Marie Buerkle
Acting Chairman, U.S. Consumer Product Safety Commission
4330 East West Highway
Bethesda, MD 20814

Dear Acting Chairman Buerkle,

We write regarding concerns about the safety of beach umbrellas. Recently, we heard from constituents impacted by flying beach umbrellas, which have caused injury, and in at least one recent case, death. As you know, beach umbrellas provide beachgoers the benefits of shade on hot and sunny days at the shore. Yet, a burst of wind can make these summer accessories harmful to those around them. According to a query on the Consumer Product Safety Commission’s own website, from 2008-2017 over 31,000 people sought treatment at a hospital due to an umbrella-related injury. Unfortunately, the CPSC does not parse out the data to differentiate between types of umbrellas. Nonetheless, we request information regarding how the CPSC plans to address this issue.

Over the last several years, reports of horrific injuries resulting from beach umbrellas have splashed across the media. In 2015, a Virginian man lost the use of his eye after a seven-foot-long beach umbrella struck him at Bethany Beach, Delaware. Last year, a beach umbrella came loose from the sand in Seaside Heights, New Jersey impaling a British tourist through the ankle. That same summer a woman sitting on the beach in Ocean City, Maryland was pierced below the collarbone by a beach umbrella. Most tragically, in June 2016, a Virginia resident lost her life after a gust of wind launched an umbrella into the air, striking her in the torso while she was on vacation in Virginia Beach. The scourge of beach umbrellas is not a new phenomenon. In 2006, a woman in New York received $200,000 from New York State because of injuries she sustained from an airborne beach umbrella in 1999; the umbrella struck her forehead resulting in 13 stitches and permanent nerve damage.

To ensure the public is equipped with the most updated information, we request responses to the following questions:

  1. What if any safety standards does the CPSC have in place to adequately prevent beach umbrella-related injuries?
  2. Does CPSC believe any particular safety standard could prevent injuries?
  3. What is the CPSC doing to educate the public regarding the dangers of beach umbrellas?
  4. Has the CPSC received complaints regarding beach umbrellas? If so, what do those reports indicate about injuries related to beach umbrellas?
  5. Is the CPSC aware of problems with specific beach umbrellas that have not been made public?
  6. Can the CPSC provide a detailed breakdown of data on umbrella injuries? Specifically, how many injuries are specifically caused by beach umbrellas?

We appreciate CPSC’s willingness to take a direct look at the concerns raised by our constituents, and look forward to hearing back from you by June 3, 2019.

Sincerely,

###


WASHINGTON – A day ahead of the one-year anniversary of Facebook CEO Mark Zuckerberg’s congressional testimony, U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE) have introduced the Deceptive Experiences To Online Users Reduction (DETOUR) Act, bipartisan legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data.

The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not take under normal circumstances. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.  

“For years, social media platforms have been relying on all sorts of tricks and tools to convince users to hand over their personal data without really understanding what they are consenting to. Some of the most nefarious strategies rely on ‘dark patterns’ – deceptive interfaces and default settings, drawing on tricks of behavioral psychology, designed to undermine user autonomy and push consumers into doing things they wouldn’t otherwise do, like hand over all of their personal data to be exploited for commercial purposes,” said Sen. Warner, a former technology executive who is Vice Chairman of the Senate Select Committee on Intelligence. “Our goal is simple: to instill a little transparency in what remains a very opaque market and ensure that consumers are able to make more informed choices about how and when to share their personal information.” 

“Any privacy policy involving consent is weakened by the presence of dark patterns. These manipulative user interfaces intentionally limit understanding and undermine consumer choice. Misleading prompts to just click the ‘OK’ button can often transfer your contacts, messages, browsing activity, photos, or location information without you even realizing it. Our bipartisan legislation seeks to curb the use of these dishonest interfaces and increase trust online,” said Sen. Fischer, a member of the Senate Commerce Committee. 

Dark patterns can take various forms, often exploiting the power of defaults to push users into agreeing to terms stacked in favor of the service provider. Some examples of such actions include: a sudden interruption during the middle of a task repeating until the user agrees to consent; a deliberate obscuring of alternative choices or settings through design or other means; or the use of privacy settings that push users to ‘agree’ as the default option, while users looking for more privacy-friendly options often must click through a much longer process, detouring through multiple screens. Other times, users cannot find the alternative option, if it exists at all, and simply give up looking. 

The result is that large online platforms have an unfair advantage over users and potential competitors in forcing consumers to give up personal data such as their contacts, messages, web activity, or location to the benefit of the company. 

