Press Releases

WASHINGTON – As Labor Day weekend approaches, U.S. Sens. Mark Warner and Tim Kaine (both D-VA) along with Sens. Bob Menendez and Cory Booker (both D-NJ) are pressing product safety regulators to include beach umbrellas in their testing protocols as they work to develop new safety standards for umbrellas sold to consumers. It’s the latest push in the senators’ continued effort to protect beachgoers following multiple accidents involving wind-swept beach umbrellas, including in 2016, when Lottie Michelle Belk of Chester, Va. was struck in the torso and killed while vacationing in Virginia Beach with her family. 

Sens. Warner and Kaine have previously pushed for increased safety measures in a 2019 letter to the U.S. Consumer Product Safety Commission (CPSC). In addition, the senators have called for a public safety campaign to educate the public about the dangers of beach umbrellas.  

“Given the grave danger posed by beach umbrellas we feel it is imperative that ASTM include beach umbrellas in any new test methods,” the senators wrote to ASTM International Subcommittee Chair Ben Favret. “Summer is in full swing, and as millions of newly vaccinated Americans emerge from their homes to spend time at the shore, we must do all we can to ensure the safety of beach umbrellas.”

ASTM International—a nonprofit that often partners with the U.S. Consumer Product Safety Commission (CPSC) to develop technical standards for a wide range of materials, products, systems, and services—last year began testing the safety and durability of market umbrellas in various wind conditions. Unfortunately, it has continued to exclude beach umbrellas from this testing regimen, instead limiting it to patio and weighted-base umbrellas.

Assessing the risks associated with using certain products under specific conditions is a critical step towards developing new product safety standards, recommendations, and best practices to mitigate the risk.    

According to the U.S. Consumer Product Safety Commission, an estimated 2,800 people sought treatment at emergency rooms for beach umbrella-related injuries from 2010-2018.

Full text of the letter is below and can be downloaded here:

Ben Favret

Subcommittee Chair, ASTM F15.79

ASTM International

100 Barr Harbor Drive

West Conshohocken, PA 19428


Dear Mr. Favret:

We write to urge ASTM International to update its testing method standard to account for wind speed as it relates to beach umbrellas.

As you note on your website, “[t]he deleterious effects of a Market Umbrellas [sic] being blow[n] over or broken by wind forces can range from acute injury, such as cuts or bruises to blunt force trauma, such as concussions or broken bones and in some cases death.”  Further, you state that “[t]he lack of any voluntary standard for the safe performance of Market Umbrellas puts millions of consumers and employees around the world at risk unnecessarily.”  Indeed, as the Consumer Product Safety Commission (CPSC) stated in a June 2019 letter to the Senate, over the nine-year period from 2010-2018, an estimated 2,800 people sought treatment in emergency rooms for injuries related to beach umbrellas.  A majority of those injuries were caused by a wind-blown beach umbrella. 

In March 2021, the CPSC wrote to ASTM requesting that it “expand the standard to address fully the hazards of injuries and death due to beach umbrellas implanted in the sand.”  In addition, the agency suggested “mentioning the known fatality in the introduction of the standard, along with the injury data already there”.  We could not agree more. Given the grave danger posed by beach umbrellas we feel it is imperative that ASTM include beach umbrellas in any new test methods.

Summer is in full swing, and as millions of newly vaccinated Americans emerge from their homes to spend time at the shore, we must do all we can to ensure the safety of beach umbrellas. We appreciate ASTM’s willingness to consider this issue. Should you have further questions, please contact Shelby Boxenbaum in Senator Menendez’s office at 202-224-4744.

Sincerely, 

###

WASHINGTON – U.S. Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence; Senator Amy Klobuchar (D-MN), Chairwoman of the Senate Subcommittee on Competition Policy, Antitrust, and Consumer Rights; and Senator Chris Coons (D-DE), Chairman of the Subcommittee on Privacy, Technology, and the Law, sent a letter to Facebook CEO Mark Zuckerberg asking about Facebook’s decision to terminate the ability of researchers at New York University’s Ad Observatory Project to access its platform.

The independent researchers were studying political advertising on Facebook. Their research has produced several key discoveries including highlighting a lack of transparency in how advertisers target political ads online on Facebook. 

“We were surprised to learn that Facebook has terminated access to its platform for researchers connected with the NYU Ad Observatory project. The opaque and unregulated online advertising platforms that social media companies maintain have allowed a hotbed of disinformation and consumer scams to proliferate, and we need to find solutions to those problems,” the senators wrote.

The senators continued later in the letter: “...independent researchers are a critical part of the solution. While we agree that Facebook must safeguard user privacy, it is similarly imperative that Facebook allow credible academic researchers and journalists like those involved in the Ad Observatory project to conduct independent research that will help illuminate how the company can better tackle misinformation, disinformation, and other harmful activity that is proliferating on its platforms.”

The full text of the letter can be found below and HERE.


Dear Mr. Zuckerberg,  

As you know, we are committed to protecting privacy for all Americans while eliminating the scourge that is disinformation and misinformation, particularly with regard to elections and the COVID-19 pandemic.

We were surprised to learn that Facebook has terminated access to its platform for researchers connected with the NYU Ad Observatory project. The opaque and unregulated online advertising platforms that social media companies maintain have allowed a hotbed of disinformation and consumer scams to proliferate, and we need to find solutions to those problems. The Ad Observatory project describes itself as “nonpartisan [and] independent…focused on improving the transparency of online political advertising.” Research efforts studying online advertising have helped inform consumers and policymakers about the extent to which your ad platform has been a vector for consumer scams and frauds, enabled hiring discrimination and discriminatory ads for financial services, and circumvented accessibility laws. Such work to improve the integrity of online advertising is critical to strengthening American democracy.

We appreciate Facebook’s ongoing efforts to address misinformation and disinformation on its platforms. But there is much more to do, and independent researchers are a critical part of the solution. While we agree that Facebook must safeguard user privacy, it is similarly imperative that Facebook allow credible academic researchers and journalists like those involved in the Ad Observatory project to conduct independent research that will help illuminate how the company can better tackle misinformation, disinformation, and other harmful activity that is proliferating on its platforms.

We therefore ask that you provide written answers to the following questions by August 20, 2021:

  1. How many accounts of researchers and journalists were terminated or otherwise disabled during 2021, including but not limited to researchers from the NYU Ad Observatory?
  2. Please explain why you terminated those accounts referenced in question 1. If you believe that the researchers violated Facebook’s terms of service, please describe how, in detail.
  3. If the researchers’ access violated Facebook’s terms of service, what steps are you taking to revise these terms to better accommodate research that improves the security and integrity of your platform?
  4. Facebook’s public statement about its decision to terminate the Ad Observatory researchers’ access said that research should not “compromis[e] people’s privacy.” Please explain how the researchers’ work compromised privacy of end-users.
  5. The Ad Observatory project asked Facebook users to voluntarily install a browser extension that would provide information available to that user about the ads that the user was shown. Facebook’s public statement says that the extension “collected data about Facebook users who did not install it or consent to the collection.” Were these non-consenting “users” advertisers whose advertising information was being collected and analyzed, other individual Facebook users, or both?
  6. Facebook has suggested that the NYU researchers potentially violated user privacy because the browser extension could have exposed the identity of users who liked or commented on an advertisement.  However, both researchers at NYU and other independent researchers have confirmed that the extension did not collect information beyond the frame of the ad, and that the program could not collect personal posts.  Given these technical constraints, what evidence does Facebook have to suggest that this research exposed personal information of non-consenting individuals?
  7. Facebook’s public statement explaining its decision to revoke access for the NYU researchers states that Facebook made this decision “in line with our privacy program under the FTC Order.” FTC Acting Bureau Director Samuel Levine sent you a letter dated August 5, 2021 in which he noted that “Had you honored your commitment to contact us in advance, we would have pointed out that the consent decree does not bar Facebook from creating exceptions for good-faith research in the public interest. Indeed, the FTC supports efforts to shed light on opaque business practices.”
    1. Why didn’t Facebook contact the FTC about its plans to disable researchers’ accounts?
    2. Does Facebook maintain that the FTC consent decree or other orders required it to disable access for the Ad Observatory researchers? If so, please explain with specificity which sections of which decree(s) compel that response.
    3. Are there measures Facebook could take to authorize the Ad Observatory research while remaining in compliance with FTC requirements?
    4. In light of Mr. Levine’s statement that the FTC Order does not require Facebook to disable the access of the Ad Observatory researchers, does Facebook intend to restore the Ad Observatory researchers’ access?
  8. In its public statement, Facebook highlighted tools that it offers to the academic community, including its Facebook Open Research and Transparency (FORT) initiative. However, public reporting suggests that tool only includes data from the three-month period before the November 2020 election, and further that it does not include ads seen by fewer than 100 people.
    1. Why does Facebook limit this data set to the three months prior to the November 2020 election?
    2. Why does Facebook limit this data set to ads seen by more than 100 people?
    3. What percentage of unique ads on Facebook are seen by more than 100 people?

We look forward to your prompt responses.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the statement below, following a report that Facebook disabled the accounts of researchers studying political ads on the social network: 

“This latest action by Facebook to cut off an outside group’s transparency efforts – efforts that have repeatedly facilitated revelations of ads violating Facebook’s Terms of Service, ads for frauds and predatory financial schemes, and political ads that were improperly omitted from Facebook’s lackluster Ad Library – is deeply concerning. For several years now, I have called on social media platforms like Facebook to work with, and better empower, independent researchers, whose efforts consistently improve the integrity and safety of social media platforms by exposing harmful and exploitative activity. Instead, Facebook has seemingly done the opposite. It’s past time for Congress to act to bring greater transparency to the shadowy world of online advertising, which continues to be a major vector for fraud and misconduct.”

###

WASHINGTON – U.S. Senators Mark Warner (D-Va.), Bob Menendez (D-N.J.), and Mazie Hirono (D-Hawaii) today slammed Facebook for failing to remove vaccine misinformation from its platforms. The rapid spread of dangerous misinformation across social media could hamper the efforts of public health officials as they work to vaccinate hard-to-reach communities and hesitant individuals, representing a serious concern for public safety. Studies show that roughly 275,000 Facebook users belong to anti-vaccine groups on the platform. 

“As public health experts struggle to reach individuals who are vaccine hesitant, epidemiologists warn that low vaccination rates coupled with the relaxing of mask mandates could result in new COVID-19 outbreaks,” the senators wrote in a letter to Facebook CEO Mark Zuckerberg. “Moreover, most public health officials agree that because herd immunity in the U.S. is now unlikely, ‘continued immunizations, especially for people at highest risk because of age, exposure or health status, will be crucial to limiting the severity of outbreaks, if not their frequency’. In short, ‘vaccinations remain the key to transforming the virus into a controllable threat’.”

A recent report from Markup.org’s “Citizen Browser project” found that there are 117 active anti-vaccine groups on Facebook. Combined, the groups had roughly 275,000 members. The study also found that Facebook was recommending health groups to its users, including anti-vaccine groups and pages that spread COVID-19 misinformation and propaganda.

The lawmakers asked Zuckerberg a series of questions, including why users were recommended vaccine misinformation; how long anti-vaccine groups and pages remained on the platform before being taken down; and what specific steps the company is taking to ensure its platforms do not recommend vaccine misinformation to its users.

A copy of the letter can be found here and below:


Dear Mr. Zuckerberg,

We write to express our concern over recent reporting alleging that Facebook failed to remove vaccine misinformation from its platforms. As the U.S. struggles to reach vaccine hesitant individuals and the world grapples with new variants, it is more important than ever that social media companies such as Facebook ensure that their platforms are free from disinformation.

In a February 2021 blog post, Facebook promised to expand “the list of false claims [it] will remove to include additional debunked claims about the coronavirus and vaccines. This includes claims such as: COVID-19 is man-made or manufactured; Vaccines are not effective at preventing the disease they are meant to protect against; It’s safer to get the disease than to get the vaccine; [and] Vaccines are toxic, dangerous or cause autism.” According to data from the Markup.org’s “Citizen Browser project,” misinformation regarding COVID-19 and vaccines is readily available on Facebook. According to Madelyn Webb, a senior researcher at Media Matters, as late as April 2021 there were 117 active anti-vaccine groups on Facebook. Combined, those groups had roughly 275,000 members. Even more troubling is the finding that Facebook “continued to recommend health groups to its users, including blatantly anti-vaccine groups and pages explicitly founded to propagate lies about the pandemic.” As public health experts struggle to reach individuals who are vaccine hesitant, epidemiologists warn that low vaccination rates coupled with the relaxing of mask mandates could result in new COVID-19 outbreaks. Moreover, most public health officials agree that because herd immunity in the U.S. is now unlikely, “[c]ontinued immunizations, especially for people at highest risk because of age, exposure or health status, will be crucial to limiting the severity of outbreaks, if not their frequency.” In short, “vaccinations remain the key to transforming the virus into a controllable threat.”

In March 2021, Senator Warner wrote to you expressing these same concerns. Your April 2021 response failed to directly answer the questions posed in his letter. Specifically, you failed to respond to a question as to why posts with content warnings about health misinformation were promoted into Instagram feeds. Given Facebook’s continued failure to remove vaccine misinformation from its platforms, we seek answers to the following questions no later than July 5, 2021.

  1. In calendar year 2021, how many users viewed vaccine-related misinformation?
  2. In calendar year 2021, how many users were recommended anti-vaccine information or vaccine-related misinformation?
     a. Why were these users recommended such information?
  3. In calendar year 2021, how many vaccine-related posts has Facebook removed due to violations of its vaccine misinformation policy? How many pages were removed? How many accounts were removed? How many groups were removed?
     a. On average, how long did these pages or posts remain on the platform before Facebook removed them?
  4. What steps is Facebook taking to ensure that its platforms do not recommend vaccine-related misinformation to its users? Please be specific.
  5. What steps is Facebook taking to ensure that individuals who search out anti-vaccine content are not subsequently shown additional misinformation?
  6. In March 2019, Facebook said it would stop recommending groups that contained vaccine-related misinformation content. It wasn’t until February 2021 that the company announced it would remove such content across the platform. Why did it take Facebook nearly a year to make this decision?

Thank you in advance for your prompt response to the above questions.

Sincerely, 

###

WASHINGTON – Today U.S. Sens. Mark R. Warner (D-VA), Mazie Hirono (D-HI) and Amy Klobuchar (D-MN) announced the Safeguarding Against Fraud, Exploitation, Threats, Extremism and Consumer Harms (SAFE TECH) Act to reform Section 230 and allow social media companies to be held accountable for enabling cyber-stalking, targeted harassment, and discrimination on their platforms.  

“When Section 230 was enacted in 1996, the Internet looked very different than it does today. A law meant to encourage service providers to develop tools and policies to support effective moderation has instead conferred sweeping immunity on online providers even when they do nothing to address foreseeable, obvious and repeated misuse of their products and services to cause harm,” said Sen. Warner, a former technology entrepreneur and the Chairman of the Senate Select Committee on Intelligence. “Section 230 has provided a ‘Get Out of Jail Free’ card to the largest platform companies even as their sites are used by scam artists, harassers and violent extremists to cause damage and injury. This bill doesn’t interfere with free speech – it’s about allowing these platforms to finally be held accountable for harmful, often criminal behavior enabled by their platforms to which they have turned a blind eye for too long.” 

“Section 230 was passed in 1996 to incentivize then-nascent internet companies to voluntarily police illegal and harmful content posted by their users. Now, twenty-five years later, the law allows some of the biggest companies in the world to turn a blind eye while their platforms are used to violate civil and human rights, stalk and harass people, and defraud consumers—all without accountability,” Sen. Hirono said. “The SAFE TECH Act brings Section 230 into the modern age by creating targeted exceptions to the law’s broad immunity. Internet platforms must either address the serious harms they impose on society or face potential civil liability.”

“We need to be asking more from big tech companies, not less. How they operate has a real-life effect on the safety and civil rights of Americans and people around the world, as well as our democracy. Holding these platforms accountable for ads and content that can lead to real-world harm is critical, and this legislation will do just that,” said Sen. Klobuchar. 

The SAFE TECH Act would make clear that Section 230:

- Doesn’t apply to ads or other paid content – ensuring that platforms cannot continue to profit as their services are used to target vulnerable consumers with ads enabling frauds and scams;
- Doesn’t bar injunctive relief – allowing victims to seek court orders where misuse of a provider’s services is likely to cause irreparable harm;
- Doesn’t impair enforcement of civil rights laws – maintaining the vital and hard-fought protections from discrimination even when activities or services are mediated by internet platforms;
- Doesn’t interfere with laws that address stalking/cyber-stalking or harassment and intimidation on the basis of protected classes – ensuring that victims of abuse and targeted harassment can hold platforms accountable when they directly enable harmful activity;
- Doesn’t bar wrongful death actions – allowing the family of a decedent to bring suit against platforms where they may have directly contributed to a loss of life;
- Doesn’t bar suits under the Alien Tort Claims Act – potentially allowing victims of platform-enabled human rights violations abroad (like the survivors of the Rohingya genocide) to seek redress in U.S. courts against U.S.-based platforms.

These changes to Section 230 do not guarantee that platforms will be held liable in all, or even most, cases. Proposed changes do not subject platforms to strict liability; and the current legal standards for plaintiffs still present steep obstacles. Rather, these reforms ensure that victims have an opportunity to raise claims without Section 230 serving as a categorical bar to their efforts to seek legal redress for harms they suffer – even when directly enabled by a platform’s actions or design. 

Bill text is available here. A three-page summary is available here. Frequently asked questions about the bill are available here. A redline of Section 230 is available here.

“Social media platforms and the tech companies that run them must protect their users from the growing and dangerous combination of misinformation and discrimination. As we have repeatedly seen, these platforms are being used to violate the civil rights of Black users and other users of color by serving as virtually-unchecked homes for hateful content and in areas such as housing and employment discrimination through the targeting and limiting of who can see certain advertisements. Section 230 must be strengthened to ensure that these online communities are not safe harbors for the violations of civil rights laws. LDF supports Senator Warner and Senator Hirono’s bill as it addresses these critical concerns,” said Lisa Cylar Barrett, Director of Policy, NAACP Legal Defense and Educational Fund, Inc. (LDF).

“Tech companies must be held accountable for their roles in facilitating genocide, extremist violence and egregious civil rights abuses. We applaud Senators Hirono and Warner for their leadership in introducing a robust bill that focuses on supporting targets of civil and human rights abuses on social media while also addressing cyber-harassment and other crimes stemming from the spread of hate and disinformation. The sweeping legal protections enjoyed by tech platforms cannot continue,” said Jonathan A. Greenblatt, CEO of ADL (Anti-Defamation League).

“Platforms should not profit from targeting employment ads toward White users, or from targeting voter suppression ads toward Black users. Senator Warner and Senator Hirono’s comprehensive bill makes it clear that Section 230 does not give platforms a free pass to violate civil rights laws, while also preserving the power of platforms to remove harmful disinformation,” said Spencer Overton, President, Joint Center for Political and Economic Studies.

“I applaud the SAFE TECH Act introduced by Sens. Warner and Hirono which provides useful modifications to section 230 of the 1996 Communications Decency Act to limit the potential negative impacts of commercial advertising interests while continuing to protect anti-harassment and civil and human rights interests of those who may be wrongfully harmed through wrongful online activity,” Ramesh Srinivasan, Professor at the UCLA Department of Information Studies and Director of UC Digital Cultures Lab, said.

“Congress enacted 47 USC 230 in the mid-1990s to support online innovation and free speech, but the way in which courts have very generously read Section 230 has meant there is no legal mechanism that has done more to insulate intermediaries from legal accountability for distributing, amplifying, and carefully delivering unlawful content and facilitating dangerous antisocial connections. Racist, misogynist, and violent antidemocratic forces coalesce online because intermediaries rarely have to account for their social impacts. Senator Warner and Senator Hirono’s proposed changes create a new and necessary incentive for such companies to be far more mindful of the social impacts of their services in areas of law that are of vital importance to the health of the networked information environment. It does this while not abandoning the protection for intermediaries' distribution of otherwise lawful content,” said Olivier Sylvain, Professor at Fordham Law School and Director of the McGannon Center for Communications Research.

“We applaud Senator Warner and Senator Hirono’s important effort to reform Section 230 and thus bring greater accountability to the tech sector. Warner’s proposed reforms are crucial to protecting civil rights and making the web safer for those who have been negatively impacted by much that happens there, both online and off.  We thank Senator Warner and Senator Hirono for tackling this critically important issue,” Wendy Via, Cofounder, Global Project Against Hate and Extremism, said.

“The Cyber Civil Rights Initiative welcomes this effort to protect civil rights in the digital age and to hold online intermediaries accountable for their role in the silencing and exploitation of vulnerable communities. This bill offers urgently needed provisions to limit and correct the overzealous interpretation of Section 230 that has granted a multibillion dollar industry immunity and impunity for profiting from irreparable injury,” said Mary Anne Franks, President, Cyber Civil Rights Initiative and Danielle K. Citron, Vice President, Cyber Civil Rights Initiative.

“For too long, companies like Facebook and YouTube have undermined the rights and safety of Muslims and communities of color in the U.S. and around the world. We have urged them to take responsibility for the targeted hate and violence, including genocide, facilitated by their platforms but these companies have refused to act,” said Madihha Ahussain, Muslim Advocates Special Counsel for Anti-Muslim Bigotry. “We appreciate Senators Warner and Hirono for introducing the SAFE TECH Act, which includes essential adjustments to Section 230 and will finally hold these companies accountable for violating people’s rights.”

“The SAFE TECH Act is an important step forward for platform accountability and for the protection of privacy online. Providing an opportunity for victims of harassment, privacy invasions, and other violations to remove unlawful content is critical to stopping its spread and limiting harm,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director, Electronic Privacy Information Center (EPIC).

“The SAFE TECH Act is the Section 230 reform America needs now. Over-expansive readings of Section 230 have encouraged reckless and negligent shirking by platforms of basic duties toward their users. Few if any of the drafters of Section 230 could have imagined that it would be opportunistically seized on to deregulate online arms sales, protect sellers of defective merchandise, permit genocidaires to organize online with impunity, or allow dating sites to ignore campaigns of harassment and worse against their users. The SAFE TECH Act reins in the cyberlibertarian ethos of Section 230 imperialism, permitting courts to carefully weigh and assess evidence in cases where impunity is now preemptively assumed,” Frank Pasquale, Author of The Black Box Society and Professor at Brooklyn Law School, said.

“For far too long online platforms have placed profit over accountability and decency, and allowed misinformation, algorithmic discrimination, and online hate to be weaponized. When the Communications Decency Act was passed in 1996, no one imagined it would be used to shield the most valuable companies in the world from basic civil rights compliance,” said David Brody, Counsel and Senior Fellow for Privacy and Technology, Lawyers’ Committee for Civil Rights Under Law. “This bill would make irresponsible big tech companies accountable for the digital pollution they knowingly and willfully produce, while continuing to protect free speech online. Black Americans and other communities of color are frequent targets of online hate, threats and discrimination, and many of these online behaviors would not be tolerated if they occurred in a brick-and-mortar business. It is time that big tech stop treating our communities of color like second-class citizens, and give them the protection they deserve.”

“It is unacceptable that Big Tech enjoys near total legal immunity from the harm that their platforms expose to children and families. Tech companies should not be able to hide behind Section 230 to avoid abiding by civil rights laws, court injunctions, and other protections for families and the most vulnerable in society. Reforms proposed by Sens. Warner and Hirono begin to change that. It is time to hold these companies accountable for the harms their platforms have unleashed on society,” said James P. Steyer, CEO and Founder, Common Sense.

“The deadly insurrection at the Capitol made clear that lawmakers must take immediate action to ensure multi-billion-dollar social media companies, whose business models incentivize the unchecked spread of hate-fueled misinformation and violent clickbait conspiracies, can no longer abuse Section 230’s broad protections to evade civil rights laws,” said Arisha Hatch, Color Of Change Vice President and Chief of Campaigns. “The SAFE TECH Act from Sen. Warner and Sen. Hirono is critical. The proposed reform would not only prevent power-hungry social media companies from leveraging Section 230 to turn a blind eye to civil rights violations on their platforms, but it would also incentivize them to take down dangerous paid and organic content — and establish better protections against real world harms like cyberstalking, which disproportionately impacts Black women. We strongly encourage members of Congress to support this legislation, which represents a significant step towards finally holding Big Tech accountable for their years-long role in enabling civil rights violations against Black communities.”

“After 2020 no-one is asking if online misinformation creates real-world harms - whether it's COVID and anti-vaxx misinformation, election-related lies or hate, it is now clear that action is needed to deal with unregulated digital platforms. Whereas users can freely spread hate and misinformation and platforms profit from traffic regardless of whether it is productive or damaging, the costs are borne by the public and society at large. This timely bill forensically delineates the harms and ensures perpetrators and enablers pay a price for the harms they create. In doing so, it reflects our desire for richer communication technologies, which enhance our right to speak and be heard, and that also respect our fundamental rights to life and safety,” said Imran Ahmed, CEO, Center for Countering Digital Hate.

“Our lives are at stake because hate and white supremacy are flourishing online. On January 6th we saw the results of what continuous disinformation and hate online can do with the insurrection and domestic terrorist attack on the U.S. Capitol, where five lives were lost,” said Brenda Victoria Castillo, President & CEO, National Hispanic Media Coalition. “It is time to hold online platforms accountable for their role in the radicalization and spread of extremist ideologies in our country. NHMC is proud to support Senator Warner's limited reform of Section 230, and applauds his efforts to safeguard our democracy and the Latinx community.”

“Senator Mark Warner is a leader in ensuring that technology supports democracy even as it advances innovation. His and Senator Hirono’s new Section 230 reform bill now removes obstacles to enforcement against discrimination, cyber-stalking, and targeted harassment in the online world. The events of Jan 6 demonstrated that what happens online isn’t just a game. Online conspiracy theories, discrimination, and harassment are a public danger. The Warner-Hirono bill would go a long way toward addressing these dangers, and incentivizing platforms to move past the current, ineffective whack-a-mole approach to these important online harms,” said Karen Kornbluh, Director of the Digital Innovation and Democracy Initiative at the German Marshall Fund of the US and Former US Ambassador to the Organization for Economic Co-operation and Development.

###

WASHINGTON - As tech companies and public health agencies deploy new tools to fight the spread of COVID-19 – including contact tracing apps, digital monitoring, home tests, and vaccine appointment booking – U.S. Sens. Mark R. Warner (D-VA), Richard Blumenthal (D-CT) and U.S. Representatives Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.

After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19. 

“Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”

“Our health privacy laws have not kept pace with what Americans have come to expect for their sensitive health data,” Warner said. “Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services. Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health.” 

“I’m exceedingly proud of the American innovators, many of whom are in my congressional district, who have built technologies to combat the coronavirus. As these technologies are used, they must be coupled with policies to protect the civil liberties that define who we are as a nation,” said Eshoo. “The Public Health Emergency Privacy Act is a critical bill that will prohibit privacy invasions by preventing misuse of pandemic-related data for unrelated purposes like marketing, prohibiting the data from being used in discriminatory ways, and requiring data security and integrity measures. The legislation will give the American people confidence to use technologies and systems that can aid our efforts to combat the pandemic.”

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights. I am proud to re-introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo and Congresswoman DelBene, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that the Trump Administration missed an opportunity when it failed to advocate for swift passage of this legislation. Based on how poorly the Trump Administration’s contact tracing scheme went, we all know this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to the Biden Administration’s plan for widespread testing and manual contact tracing.”

“Technology has become one of our greatest tools in responding to the COVID-19 pandemic but we need to build trust with the broader public if we are going to reach its full potential. Americans need to be certain their sensitive personal information will be protected when using tracing apps and other COVID-19 response technology and this pandemic-specific privacy legislation will help build that trust,” said DelBene. “Data privacy should not end with the pandemic. We need comprehensive privacy reform to protect Americans at all times, including state preemption to create a strong, uniform national standard. I hope that this crisis has shed light on the lack of adequate digital privacy policies in our country and look forward to working with these lawmakers and others to create the necessary standards moving forward.”

The bill is co-sponsored in the Senate by U.S. Senators Michael Bennet (D-CO), Amy Klobuchar (D-MN), Edward J. Markey (D-MA), Tammy Baldwin (D-WI), Mazie K. Hirono (D-HI), Cory Booker (D-NJ), Robert Menendez (D-NJ), Angus King (I-ME), Elizabeth Warren (D-MA) and Dick Durbin (D-IL).

The bill is co-sponsored in the House of Representatives by Don Beyer (D-VA), Jerry McNerney (D-CA), Nanette Diaz Barragán (D-CA), Mark Pocan (D-WI), Bobby Rush (D-IL), Peter Welch (D-VT), Mary Gay Scanlon (D-PA), Doris Matsui (D-CA), Ted Lieu (D-CA), Mark DeSaulnier (D-CA), Jahana Hayes (D-CT), Ro Khanna (D-CA), Jesús “Chuy” García (D-IL), Stephen Lynch (D-MA), Raúl Grijalva (D-AZ), Barbara Lee (D-CA), Debbie Dingell (D-MI), and Peter DeFazio (D-OR).

The Public Health Emergency Privacy Act would:

·       Ensure that data collected for public health is strictly limited for use in public health;

·       Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;

·       Prevent the potential misuse of health data by government agencies with no role in public health;

·       Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;

·       Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;

·       Require regular reports on the impact of digital collection tools on civil rights;

·       Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and

·       Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

The Public Health Emergency Privacy Act is endorsed by Access Now, Electronic Privacy and Information Center (EPIC), the Center for Digital Democracy, Color of Change, Common Sense Media, New America’s Open Technology Institute, and Public Knowledge.

“A public health crisis is not the time to give up on our privacy rights, and this bill would go a long way toward protecting those rights. COVID-19 response apps are already out there, and this bill will help ensure that the apps are distributed and used in a responsible manner that will limit the new and expansive surveillance systems companies are building. Allowing these apps to proceed unchecked would create serious privacy violations that will never be undone,” said Eric Null, U.S. Policy Manager at Access Now.

“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC).

“Public health measures to contain the deadly spread of COVID-19 must be effective and protect those most at risk. Where data are collected or used, they should not be misused to undermine privacy, fairness and equity, or place our civil rights in peril. The Public Health Emergency Privacy Act ensures that efforts to limit the spread of the virus truly protect all our interests,” said Katharina Kopp, Director of Policy for the Center for Digital Democracy.

“Color Of Change strongly supports the Public Health Emergency Privacy Act, as it would prevent corporate profiteering and government misuse of health data to help ensure Black people — who are disproportionately exposed to the dangers of surveillance — can operate online without fear. Profit-incentivized corporations should not be allowed to exploit loopholes to gather and sell sensitive health and location data without any regard to the safety of our communities. As the COVID-19 pandemic rages on, we need stringent and enforceable safeguards in place to protect private health information of Black people and other marginalized communities, who are most at risk of both COVID-19 and surveillance. We thank Senators Blumenthal and Warner for their leadership on this legislation, and we will continue to advocate for the highest standard of protection against the abuse of personal data,” said Color Of Change President Rashad Robinson.

“Common Sense calls on Congress to pass meaningful privacy safeguards for families. More than ever, the pandemic has highlighted how important it is that families can trust how their information is being collected, used, and shared. PHEPA is an important proposal to ensure technologies and data being used to combat COVID are used in privacy-protective ways, and it also can serve as a model for how Congress can comprehensively protect privacy in the near future,” said Ariel Fox Johnson, Senior Counsel for Global Policy with Common Sense Media. 

“OTI welcomes the re-introduction of this legislation that would establish strong safeguards to prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner. The ongoing privacy threats and urgency of the pandemic make these protections more important than ever,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.

“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge.

###

Washington, D.C. – Today, U.S. Sen. Mark R. Warner (D-Va.) joined Sens. Catherine Cortez Masto (D-Nev.) and Sherrod Brown (D-Ohio) and 13 of their Senate colleagues in sending a letter to Consumer Financial Protection Bureau (CFPB) Director Kathleen Kraninger regarding the Bureau’s recent public enforcement actions against mortgage originators offering Veterans Administration (VA)-guaranteed loans. Between July 2020 and September 2020, the CFPB announced consent orders against eight different mortgage lenders for deceptive and misleading advertising of VA mortgages. In each case, the CFPB found that the originators’ advertisements contained false, misleading, or inaccurate statements that violated the Consumer Financial Protection Act’s prohibition against deceptive acts and practices, the Mortgage Acts and Practices Advertising Rule, and Regulation Z. The CFPB collected approximately $2.8 million in civil penalties from these eight violators, but did not require any of these companies to provide restitution to harmed consumers.

The lawmakers wrote, “We write to you regarding the Consumer Financial Protection Bureau (Bureau)’s recent public enforcement actions against mortgage originators offering Veterans Administration (VA)-guaranteed loans. We are deeply concerned by the Bureau’s failure to obtain restitution for consumers who were targeted by these companies’ deceptive marketing practices.”

“Unfortunately, because of extended travel and multiple relocations, often related to their service, servicemembers and veterans are particularly vulnerable to scams. The VA and the Bureau have long been aware of one such scam: direct-mail advertisements that contained inadequate disclosures or misleading and deceptive statements pertaining to VA home loans,” the lawmakers continued. “For instance, in 2016, the Bureau released a snapshot of servicemember complaints and highlighted that veterans had reported receiving misleading advertisements. And in November 2017, the VA and the Bureau issued a “Warning Order” alerting servicemembers and veterans to offers of mortgage refinancing that contained deceptive or false advertising.”

“As servicemembers, veterans, and their families make sacrifices for our country, they expose themselves to a number of financial risks and challenges; the Bureau must be clear that it is looking out for them in return. We are concerned that there has been no effort to ensure that thousands of servicemembers and veterans are made whole or at least compensated for damages caused by unscrupulous lenders seeking to profit by misleading homeowners,” wrote the lawmakers. 

The full text of the letter can be found here.

BACKGROUND:

Since the beginning of the coronavirus pandemic, complaints to the CFPB have increased 50 percent over the 2019 levels, including thousands of complaints about credit reporting, debt collection, credit cards and prepaid cards, and mortgages. 

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), former technology entrepreneur and Vice Chairman of the Senate Select Committee on Intelligence, applauded the House passage of the Internet of Things (IoT) Cybersecurity Improvement Act – legislation to establish minimum security requirements for Internet of Things (IoT) devices purchased by the U.S. government. Sen. Warner authored and introduced this legislation in the Senate in August 2017. He reintroduced the bill in the 116th Congress with a House companion led by U.S. Reps. Robin Kelly and Will Hurd. That legislation passed through the Senate Homeland Security and Governmental Affairs Committee in June 2019 and now awaits consideration in the Senate. 

“The House passage of this legislation is a major accomplishment in combatting the threats that insecure IoT devices pose to our individual and national security. Frankly, manufacturers today just don’t have the appropriate market incentives to properly secure the devices they make and sell – that’s why this legislation is so important,” said U.S. Sen. Mark R. Warner. “I commend Congresswoman Kelly and Congressman Hurd for their efforts to push this legislation forward over the past two years. I look forward to continuing to work to get this bipartisan, bicameral bill across the finish line in the Senate.”

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act introduced by Sen. Warner would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
  • Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
  • Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.

Sen. Warner, the Vice Chairman of the Senate Select Committee on Intelligence and former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet of Things.

###

WASHINGTON, DC – As communities across the country grapple with how to reopen as safely as possible, U.S. Sen. Mark R. Warner joined Sens. Tom Carper (D-Del.), Bill Cassidy, M.D. (R-La.) and a bipartisan group of senators in calling on the Department of Health and Human Services (HHS) and the Centers for Disease Control and Prevention (CDC) to improve, automate and modernize COVID-19 data collection and management. In a letter sent to Secretary Azar and Dr. Redfield, the lawmakers specifically called on the agencies to harness technologically advanced systems and build on existing data sources in order to provide public health officials and community leaders with more accurate, real-time information as they make critical decisions about reopening.

Unfortunately, recent reports have shown that case reporting and contact tracing across the country are being hampered by a fragmented health system and antiquated technology, including manual entry of patients’ data and results and sharing of such results through paper and pencil or fax. In Texas, some patients were having to wait 10 days to find out if they had been infected with coronavirus because their results were being faxed to public health officials and then entered into a database by hand. 

In their letter, the lawmakers wrote, “During an emergency such as the current pandemic, scaling up and using existing systems to the greatest extent possible can improve data collection and contact tracing efforts. We therefore ask that you and your colleagues utilize and build on existing data sources, such as electronic health record (EHR) and laboratory information management systems (LIMS), claims databases, and other automated systems to provide government leaders, public health officials, community leaders, and others with actionable, easy-to-interpret data from a wide-ranging set of sources. Data generated by contact tracing, syndromic surveillance, and large-scale testing can help inform decisions on how to safely reopen communities and bring economies back online. Modernizing and automating data collection should augment detection, testing, and contact tracing plans, while also helping to prevent and improve the management of new outbreaks.”

The bipartisan group highlighted the fact that some of these tools are already being successfully utilized in communities across the country. They noted, “Fortunately, software-based systems providing data management for state public health entities and major testing laboratories already exist, and they are more efficient and accurate while reducing the burden of excess paperwork. For example, North Carolina and Florida have taken steps to modernize and improve patients’ Covid-19 test results and other infectious disease symptoms. In Florida, nurses can register patients for Covid testing in the field using tablet computers that are connected to a HIPAA compliant cloud. By managing the patient and order requisition information electronically, lab processing time is reduced and transcription errors are eliminated.”

Joining Sens. Warner, Carper and Cassidy in sending this letter are Sens. Michael Bennet (D-Colo.), Richard Blumenthal (D-Conn.), Bob Casey (D-Penn.), Susan Collins (R-Maine), Chris Coons (D-Del.), Tina Smith (D-Minn.), and Thom Tillis (R-N.C.).

The letter is available here.


###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) joined Sen. Amy Klobuchar (D-MN), a senior Member of the Senate Commerce Committee and Ranking Member of the Senate Judiciary Subcommittee on Antitrust, Competition Policy and Consumer Rights, and Sen. Jerry Moran (R-KS), Chairman of the Senate Commerce Subcommittee on Manufacturing, Trade, and Consumer Protection, in sending a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application (“app”) Premom. 

Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant, relying on personal and private health information. As of November 2019, the app had been downloaded over half a million times, and it is one of the top search results among fertility apps in the Apple App Store and Google Play.

In addition to Sen. Warner, Sens. Klobuchar and Moran were joined by Senate Commerce Committee Ranking Member Maria Cantwell (D-WA), Richard Blumenthal (D-CT), Shelley Moore Capito (R-WV), and Elizabeth Warren (D-MA).

“A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent,” Klobuchar and her colleagues wrote.

The full text of the letter can be found HERE and below:

Dear Chairman Simons:

We write to express our serious concerns regarding recent reports about the data collection and sharing practices of the mobile application (“app”) Premom and to request information on the steps that the Federal Trade Commission (FTC) plans to take to address this issue.

Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant. As of November 2019, the app has been downloaded over half a million times, and it is one of the top search results among fertility apps in the leading app stores. To use Premom, users provide the app extensive personal and private health information.

A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent. IDAC sent a letter to the FTC on August 6, 2020, to describe these undisclosed data transmissions along with other concerning allegations including conflicting privacy policies and questionable representations related to their collection of installed apps for functionality purposes.

While Premom claimed to only share “nonidentifiable” information in its privacy policy, the IDAC report found that Premom collected and shared—with three third-party advertising companies based in China including Jiguang, UMSNS, and Umeng—non-resettable unique user device identifiers that can be used to build profiles of consumer behavior. Additionally, users of the Premom app were not given the option to opt out of sharing their personal data with these advertising companies, and reports also allege that one of the companies that received user data from Premom concealed the data being transferred—which privacy experts say is an uncommon practice for apps that is used primarily to conceal their data collection practices.

While we understand that Premom has taken steps to update its app to halt the sharing of its users’ information with these companies, it is concerning that Premom may have engaged in these deceptive practices and shared users’ personal data without their consent. Additionally, there may still be users who have not yet updated the Premom app, which could still be sharing their personal data—without their knowledge or consent. 

In light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:

1.  Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?

2.  Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?

3.  Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?

4.  Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.

5.  How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in? 

Thank you for your time and attention to this important matter. We look forward to working with you to improve American consumers’ data privacy protections. 

Sincerely, 
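The non-resettable identifiers and the concealed payload described in the letter are the behaviours an app privacy audit looks for in captured outbound traffic. The Python below is an added example of such a check; it is not IDAC's tooling, Premom's code, or anything from the letter, and the request records, third-party hostnames and the first-party host in it are constructed for illustration. It flags parameters sent to third-party hosts that name or resemble a persistent hardware identifier (IMEI, ANDROID_ID, MAC address), and, because the letter notes that one recipient concealed what it received, it separately flags opaque base64-looking bodies to third parties for manual review instead of silently passing them as clean.

```python
"""Audit captured outbound app requests for persistent identifiers sent to
third parties. Added illustration; hosts and records below are constructed."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: the app's own backend. Traffic here is first-party and not flagged.
FIRST_PARTY_HOSTS = {"api.example-fertility-app.test"}

# Value shapes of identifiers a user cannot reset from device settings
# (unlike the advertising ID). Heuristic patterns, not authoritative formats.
PERSISTENT_ID_PATTERNS = {
    "imei": re.compile(r"\b\d{15}\b"),                            # 15-digit IMEI
    "android_id": re.compile(r"\b[0-9a-f]{16}\b"),                # 64-bit ANDROID_ID, hex
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),  # hardware address
}
# Parameter names that conventionally carry such values (assumption).
PERSISTENT_ID_KEYS = {"imei", "android_id", "androidid", "serial", "mac", "wifi_mac"}

# A body that is one long base64-alphabet token with no structure cannot be
# inspected by pattern matching: encrypted or packed payloads look like this.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


@dataclass
class Finding:
    host: str
    kind: str    # "persistent_id" or "opaque_payload"
    detail: str


def is_opaque(body: str) -> bool:
    """True when the body is an undecodable blob that needs manual review."""
    return bool(OPAQUE_RE.match(body))


def extract_params(url: str, body: str) -> Dict[str, List[str]]:
    """Merge query-string parameters with JSON or form-encoded body fields."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if body and not is_opaque(body):
        try:
            obj = json.loads(body)
            if isinstance(obj, dict):
                for key, value in obj.items():
                    params.setdefault(key, []).append(str(value))
                return params
        except ValueError:
            pass  # not JSON; fall through to form decoding
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def classify_value(key: str, value: str) -> Optional[str]:
    """Return the identifier class if the key or value looks persistent, else None."""
    if key.lower() in PERSISTENT_ID_KEYS:
        return key.lower()
    for name, pattern in PERSISTENT_ID_PATTERNS.items():
        if pattern.search(value):
            return name
    return None


def audit(requests: List[dict]) -> List[Finding]:
    """Flag third-party requests carrying persistent IDs or opaque payloads."""
    findings: List[Finding] = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if host in FIRST_PARTY_HOSTS:
            continue
        body = req.get("body", "")
        if is_opaque(body):
            findings.append(Finding(host, "opaque_payload",
                                    f"{len(body)}-char undecodable body; review manually"))
        for key, values in extract_params(req["url"], body).items():
            for value in values:
                kind = classify_value(key, value)
                if kind:
                    findings.append(Finding(host, "persistent_id",
                                            f"{kind} sent via parameter {key!r}"))
    return findings


# Constructed sample capture (hypothetical hosts and values, not real traffic).
SAMPLE_REQUESTS = [
    # first-party sync carrying an IMEI: in scope for the app's own policy, not flagged here
    {"url": "https://api.example-fertility-app.test/v1/sync?imei=356938035643809", "body": ""},
    # analytics SDK posting ANDROID_ID in a form body to a third party
    {"url": "https://stats.analytics-vendor.test/collect",
     "body": "event=open&android_id=9774d56d682e549c&app=fertility"},
    # SDK posting an opaque blob: contents unknown, so flagged for review
    {"url": "https://push.sdk-vendor.test/report",
     "body": "Q2xpZW50SUQ6OWZhYzM1YjFhOGU3ZDIwNGY2ZTMzYjEyYzg5YWRhNDA="},
    # benign third-party fetch with no parameters
    {"url": "https://cdn.fonts.test/font.woff2", "body": ""},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"{f.kind:16} {f.host:32} {f.detail}")
```

The opaque-payload finding is deliberately a review item rather than a verdict: a base64 body may be harmless compression, but an auditor who only grepped plaintext for identifiers would have reported the concealed channel as clean.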

###


WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) and Sen. Richard Blumenthal (D-CT), along with Sens. Michael Bennet (D-CO), Mazie Hirono (D-HI), Angus King (I-ME), Bob Menendez (D-NJ), Kamala Harris (D-CA), Ed Markey (D-MA), Cory Booker (D-NJ), Tammy Baldwin (D-WI), Elizabeth Warren (D-MA), Amy Klobuchar (D-MN), and Dick Durbin (D-IL), sent a letter to Senate leaders urging them to include the Public Health Emergency Privacy Act in the next coronavirus relief package as negotiations between Senate Republicans and Democrats are underway. Inclusion of the legislation will help strengthen the public’s trust to participate in critical screening and contact tracing efforts to aid in the fight against COVID-19.

“As you begin negotiations on another coronavirus stimulus package, we write to urge inclusion of commonsense privacy protections for COVID health data. Building public trust in COVID screening tools will be essential to ensuring meaningful participation in such efforts. With research consistently showing that Americans are reluctant to adopt COVID screening and tracing apps due to privacy concerns, the lack of health privacy protections could significantly undermine efforts to contain this virus and begin to safely re-open – particularly with many screening tools requiring a critical mass in order to provide meaningful benefits,” the Senators wrote in a letter to Senate Majority Leader Mitch McConnell, Senate Minority Leader Chuck Schumer, and the Chairman and Ranking Member of the Senate Committee on Health, Education, and Labor.

According to a recent survey, 84 percent of Americans feel uneasy about sharing their personal health information for COVID-19 related mitigation efforts. Public reluctance can be attributed to a myriad of investigative reports and congressional hearings that have exposed widespread secondary use of Americans’ data over the years. The Senators noted that with the inclusion of their bill, Congress can establish commonsense targeted rules to ensure the collection, retention, and use of data by COVID screening tools are focused on combatting COVID and not for extraneous, invasive, or discriminatory purposes.

“Our urgent and forceful response to COVID-19 can coexist with protecting and even bolstering our health privacy. If not appropriately addressed, these issues could lead to a breakdown in public trust that could ultimately thwart successful public health surveillance initiatives. Privacy experts, patient advocates, civil rights leaders, and public interest organizations have resoundingly called for strong privacy protections to govern technological measures offered in response to the COVID-19 crisis. In the absence of a federal privacy framework, experts and enforcers – including the Director of the Bureau of Consumer Protection of Federal Trade Commission – have encouraged targeted rules on this sensitive health data. The Public Health Emergency Privacy Act meets the needs raised by privacy and public health communities, and has been resoundingly endorsed by experts and civil society groups,” the Senators continued.

A copy of the letter can be found here and below.

 

Dear Leader McConnell, Leader Schumer, Chairman Alexander, and Ranking Member Murray,

As you begin negotiations on another coronavirus stimulus package, we write to urge inclusion of commonsense privacy protections for COVID health data. Building public trust in COVID screening tools will be essential to ensuring meaningful participation in such efforts. With research consistently showing that Americans are reluctant to adopt COVID screening and tracing apps due to privacy concerns, the lack of health privacy protections could significantly undermine efforts to contain this virus and begin to safely re-open – particularly with many screening tools requiring a critical mass in order to provide meaningful benefits. According to one survey, 84% of Americans “fear that data collection efforts aimed at helping to contain the coronavirus cost too much in the way of privacy.”

Public health experts have consistently pointed to health screening and contact tracing as essential elements of a comprehensive strategy to contain and eradicate COVID. Since the onset of the pandemic, employers, public venue operators, and consumer service providers have introduced a range of tools and resources to engage in symptom monitoring, contact tracing, exposure notification, temperature checks, and location tracking. Increasingly, we have seen higher education institutions mandate the use of these applications for incoming students and employers mandate participation in these programs among employees.

Health data is among the most sensitive data imaginable, and even before this public health emergency, there has been increasing bipartisan concern with gaps in our nation’s health privacy laws. While a comprehensive update of health privacy protections is unrealistic at this time, targeted reforms to protect health data – particularly with clear evidence that a lack of privacy protections has inhibited public participation in screening activities – are both appropriate and necessary.

Our legislation does not prohibit or otherwise prevent employers, service providers, or any other entity from introducing COVID screening tools. Rather, it provides commonsense and widely understood rules related to the collection, retention, and usage of that information – most notably, stipulating that sensitive data collected under the auspices of efforts to contain COVID should not be used for unrelated purposes. As a litany of investigative reports, Congressional hearings, and studies have increasingly demonstrated, the widespread secondary use of Americans’ data – including sensitive health and geolocation data – has become a significant public concern. The legislation also ensures that Americans cannot be discriminated against on the basis of COVID health data – something particularly important given the disproportionate impact of this pandemic on communities of color.

Efforts by public health agencies to combat COVID-19, such as manual contact tracing, health screenings, interviews, and case investigations, are not restricted by our bill. And the legislation would allow for the collection, use, and sharing of data for public health research purposes and makes clear that it does not restrict use of health information for public health or other scientific research associated with a public health emergency.

Our urgent and forceful response to COVID-19 can coexist with protecting and even bolstering our health privacy. If not appropriately addressed, these issues could lead to a breakdown in public trust that could ultimately thwart successful public health surveillance initiatives. Privacy experts, patient advocates, civil rights leaders, and public interest organizations have resoundingly called for strong privacy protections to govern technological measures offered in response to the COVID-19 crisis. In the absence of a federal privacy framework, experts and enforcers – including the Director of the Bureau of Consumer Protection of Federal Trade Commission – have encouraged targeted rules on this sensitive health data. The Public Health Emergency Privacy Act meets the needs raised by privacy and public health communities, and has been resoundingly endorsed by experts and civil society groups.

Providing Americans with assurance that their sensitive health data will not be misused will give Americans more confidence to participate in COVID screening efforts, strengthening our common mission in containing and eradicating COVID-19. For this reason, we urge you to include the privacy protections contained in the Public Health Emergency Privacy Act in any forthcoming stimulus package.

Thank you for your attention to this important matter.

Sincerely,

###

WASHINGTON - U.S. Sen. Mark R. Warner (D-VA) joined Sen. Sherrod Brown (D-OH) and 6 of their Senate colleagues in a letter requesting additional information on the Borrower Protection Program that the Consumer Financial Protection Bureau (CFPB) and the Federal Housing Finance Agency (FHFA) announced in April. The agencies’ announcement stated that the CFPB and FHFA would share data under the program but did not say how that data would be used to protect borrowers. The Senators asked the agencies what information they would share and how each agency would use this new program to avoid unnecessary borrower defaults and foreclosures, to address misinformation and unequal treatment of borrowers, and to deal with servicers not complying with the law.

“It is critical that the CFPB and FHFA act quickly to ensure homeowners across the country can access the relief they need during this national emergency. Any delay could result in unnecessary delinquencies and foreclosures that will set consumers back, rather than helping them recover,” wrote the lawmakers.

In addition to Sens. Warner and Brown, the letter was signed by Sens. Jack Reed (D-RI), Elizabeth Warren (D-MA), Brian Schatz (D-HI), Chris Van Hollen (D-MD), Catherine Cortez Masto (D-NV), and Tina Smith (D-MN).

A copy of the letter appears here and below:


We are writing regarding the Consumer Financial Protection Bureau (CFPB) and the Federal Housing Finance Agency’s (FHFA) joint announcement of the Borrower Protection Program. The announcement states that the CFPB will share consumer complaint data and analytics with FHFA, and FHFA will provide the CFPB with its internal data on mortgage forbearances, modifications, and other loss mitigation.

Sharing information between your agencies is an important first step to ensure that homeowners are getting the help they need. The CFPB’s supervisory, research, and market monitoring tools and consumer-oriented perspective coupled with FHFA’s loan-level data could provide unique insights into borrowers’ experiences.

But information sharing alone will not protect borrowers. Once information is shared, the CFPB and FHFA must also have plans to use their respective tools and authorities to immediately address trends that indicate borrowers are receiving inaccurate information or unequal treatment, or that servicers are not complying with the law. Timeliness of the CFPB and FHFA’s oversight is critical to avoid unnecessary borrower defaults and foreclosures. Just a few weeks of delay could have disastrous outcomes for consumers who may lose the ability to access an affordable modification after just two months or face foreclosure after four months.

To help us better understand what steps your agencies will take to protect homeowners through the Borrower Protection Program, please respond to the following questions:

1. It has been more than nine weeks since the COVID-19 national emergency declaration, and borrowers may already have experienced weeks of financial hardship.

   a. When will the CFPB and FHFA first share data under the Borrower Protection Program?

   b. What specific actions will the CFPB and FHFA take, respectively, if either agency identifies noncompliance or consumer harm both to get consumers accurate information and to address noncompliance? Please list all tools that could be used by each agency.

2. Consumer complaint data is an important source of information, but it is not the CFPB’s only tool to monitor consumer harm. In addition to consumer complaint data, what other information will the FHFA receive from the CFPB?

3. The CFPB has regulatory and supervisory authority over many of the largest mortgage servicers, including depositories with more than $10 billion in assets and nonbank mortgage servicers.

   a. Will the information examined under the Borrower Protection Program show data by loan servicer? If so, how will the CFPB use any servicer-specific data to inform its supervisory activities?

   b. Will any servicer-specific data distinguish between loans in forbearance and delinquent loans? If so, how will the CFPB or FHFA monitor and address disparities in delinquency rates amongst servicers to ensure that those borrowers who are facing a financial hardship and eligible for forbearance can receive it?

   c. To the extent that the CFPB or FHFA receives information or identifies trends among mortgage servicers that do not fall within the CFPB’s supervisory authority, will the CFPB or FHFA communicate those findings to the appropriate regulator to ensure compliance with servicing laws and policies? If not, why not?

4. Will information provided to the CFPB include borrower demographic information when available, including race, ethnicity, English proficiency, age, or other protected classes under the Fair Housing Act to facilitate fair lending oversight?

   a. How will the CFPB use any available information to ensure that mortgage servicing policies and practices result in equal treatment for all borrowers? Will the CFPB monitor forbearance rates, delinquency rates, loan modifications, non-retention loss mitigation options, and foreclosures by protected class?

   b. What tools will the CFPB and FHFA use to address any disparate outcomes?

5. Will any information provided to either agency include a borrower’s servicemember status, when available, to monitor compliance with the Servicemembers Civil Relief Act (SCRA)? If possible violations of the SCRA are identified, which agency will address those violations?

6. Many mortgage servicers service not just Fannie Mae and Freddie Mac loans, but also FHA, VA, USDA, and HUD Section 184 loans, as well as loans in private-label securities.

   a. Will the CFPB enter into agreements with the other federal agencies, which collectively insure or guarantee more than 25 percent of loans, to share data and inform those agencies’ supervision of their servicers? If not, why not?

   b. Borrowers whose loans are not guaranteed by Fannie Mae or Freddie Mac or insured or guaranteed through a federal program are not assured to receive forbearance or other relief if they face a hardship, and information about outcomes for these borrowers will be limited. How will the Borrower Protection Program protect borrowers whose loans are not guaranteed by Fannie Mae or Freddie Mac or insured or guaranteed through a federal program?

7. Will the CFPB and FHFA publish regular, public updates on the Borrower Protection Program to share findings and actions? If not, why not?

It is critical that the CFPB and FHFA act quickly to ensure homeowners across the country can access the relief they need during this national emergency. Any delay could result in unnecessary delinquencies and foreclosures that will set consumers back, rather than helping them recover. Thank you for your prompt attention to this request.

Sincerely,

###

WASHINGTON - As tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19, U.S. Sens. Mark R. Warner and Richard Blumenthal (D-CT) and U.S. Reps. Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.

After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19.

“This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. Americans are rightly skeptical that their sensitive health data will be kept safe and secure, and as a result, they’re reluctant to participate in contact tracing programs essential to halt the spread of this disease. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”

“Communications technology has obviously played an enormously important role for Americans in coping with and navigating the new reality of COVID-19 and new technology will certainly play an important role in helping to track and combat the spread of this virus. Unfortunately, our health privacy laws have not kept pace with the privacy expectations Americans have come to expect for their sensitive health data,” Warner said. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations could become the new status quo in health care and public health. The credibility – and indeed efficacy – of these technologies depends on public trust.” 

“I’m thankful that our country is blessed with the world’s best innovators and technologists, many of whom I represent in the House, and that they have joined the effort to combat the coronavirus by using technology to control the spread of the virus,” said Eshoo. “As we consider new technologies that collect vast amounts of sensitive personal data, we must not lose sight of the civil liberties that define who we are as a nation. I’m proud to join my colleagues to introduce the Public Health Emergency Privacy Act, strong and necessary legislation that protects the privacy of every American while ensuring that innovation can aid important public health efforts.”

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights. I am proud to introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that swift passage of this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to widespread testing and manual contact tracing.”

“We must use every tool available to us to respond to the COVID-19 pandemic. Contact tracing, along with testing, are the cornerstones of a science-based approach to addressing this historic crisis. We can protect our public health response and personal data privacy,” said DelBene. “I have been calling on the Trump administration and the private sector to adopt data privacy principles since the start of this outbreak. It is time for Congress to lead the way in assuring we have a strong national contact tracing system and that Americans’ personal data is protected. This bill will achieve this mutual goal.”

Eshoo, Schakowsky, and DelBene introduced House legislation with original co-sponsors House Energy and Commerce Committee Vice Chair Yvette Clarke (D-NY), Health Subcommittee Vice Chair G. K. Butterfield (D-NY), and Consumer Protection & Commerce Subcommittee Vice Chair Tony Cárdenas (D-CA).

The Public Health Emergency Privacy Act would:

· Ensure that data collected for public health is strictly limited for use in public health;

· Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;

· Prevent the potential misuse of health data by government agencies with no role in public health;

· Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;

· Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;

· Require regular reports on the impact of digital collection tools on civil rights;

· Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and

· Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

The Public Health Emergency Privacy Act is endorsed by Lawyers’ Committee for Civil Rights Under Law, Public Knowledge, New America’s Open Technology Institute, Consumer Reports, Free Press, Electronic Privacy and Information Center (EPIC), Public Citizen, health privacy scholar Frank Pasquale, and privacy scholar Ryan Calo.

“African Americans and other marginalized communities are suffering disproportionately from coronavirus and its economic effects. They do not need further harm from snake oil surveillance tech. This bill protects the most vulnerable—it ensures that any technology used to track the virus is not used to unfairly discriminate in employment, voting, housing, education, and everyday commerce,” said David Brody, Counsel and Senior Fellow for Privacy & Technology at the Lawyers’ Committee for Civil Rights Under Law.

“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge.

“OTI welcomes this effort to protect privacy as lawmakers consider pandemic response plans that gather vast quantities of data. The bill would establish strong safeguards that would prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.

“When it comes to tracking and collecting people’s data, we want to make sure there are basic protections for people’s privacy, and this bill is a positive step to establish the trust and balance that’s needed. The bill smartly requires that data collected to fight coronavirus can only be used for public health purposes – and nothing else. Importantly, the bill ensures an individual's right to seek redress for violations, and it bars against the use of pre-dispute arbitration agreements. These measures will help individuals trust contact-tracing or proximity-tracing programs, and they can serve as a model for more comprehensive protections down the road,” said Justin Brookman, Director of Consumer Privacy and Technology Policy for Consumer Reports.

“Digital contact tracing and exposure notification systems may be important tools in combating the spread of coronavirus. But they must be deployed responsibly and with adequate safeguards that protect the privacy and civil rights of the people that use them. The Public Health Emergency Privacy Act is a serious effort at ensuring our rights are protected while giving public health officials the tools they need to track and notify those exposed to COVID-19. These rules must apply to everyone using these systems, whether that’s state or local governments, employers, or other tech companies. This bill protects the civil rights of the most vulnerable essential workers, the disproportionately Black and Latinx people most exposed to the virus, and will help ensure they’re not also subject to invasive and unnecessary surveillance that will linger long after this crisis passes,” said Gaurav Laroia, Senior Policy Counsel with Free Press.

“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC).

“What we need more than anything during this global emergency is to feel less vulnerable, to be sure not just that our health is protected, but that our rights are protected as well. This bill will ensure that whatever technological innovation emerges during the pandemic, we will feel safer knowing that our rights to privacy, to our day in court and to access to the ballot box won’t be threatened,” said Robert Weissman, President of Public Citizen.

“This bill establishes critical protections for patients whose health data is released in the context of the public health emergency. To build a trusted data infrastructure, the US needs to ensure that any entity which accesses such data is held accountable and does not abuse the public trust. The Public Health Emergency Privacy Act is a big step in the right direction,” said Frank Pasquale, Piper & Marbury Professor of Law at University of Maryland Carey School of Law.

“This draft legislation addresses two of my biggest privacy concerns about the use of technology and information to respond to COVID-19. As the Act makes clear, the emergency health data of Americans should only be used to fight the pandemic and should never be used to discriminate or deny opportunity,” said Ryan Calo, Lane Powell & D. Wayne Gittinger Endowed Professor at University of Washington School of Law.

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) urged Vice President Mike Pence to take steps to both combat online misinformation related to the coronavirus outbreak and to correct false and misleading statements by the President and other members of the Administration, in the interest of public health. This letter follows reports of widespread misinformation on social media about the novel coronavirus (COVID-19) – from conspiracies about the virus’ inception, to false claims about products that were said to provide immunity or cures.

“I am deeply concerned that despite the seriousness of the novel coronavirus (COVID-19) outbreak, your coronavirus taskforce and members of the Administration have failed to consistently counter the significant amount of misinformation conveyed to the American public. In many instances, we have seen misinformation spread by those seeking to profit from untested and potentially dangerous products misrepresented as effective treatments for the virus,” wrote Sen. Warner. “Of even greater concern, false or misleading information has also come directly from prominent members of the Administration, up to and including the President.”

“The President’s injudicious and false statements could gravely undermine ongoing public health efforts to contain the outbreak. His statements directly conflict with the advice and recommendations of your own coordinated federal response and leading public health experts and will likely exacerbate economic uncertainty and discourage individuals from seeking needed care. To date, I am not aware of any steps your Administration has taken to publicly correct this false narrative,” he continued. “Simply put – this conflicting messaging and misinformation will weaken our ability to respond to COVID-19 and significantly undermine ongoing public health efforts. I strongly encourage you to publicly withdraw and correct President Trump’s statements and other false statements made by members of the Administration. In addition I ask that, moving forward, the coronavirus taskforce proactively monitor and develop a comprehensive strategy to counter widespread misinformation, including campaigns by foreign actors or parties seeking to profit from fraudulent health treatments. Information conveyed to the public must accurately reflect the latest guidance from public health experts and other authorities.”

Around the world, the novel coronavirus has sickened more than 113,000 people and killed more than 4,000 people to date. In the Commonwealth of Virginia alone, there have been nine identified cases of the virus.

In his letter, Sen. Warner noted that the President’s false statements “stoke and legitimize already widespread online misinformation concerning the virus.”  He also highlighted indications “that at least some of the misinformation is derived from, or at least amplified by, malicious foreign actors.”

A copy of the letter is available here and below. A list of Sen. Warner’s work on coronavirus is available here.


The Honorable Michael R. Pence

Vice President of the United States of America

The White House

1600 Pennsylvania Avenue, NW

Washington, D.C. 20500

Dear Vice President Pence:

I am deeply concerned that despite the seriousness of the novel coronavirus (COVID-19) outbreak, your coronavirus taskforce and members of the Administration have failed to consistently counter the significant amount of misinformation conveyed to the American public. In many instances, we have seen misinformation spread by those seeking to profit from untested and potentially dangerous products misrepresented as effective treatments for the virus.[1] Of even greater concern, false or misleading information has also come directly from prominent members of the Administration, up to and including the President. I believe that, left unaddressed, this misinformation and conflicting messaging will undermine our ability to respond to COVID-19 by reducing public confidence in ongoing public health efforts, creating economic uncertainty and causing the public to respond in counterproductive ways.

As you know, the novel coronavirus (COVID-19) has sickened more than 118,000 people around the world, and killed more than 4,200 people to date.[2] While this situation is rapidly evolving in the United States, the Centers for Disease Control and Prevention (CDC) has said the potential public health threat posed by COVID-19 is very high.[3] It is essential that the Administration communicate timely and accurate information to the American public. This should include a coordinated effort to address potentially harmful misinformation spread through social media and other sources.

On March 4, 2020, during a phone call televised to millions of viewers, President Donald J. Trump indicated that Americans who fear they may have COVID-19 should continue going to work and not seek medical care, and told viewers that the World Health Organization’s (WHO) estimates of the virus’ deadliness were false.[4] In addition, on February 26, 2020 the President carelessly downplayed the seriousness of this outbreak by telling the American public that COVID-19 cases in the U.S. were “going very substantially down, not up” and that the existing 15 cases in the U.S. “is going to be down to close to zero” in two days.[5] As you know, cases have increased exponentially since that time.

The President’s injudicious and false statements could gravely undermine ongoing public health efforts to contain the outbreak. His statements directly conflict with the advice and recommendations of your own coordinated federal response and leading public health experts and will likely exacerbate economic uncertainty and discourage individuals from seeking needed care. To date, I am not aware of any steps your Administration has taken to publicly correct this false narrative.

In addition, such remarks stoke and legitimize already widespread online misinformation concerning the virus. There are indications that at least some of the misinformation is derived from, or at least amplified by, malicious foreign actors.[6] Additional misleading statements from members of the Administration, combined with intentional falsehoods pushed by these malicious actors, will only make matters worse.

Successfully combatting COVID-19 will require that public officials, health care providers and the American public act in a coordinated and responsible manner and, should the need arise, follow recommendations of public health experts to social distance, self-quarantine and take additional safety measures. This will not be possible if the Administration does not take proactive steps to counter false information and consistently relay trusted, accurate and timely information to the American public.

Simply put – this conflicting messaging and misinformation will weaken our ability to respond to COVID-19 and significantly undermine ongoing public health efforts. I strongly encourage you to publicly withdraw and correct President Trump’s statements and other false statements made by members of the Administration. In addition I ask that, moving forward, the coronavirus taskforce proactively monitor and develop a comprehensive strategy to counter widespread misinformation, including campaigns by foreign actors or parties seeking to profit from fraudulent health treatments. Information conveyed to the public must accurately reflect the latest guidance from public health experts and other authorities. Thank you for your attention to this request and I look forward to your response.

Sincerely,


###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and John Kennedy (R-LA), members of the Senate Banking Committee, released a statement today, ahead of Supreme Court arguments in Liu v. SEC, a case challenging the Securities and Exchange Commission’s (SEC) enforcement powers to seek disgorgement on behalf of defrauded investors:

“Today’s argument in Liu v. SEC highlights the critical importance of affirming the SEC’s ability to protect investors through its disgorgement authority. Disgorgement authority is an essential enforcement tool that deters violations of our securities laws, protects Main Street investors, and helps compensate hard-working Americans who are victims of financial scams. Since the Court’s 2017 decision in Kokesh v. SEC, the SEC has forgone an estimated $1.1 billion in proceeds on behalf of harmed investors – a number that will only grow if the Supreme Court sides with the petitioners in this case – putting more money in the pockets of scammers and fraudsters while leaving ripped-off investors holding the bag. While we strongly believe that the SEC has the legal authority to seek disgorgement in civil actions, uncertainty from this case underscores the importance of congressional action to better protect harmed investors. In the Senate, we have introduced bipartisan legislation that would affirm the SEC’s disgorgement authority and expand its toolkit to increase financial recovery for harmed investors. The House passed similar legislation last year. We urge our colleagues in the Senate to act now by taking up this bipartisan effort,” said the two Senators.

Sens. Warner and Kennedy last year introduced the Securities Fraud Enforcement and Investor Compensation Act, bipartisan legislation that would give the SEC power to seek restitution for Main Street investors harmed by securities fraud. The bill would give the SEC a broader range of tools to seek compensation for investors who’ve lost money to Ponzi schemes and other investment scams.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued the following statement after federal prosecutors today charged four Chinese intelligence officers with hacking Equifax in one of the largest data breaches in history:

“I’m glad the DOJ has moved to formally indict the Chinese intelligence officers associated with the hack of Equifax. For years, the Chinese government has targeted western commercial firms. It is disappointing that despite a lot of rhetoric President Trump’s recent agreement with China does nothing to address this specific issue.

“That said, the indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack. A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure. The legislation I have with Senator Warren would subject data brokers to a higher standard of care and is an important first step in data protection.”

Sen. Warner has been outspoken about the importance of protecting consumers from data theft by employing adequate cybersecurity practices. He has previously introduced legislation to hold large credit reporting agencies – including Equifax – accountable for data breaches involving sensitive consumer data.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), co-chair of the bipartisan Senate Cybersecurity Caucus, urged the Defense Health Agency to remove sensitive medical data belonging to servicemembers exposed online, where it remains vulnerable due to insecure data practices at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center.

“As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans,” wrote Sen. Warner. “The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others.”

He continued, “We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices.”

In September 2019, Sen. Warner sought answers from TridentUSA Health Services regarding reports that many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. Following that letter, the images were removed but millions of records were left online. Nearly two months later, Sen. Warner called out the U.S. Department of Health and Human Services (HHS) for its failure to act following the exposure.

Since the letter to HHS, 16 systems, 31 million images and 1.5 million exam records have been removed from the internet. However, a significant amount of personally identifiable and sensitive medical information belonging to servicemembers remains online because of unsecured Army PACS.

In his letter to the Assistant Secretary, Sen. Warner asked the agency to remediate the situation immediately and posed the following questions for Assistant Secretary Thomas McCaffery:

  1. Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
  2. Do you audit and monitor logs? 
  3. Do you require full-disk encryption and authentication for PACS?
  4. Do you require the hospitals to have a Chief Information Security Officer?
  5. Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.  

A copy of the letter can be found here and below.

 

Mr. Thomas McCaffery

Assistant Secretary of Defense for Health Affairs

Defense Health Agency

7700 Arlington Boulevard

Falls Church, VA 22042

Dear Mr. McCaffery,

As the healthcare sector becomes increasingly reliant on technology to deliver essential services to patients, it also faces rising threats from malicious actors that seek to compromise the personally identifiable and other sensitive information of Americans. As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans. It is with great alarm that I recently learned that unsecured Picture and Archiving Servers (PACS) at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center have left personally identifiable and sensitive medical information available online for anyone with a DICOM viewer to find.

Following a report in September of 2019 highlighting the exposure of sensitive medical images belonging to millions of Americans through unsecured PACS, I wrote letters to two healthcare entities that controlled the PACS, and those images were removed. However, millions of records remained online. The following month, I wrote to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) regarding the remaining exposure of the personally identifiable information belonging to 6 million American patients. Since that letter, 16 systems, 31 million images and 1.5 million exam records were removed from the internet. However, I recently learned that a significant number of medical records belonging to servicemembers remain online. This information was discovered by the German researchers at Greenbone Networks, who accessed the information using German IP addresses; this itself should have triggered