“The tech industry has gone unchecked for far too long. Bold action is needed on a wide scale to change the incentives in Silicon Valley with our well-being in mind, especially when it comes to kids,” said Jim Steyer, CEO of Common Sense. “This bill gets to the root of the issue – the use of manipulative and deceptive design features that trick kids and other users into giving up valuable and private information, and hook them into spending more time than is healthy online. Common Sense strongly supports Senators Warner and Fischer on this bipartisan effort to hold tech companies accountable for these practices that only harm consumers.” 

“Dark patterns are among the least humane design techniques used by technology companies in their scramble for growth at all costs. They use these measures to offer false choices that confuse or trap users into over-sharing personal information or driving compulsive use – especially from the most vulnerable users, including kids,” said Tristan Harris, Co-Founder of the Center for Humane Technology. “A system-wide rethinking of technology policy and design is in order, so CHT fully supports Senators Warner and Fischer in this bipartisan effort to place significant constraints around the ability to deceive users online. The creation of a special standards body is especially crucial to the protection of consumers, as they keep lawmakers more up-to-date and able to iterate laws at pace with the rapid change of technology.”

“We support Senators Warner and Fischer in protecting people from exploitive and deceptive practices online,” said Fred Humphries, Corporate Vice President of U.S. Government Affairs at Microsoft. “Their legislation helps to achieve that goal and we look forward to working with them.”

“People are ensnared by ‘dark patterns’ of manipulation on the Internet every day, and ending these practices is a key part of protecting people online. We need to better understand the systems that manipulate people online, and empower users to fight back. We applaud Senator Warner and Senator Fischer for introducing this legislation to curtail these troubling practices,” said Alan Davidson, Vice President of Global Policy, Trust and Security at Mozilla.

“EPIC appreciates Senator Warner and Senator Fischer’s important work to safeguard consumer privacy,” said Caitriona Fitzgerald, Electronic Privacy Information Center (EPIC) Policy Director.

The Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative dark pattern behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. The legislation:

  • Enables the creation of a professional standards body, which can register with the Federal Trade Commission (FTC), to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body, providing updated guidance to platforms on design practices that impair user autonomy, decision-making, or choice, positioning the FTC to act as a regulatory backstop.
  • Prohibits segmenting consumers for the purposes of behavioral experiments, unless with a consumer’s informed consent. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare. 
  • Prohibits user design intended to create compulsive usage among children under the age of 13 years old.
  • Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.

The full bill text is available here. 

Sen. Warner has been raising concerns about the implications of social media companies’ reliance on dark patterns for several years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on their News Feeds. 

Sen. Warner is recognized as one of Congress’ leading voices in an ongoing public debate around social media and user privacy. Last year, Sen. Warner called on the social media companies to work with Congress and provide feedback on ideas he put forward in a white paper discussing potential policy solutions to challenges surrounding social media, privacy, and data security. In addition to the DETOUR Act, in the coming weeks and months, Sen. Warner will introduce further legislation designed to improve transparency, privacy, and accountability on social media.

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and John Kennedy (R-LA), members of the Senate Banking Committee, introduced the Securities Fraud Enforcement and Investor Compensation Act, bipartisan legislation that would give the Securities and Exchange Commission (SEC) power to seek restitution for Main Street investors harmed by securities fraud.

The bill would give the SEC a broader range of tools to seek compensation for investors who’ve lost money to Ponzi schemes and other investment scams. It also extends the window of time for which the SEC can pursue a claim on an investor’s behalf from five years to ten.

“As Bernie Madoff demonstrated, financial fraudsters can sometimes go on for years, even decades, before they finally get caught. They shouldn’t be able to rip off investors just because some arbitrary five-year window has expired,” said Sen. Warner. “This bill will give the Securities and Exchange Commission more time and additional tools to seek restitution for everyday Americans who fall victim to investment scams.”

“Investors who are scammed by con artists like Bernie Madoff and Allen Stanford lose their life savings. All too often, the victims of financial fraud aren’t wealthy people,” Sen. Kennedy said. “They’re middle class Americans who lose every penny they set aside for their retirements. Because of a narrow window of time for recouping stolen investment dollars, fraudsters are actually incentivized to keep the shell game going for decades. This bill addresses that problem.”

Background:

On June 5, 2017, the Supreme Court in Kokesh v. Securities and Exchange Commission ruled that the SEC only has five years to bring disgorgement claims against bad actors to try to compensate harmed Main Street investors. Although the SEC strives to bring cases as soon as possible, sometimes well-concealed frauds are not discovered for many years. (As an example, Bernie Madoff was able to defraud investors for decades before his investment fund was revealed as a Ponzi scheme in 2009.) Under the Kokesh precedent, clever fraudsters can manage to retain any ill-gotten gains from outside the five-year window.

The implications of the Kokesh ruling limiting the SEC’s enforcement window to five years have been significant. The SEC’s 2018 enforcement report noted that “the court’s ruling in Kokesh may cause the Commission to forgo up to approximately $900 million in disgorgement, of which a substantial amount likely could have been returned to retail investors.” The Securities Fraud Enforcement and Investor Compensation Act addresses this problem by expanding the range of tools available to the SEC to pursue compensation for scammed investors, subject to a 10-year statute of limitations.

Today, the SEC typically compensates harmed investors by bringing disgorgement claims, which allow the SEC to recoup any ill-gotten profits from the perpetrator and turn them over to the investor. Sometimes, the profits are small, and the compensation can represent just a small fraction of the overall loss to the investor as a result of the fraud. Under the terms of the bill, the SEC would retain the power to bring disgorgement claims for up to five years, but would also gain the authority to file claims of restitution, which would increase the amount of compensation available to make whole harmed investors. Rather than limiting the compensation to just the profit margin of the perpetrator, as with a disgorgement claim, restitution would allow the SEC to recover from fraudsters and refund investors the full amount of their losses, up to ten years after the fact.

Bill text is available here.

###

WASHINGTON – U.S. Sens. Mark R. Warner and Tim Kaine (both D-VA) joined Sen. Jack Reed (D-RI) and the entire Senate Democratic Caucus in calling for the Consumer Financial Protection Bureau (CFPB) to protect U.S. military personnel and their families from predatory lenders. In a letter addressed to CFPB Director Kathleen Kraninger, the Senators urged CFPB not to cease checking for compliance with the Military Lending Act (MLA) in the Bureau’s routine lender examinations.

“When the CFPB was making every effort to protect servicemembers and their families, its own routine examination of one payday lender uncovered a violation of the MLA, where loans at rates higher than 36% were being extended to more than 300 active-duty servicemembers or their dependents,” the Senators wrote. “We urge you to continue these examinations in order to pursue the clear bipartisan goals of supporting military readiness, saving taxpayer money, and protecting our servicemembers and their families from predatory lenders.”

They concluded, “The CFPB should not have to be persuaded to stand up for consumers, especially military consumers and their families who simply do what’s right when asked to protect and defend our nation.  We urge you to do your duty and carry out the CFPB’s mission by standing with servicemembers and their families and ensuring that they receive all of the MLA protections they have earned.”

The MLA was passed in 2006 with bipartisan support to help safeguard active-duty military members and their families from financial fraud, predatory loans, and credit gouging. The law caps at 36% the annual interest rate for an extension of consumer credit to a servicemember or their dependents. It also strengthens military readiness by helping to prevent unnecessary servicemember separations caused by predatory lending. According to the Department of Defense (DOD), losing a servicemember due to personal issues, such as financial instability, costs taxpayers and DOD more than $58,000 per separated servicemember. In their letter, the Senators also requested that the bureau provide a full justification of its decision to put servicemembers at risk.

Sens. Warner and Kaine have previously pressed the administration on this issue, and have been outspoken advocates for Virginia’s active duty military personnel, veterans, and their families. In February, they wrote to the Secretaries of the U.S. Navy, Army, and Air Force, requesting information about military housing contracts with private companies after allegations surfaced of health hazards for military families. They also called on the VA in November to resolve payment issues that threatened to displace veterans from their homes.

Full text of the letter is below and a copy can be found here.

Hon. Kathleen Kraninger
Director
Consumer Financial Protection Bureau
1700 G St. N.W.
Washington, D.C. 20552

Dear Director Kraninger:

We write to request that you fulfill the Consumer Financial Protection Bureau’s (CFPB) mission by including compliance with the Military Lending Act (MLA) in the Bureau’s routine lender examinations, as was its practice prior to November 2018.  In short, we urge you to stand up to predatory lenders and stand with servicemembers and their families.

In 2006, Republicans and Democrats set aside partisanship and worked across the aisle to enact the MLA, which not only caps at 36% the annual interest rate for an extension of consumer credit to a servicemember or his or her dependents, but also strengthens military readiness by preventing unnecessary servicemember separations caused by predatory lending.  According to DOD, losing a servicemember due to personal issues, such as financial instability, costs taxpayers and DOD more than $58,000 for each separated servicemember.

Indeed, when the CFPB was making every effort to protect servicemembers and their families, its own routine examination of one payday lender uncovered a violation of the MLA, where loans at rates higher than 36% were being extended to more than 300 active-duty servicemembers or their dependents.  We urge you to continue these examinations in order to pursue the clear bipartisan goals of supporting military readiness, saving taxpayer money, and protecting our servicemembers and their families from predatory lenders.

The CFPB’s existing statutory authorities are more than sufficient to justify including MLA compliance in routine examinations, and to our knowledge, the CFPB’s authority in this regard has never been challenged.

As explained by the Consumer Federation of America in its November 1, 2018 legal analysis - Missing in Action? Consumer Financial Protection Bureau Supervision and the Military Lending Act - the relevant statutory provisions give the CFPB more than one basis for including the MLA in CFPB examinations.

For instance, one such provision, Section 1024(b)(1)(C) of the Dodd-Frank Wall Street Reform and Consumer Protection Act, explicitly states that the CFPB “shall require reports and conduct examinations on a periodic basis…for purposes of…detecting and assessing risks to consumers and to markets for consumer financial products and services.”  Charging servicemembers and their families more than 36% interest for loans is clearly a risk to consumers and indeed, DOD has stated that “high-cost debt can detract from mission focus, reduce productivity, and require the attention of supervisors and commanders.”  Therefore, the CFPB is authorized under Section 1024(b)(1)(C) to conduct examinations for this purpose. 

When Office of Management and Budget Director Mick Mulvaney removed MLA compliance from CFPB examinations, he argued that “such a broad statutory reading offers little to restrain the Bureau from supervising for compliance with a wide variety of other laws.”  To be clear, based on the plain text of Section 1024(b)(1)(C), Congress specifically intended this broad statutory reading.  In the aftermath of the worst financial crisis in decades where safety and soundness regulators failed to keep a watchful eye over Wall Street and predatory lenders, Congress provided the CFPB with broad powers to protect consumers – with an explicit focus on servicemembers and their families – so that risks could be spotted before they caused irreparable harm.  In short, the CFPB continues to have all the authority it needs to include the MLA as part of its routine lender examinations.  There is no law that prevents you from doing so.  

The CFPB should not have to be persuaded to stand up for consumers, especially military consumers and their families who simply do what’s right when asked to protect and defend our nation.  We urge you to do your duty and carry out the CFPB’s mission by standing with servicemembers and their families and ensuring that they receive all of the MLA protections they have earned.  Please provide a full justification of the current CFPB leadership’s decision to put servicemembers at risk by failing to do its duty no later than Friday, March 8, 2019.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Ranking Member of the Senate Banking Subcommittee on Securities, Insurance and Investment, released the following statement after the Securities and Exchange Commission (SEC) adopted a transaction fee pilot for National Market System (NMS) stocks to test the effects of “maker-taker” fee models on order routing and execution quality. The pilot program will create two test groups: one that bans rebates and linked pricing, and another that tests a fee cap of $0.0010:

“I’ve long urged the SEC to take the step it has taken today, and I’m heartened to see the SEC adopt this pilot.  It’s time we get this data to better understand stock exchange transaction-based fees and rebates so we can make sure our market structure is benefiting Main Street investors.”

Under the maker-taker pricing model, securities exchanges pay rebates to brokers that send bids and offers not intended for immediate execution, in the hopes of incentivizing liquidity in the market. Brokers who immediately execute their orders pay fees, which offset the rebates paid to brokers who create liquidity by not immediately executing their orders. However, this model has come under Congressional scrutiny after a 2013 study found evidence it created a conflict of interest for brokers – who may be incentivized to send orders that generate the largest rebate for the broker, rather than the best trade for the client. 

Since 2014, Sen. Warner has been raising concerns about the “maker-taker” model. In April 2016, Sen. Warner and Sen. Mike Crapo (R-ID) wrote to the SEC expressing support for a pilot program to study the effects of rebates on U.S. equity markets.  In July 2017, Warner wrote to newly-appointed SEC Chairman Jay Clayton and called for “…pursuing the full elimination of [maker-taker] rebates.” 

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) sent another letter to Federal Trade Commission (FTC) Chairman Joseph J. Simons pressing the leader of the agency to use the authorities granted to it by Congress to protect American businesses and shoppers from digital advertising fraud, which reached $7.4 billion in 2016 – costs that are later passed on to consumers in the form of higher prices. Today’s letter follows an earlier Oct. 25 letter urging the FTC to do more to respond to the prevalence of digital ad fraud, in light of inaction by major industry players like Google to voluntarily curb the problem.

Sen. Warner noted that in large part because of enforcement decisions made by the FTC, Google has come to dominate the digital ad market, but has done little to crack down on fraud. Google was the only major social media company absent for a September hearing in the Senate Intelligence Committee, on which Sen. Warner serves as Vice Chairman.

Sen. Warner today criticized the FTC’s failure to take action, writing, “As long as Google stands to profit from the sale of additional advertisements, the financial incentive for it to voluntarily root out and address fraud remains minimal. It was thus enormously discouraging to read your own response to my [Oct. 25] letter, which did nothing to address the inaction of major industry stakeholders in curbing these abuses. Instead, your letter appeared to suggest that your authority to address deceptive and unfair practices does not apply to this conduct; rather, your letter portrays the FTC as successfully addressing online fraud through workshops and education campaigns. Neither suggestion inspires confidence in the FTC’s efforts as digital ad fraud has continued to proliferate.”

“In recent congressional testimony, you have urged Congress to provide the FTC with additional authority related to promoting competition and consumer protection in the digital age. Increasingly, I am not convinced the Commission is adequately utilizing the authority it already has to crack down on fraud and other misbehavior,” Sen. Warner added. “The FTC is the agency explicitly empowered to address fraud and deceptive practices, and Section 5 of the Federal Trade Commission Act was written in broad terms precisely for this purpose. Since 1938, Congress has given your agency broad enforcement authority to protect consumers and expects you to use it. I would like to sit down with you in the next month to discuss how the FTC can ensure it does the job Congress intended it to do.” 

The full text of today’s letter is available here, and also appears below.

In October, Sen. Warner wrote a letter to Federal Trade Commission (FTC) Chairman Joseph Simons expressing concern following a report published by Buzzfeed detailing the continued prevalence of digital advertising fraud and inaction by Google to curb these efforts. According to Buzzfeed, this scheme has generated hundreds of millions of dollars in fraudulent advertising revenues, with operations spanning more than 125 Android apps and websites. The FTC’s November response can be found here.

In July 2016, Sen. Warner and Sen. Chuck Schumer (D-NY) wrote to then-FTC Chairwoman Ramirez calling on the agency to protect consumers from the growing digital ad fraud phenomenon. Since then, reports have estimated that digital ad fraud has only grown, to $7.4 billion in 2017 – and it is projected to rise to $10.9 billion by 2021.

The full text of today’s letter follows:

December 6, 2018

The Honorable Joseph J. Simons
Chairman
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20530

Dear Chairman Simons,

On October 25th, I wrote to you to express grave concerns with the growing phenomenon of digital ad fraud, and in particular my frustration with the ways that large intermediaries have turned a blind eye to, and in certain cases helped enable, this fraud. This letter followed concerns Senator Schumer and I raised in a 2016 letter to your predecessor about the negative economic impact of ad fraud on end users, advertisers, and publishers. I was deeply disappointed by your November 19th response, which failed to substantively address any of the concerns that I have been raising for two years now regarding the Federal Trade Commission’s failures to crack down on digital advertising fraud.

The digital advertising market has come to be largely dominated by one company,  in part because of enforcement decisions by the FTC.  The FTC’s failure to act has had the effect of allowing Google to structure its own market; through a series of transactions, the company has accomplished a level of vertical integration that allows it in effect to act as the equivalent of market-maker, commodities broker, and commodities exchange for digital advertising – in the process creating a range of conflicts of interest. While the company controls each link in the supply chain and therefore maintains the power to monitor activity in the digital advertising market from start to finish, it has continued to be caught flat-footed in identifying and addressing digital ad fraud. As we’ve seen in other contexts – such as the rampant proliferation of online disinformation – major platforms including Google have often proved unwilling to address misuse of their platforms until brought to the wider public’s attention by Congress or media outlets. As long as Google stands to profit from the sale of additional advertisements, the financial incentive for it to voluntarily root out and address fraud remains minimal.

It was thus enormously discouraging to read your own response to my letter, which did nothing to address the inaction of major industry stakeholders in curbing these abuses. Instead, your letter appeared to suggest that your authority to address deceptive and unfair practices does not apply to this conduct; rather, your letter portrays the FTC as successfully addressing online fraud through workshops and education campaigns. Neither suggestion inspires confidence in the FTC’s efforts as digital ad fraud has continued to proliferate.

In recent congressional testimony, you urged Congress to provide the FTC with additional authority related to promoting competition and consumer protection in the digital age.  Increasingly, I am not convinced the Commission is adequately utilizing the authority it already has to crack down on fraud and other misbehavior. The FTC is the agency explicitly empowered to address fraud and deceptive practices, and Section 5 of the Federal Trade Commission Act was written in broad terms precisely for this purpose. 

Since 1938, Congress has given your agency broad enforcement authority to protect consumers and expects you to use it. I would like to sit down with you in the next month to discuss how the FTC can ensure it does the job Congress intended it to do.   

Sincerely,

Mark R. Warner

United States Senator

###

WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Banking Committee, released the following statement after the Senate voted to advance the nomination of Kathy Kraninger to head the Consumer Financial Protection Bureau (CFPB):

“Director Mulvaney has been a disaster for consumers as head of the Consumer Financial Protection Bureau. He has dramatically reduced enforcement against banks and other financial institutions, weakened the law that protects servicemembers and their families from predatory lending, and rendered the Office of Fair Lending and Equal Opportunity quite toothless, to name just a few examples. 

“In her hearing before the Senate Banking Committee, Ms. Kraninger testified that she ‘cannot identify any action’ that Director Mulvaney ‘has taken with which I disagree.’ The CFPB is responsible for making sure that banks and big corporations can’t rip off American consumers. It should have a Director who shares that mission.”

###

WASHINGTON – U.S. Senators Amy Klobuchar (D-MN), Mark Warner (D-VA), Chris Coons (D-DE), and Richard Blumenthal (D-CT) pressed Facebook CEO Mark Zuckerberg to respond to reports that the company used contractors to retaliate against or spread intentionally inflammatory information about its critics. Since the 2016 election, both government and Facebook internal investigations have revealed that the company failed to adequately protect the data of its 2.2 billion users. Recent reports—including one from the New York Times—allege that Facebook has taken significant steps to undermine critics, including hiring partisan political consultants to retaliate and spread intentionally inflammatory information about people who have criticized Facebook, which, if not properly disclosed, may have campaign finance implications.

“We are gravely concerned by recent reports indicating that your company used contractors to retaliate against or spread intentionally inflammatory information about your critics,” the senators wrote. “In addition, the staggering amount of data that Facebook has collected on both its users and people who have not subscribed to or consented to use of the platform, raises concern that the company could improperly or illegally use its vast financial and data resources against government officials and critics seeking to protect the public and our democracy.”

“Both elected officials and the general public have rightfully questioned whether Facebook is capable of regulating its own conduct.” 

Russia attempted to influence the 2016 presidential election by buying and placing political ads on platforms such as Facebook, Twitter, and Google. The content and purchaser(s) of those online advertisements are a mystery to the public because of outdated laws that have failed to keep up with evolving technology. The Honest Ads Act, led by Klobuchar, Warner, and the late Senator John McCain (R-AZ) and cosponsored by Coons and Blumenthal, would prevent foreign actors from influencing our elections by ensuring that political ads sold online, including social media platforms like Facebook, are covered by the same rules as ads sold on TV, radio, and print.

The full text of the letter can be found below:

Dear Mr. Zuckerberg:

We are gravely concerned by recent reports indicating that your company used contractors to retaliate against or spread intentionally inflammatory information about your critics.  

Since the 2016 election, both the government and your own internal investigations have revealed that your company failed to adequately protect the data of its 2.2 billion users. Your company also failed to implement protocols to prevent manipulation by foreign adversaries working to undermine America’s political system. Both elected officials and the general public have rightfully questioned whether Facebook is capable of regulating its own conduct.  

According to recent reports, your company hired contractors to retaliate and spread intentionally inflammatory information about people who have criticized Facebook, which, if not properly disclosed, may have campaign finance and other potential legal implications. In addition, the staggering amount of data that Facebook has collected on both its users and people who have not subscribed to or consented to use of the platform, raises concern that the company could improperly or illegally use its vast financial and data resources against government officials and critics seeking to protect the public and our democracy.

In light of these concerns, we respectfully request you answer the following questions:

1. To your knowledge, did your company hire any entity – including, but not limited to, research firms and contractors – to collect or find information to be used in retaliation against people who criticized Facebook, including elected officials who were scrutinizing your company?

2. Did your company hire any entity – including, but not limited to, research firms and contractors – to spread negative or intentionally inflammatory information in retaliation against people who criticized Facebook, including elected officials who were scrutinizing your company?

3. Did your company – or any entity affiliated with or hired by your company – ever use any of the vast financial and data resources available to Facebook in retaliation against people who criticized Facebook, including elected officials who were scrutinizing your company?

4. Did your company – or any entity affiliated with or hired by your company – ever seek to conceal information related to foreign interference with the 2016 U.S. election from the public or government investigators?

5. Did your company – or any entity affiliated with or hired by your company – ever contact any media outlets with negative or misleading information, or suggest, promote, or amplify negative or misleading social media about your critics, including elected officials scrutinizing your company?

6. How much money have you expended or paid other entities to collect, find, spread or amplify information about people who have criticized Facebook, including elected officials scrutinizing your company? Has any of that spending been publicly disclosed?

7. Some of us have requested that the Deputy Attorney General expand the scope of the Department of Justice’s existing investigations to include the latest reports that Facebook hired contractors to retaliate and spread negative information about people who criticized the company. If the Department’s investigation is expanded to include this recent report, will you commit to cooperating with any investigation into this matter?

Thank you for your prompt attention to this request.

Sincerely,

###

WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and U.S. Sen. Marco Rubio (R-FL), a member of the Committee, urged Canadian Prime Minister Justin Trudeau to reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance. A letter from the two Senators to the Prime Minister follows comments made by Head-Designee of the Canadian Center for Cyber Security Scott Jones regarding Huawei. 

The entry of Chinese state-directed telecommunications companies like Huawei into the Canadian market could seriously jeopardize the relationship between U.S. and Canadian carriers, depriving North American operators of the scale needed to rapidly build out 5G networks.

The full text of the letter is below. A copy of the signed letter is available here. 

Dear Prime Minister Trudeau:

We write with grave concerns about the possibility that Canada might include Huawei Technologies or any other Chinese state-directed telecommunications company in its fifth-generation (5G) telecommunications network infrastructure.  As you are aware, Huawei is not a normal private-sector company.  There is ample evidence to suggest that no major Chinese company is independent of the Chinese government and Communist Party—and Huawei, which China’s government and military tout as a “national champion,” is no exception.

Based on what we know about Chinese state-directed telecommunications companies, it was troubling to learn that on September 20, 2018, the new Head-Designee of the Canadian Center for Cyber Security Scott Jones told the House of Commons Standing Committee on Public Safety and National Security that banning Huawei is not needed, in response to a question about why Canada has not come out against Huawei as other Five Eyes allies have.  Specifically, he claimed that Canada has “a very advanced relationship with our telecommunications providers, something that is different from most other countries,” adding, “We have a program that is very deep in terms of working on increasing that broader resilience piece especially as we are looking at the next-generation telecommunications networks.”

In contrast to Mr. Scott’s comments, however, three former senior Canadian national security officials warned earlier this year against the inclusion of Huawei in Canada’s 5G network.  One of them—Mr. Ward Elcock, former Deputy Minister of National Defence—told the Globe and Mail on March 18, 2018, “I have a pretty good idea of how signal-intelligence agencies work and the rules under which they work and their various operations,” concluding that, “I would not want to see Huawei equipment being incorporated into a 5G network in Canada.”

While Canada has strong telecommunications security safeguards in place, we have serious concerns that such safeguards are inadequate given what the United States and other allies know about Huawei.  Indeed, we are concerned about the impact that any decision to include Huawei in Canada’s 5G networks will have on both Canadian national security and “Five Eyes” joint intelligence cooperation among the United States, United Kingdom, Australia, New Zealand, and Canada.  As you know, Australia effectively banned Huawei, ZTE, and other Chinese state-directed companies from its nation’s 5G networks by excluding firms that “are likely to be subject to extrajudicial directions from a foreign government” and therefore pose unacceptable risks to national security.  Moreover, the United Kingdom’s Huawei Cyber Security Evaluation Centre Oversight Board’s 2018 annual report to Britain’s national security adviser found that “identification of shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunications networks and long-term challenges to mitigation and management.”

Further, the strong alignment between the United States and Canada in spectrum management has meant that American and Canadian carriers in many cases share complementary spectrum holdings, jointly benefiting from economies of scale for equipment designed for regionally harmonized frequencies. The entry of suppliers such as Huawei into the Canadian market could seriously jeopardize this dynamic, depriving both Canadian and American operators of the scale needed to rapidly build out 5G networks.

Given the strong statements by former Canadian national security officials as well as similar concerns out of the U.S., Australia, and the United Kingdom, we hope that you will reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance.  Should you have any questions about the threat that Chinese state-directed telecommunications firms pose to your networks, we urge your government to seek additional information from the U.S. Intelligence Community.

Thank you for your attention to this matter.

Sincerely,

###

WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Committee on Banking, Housing, and Urban Affairs, joined a group of 12 Senate Democrats in demanding that CFPB leadership explain how Consumer Financial Protection Bureau Policy Director Eric Blankenstein was chosen to oversee supervision, enforcement, and fair lending issues given his past racist writings.

Last week, the Washington Post uncovered a 2004 blog where Blankenstein, under an alias, posted bigoted writings on race, hate crimes, and women. In his current role as Policy Director at CFPB, Blankenstein is charged with enforcing consumer protection laws, including laws in place to prevent lending discrimination. CFPB leadership has failed to condemn Mr. Blankenstein’s writings, and failed to explain how someone with Mr. Blankenstein’s views came to be charged with fair lending responsibilities.

“Mr. Blankenstein was not hired through the competitive service process like most CFPB employees; he is one of your hand-selected political appointees. Further, you have specifically tasked him with overseeing the CFPB’s fair lending supervision and enforcement work at a time when you have decided to restructure the Office of Fair Lending and Equal Opportunity,” the Senators wrote. “It is unclear whether his appointment is due to a failure to investigate Mr. Blankenstein’s background prior to his appointment, Mr. Blankenstein withholding information from you and the CFPB, or an informed decision on your part to ignore his public comments.”

Joining Sen. Warner on the letter are U.S. Sens. Sherrod Brown (D-OH), Catherine Cortez Masto (D-NV), Richard Blumenthal (D-CT), Kirsten Gillibrand (D-NY), Elizabeth Warren (D-MA), Ron Wyden (D-OR), Kamala Harris (D-CA), Jack Reed (D-RI), Maria Cantwell (D-WA), Edward Markey (D-MA), Robert Menendez (D-NJ), and Cory Booker (D-NJ).

In his role as a member of the Senate Banking Committee, Sen. Warner has advocated for policies that support the well-being of diverse communities. Earlier this year, he led an effort in the Senate to urge banking regulators to take steps that would strengthen access to credit for disadvantaged communities under the Community Reinvestment Act (CRA).

Full text of the letter can be found here and below:

The Honorable Mick Mulvaney
Consumer Financial Protection Bureau
1700 G Street NW
Washington, D.C. 20552

Dear Mr. Mulvaney,

We are deeply concerned that you have placed a person with a history of racist writing at a senior position within the Consumer Financial Protection Bureau (CFPB). 

The Washington Post reported last week that Eric Blankenstein, a political appointee that you chose to oversee supervision, enforcement, and fair lending, wrote under an alias in defense of the use of racial slurs, and claimed without evidence that the majority of reported hate crimes were hoaxes. When confronted with his past writing on these and other subjects, Mr. Blankenstein acknowledged his authorship, but failed to denounce his writings. Only after an outcry from CFPB career staff did Mr. Blankenstein send a note apologizing for the “framing” and “tone” of his arguments – but he did not apologize for his defense of racial slurs, nor did he apologize for reflexively disbelieving victims of hate crimes. 

Mr. Blankenstein was not hired through the competitive service process like most CFPB employees; he is one of your hand-selected political appointees. Further, you have specifically tasked him with overseeing the CFPB’s fair lending supervision and enforcement work at a time when you have decided to restructure the Office of Fair Lending and Equal Opportunity. It is unclear whether his appointment is due to a failure to investigate Mr. Blankenstein’s background prior to his appointment, Mr. Blankenstein withholding information from you and the CFPB, or an informed decision on your part to ignore his public comments.

In order to ensure that the CFPB is fulfilling its fair lending mandate and thoroughly evaluating senior employees with fair lending responsibilities, it is critical for us to understand how someone with Mr. Blankenstein’s views was charged with this particular set of duties.

Please respond to the following requests no later than October 22, 2018.

1) Were you personally aware of any of the writings referenced in The Washington Post article prior to hiring Mr. Blankenstein?

a. If not, did you ask Mr. Blankenstein whether he had written anything that would reflect poorly on the CFPB or indicate that he was not an appropriate candidate for this role prior to extending an offer of employment? Did he respond verbally or in writing to any inquiry about past public statements?

b. If so, how were you made aware of the writings? Why did you believe it was still appropriate to hire Mr. Blankenstein to oversee supervision, enforcement and fair lending?

2) Please describe your process for identifying potential candidates for political appointment to senior CFPB positions and provide all written guidelines and procedures related to identifying potential candidates for appointment as senior CFPB officials.

a. Was Mr. Blankenstein recommended to you by a Member of Congress, a federal employee, or a person or entity subject to CFPB oversight?

b. Were all established guidelines and procedures adhered to during your search for candidates to fill this position? Were any other candidates considered for this position?

3) Please describe your process for vetting candidates for political appointment to senior CFPB positions, provide all written guidelines and procedures related to the performance of background checks or other due diligence, and specify whether such background checks include investigations into statements on social media, websites, or in other public forums.

a. Were all established guidelines related to background checks or other due diligence adhered to in evaluating Mr. Blankenstein’s appointment? Have they been adhered to for all CFPB political appointments during your tenure?

b. As part of any background check or other due diligence, was Mr. Blankenstein asked about past statements on social media, websites, or other public forums? If so, did Mr. Blankenstein properly disclose the above referenced writings?

4) Does Mr. Blankenstein have the confidence and support of the enforcement and fair lending staff he oversees? Will you further investigate Mr. Blankenstein’s past writings, and do you intend to take action if you find more troubling statements?

Sincerely,

###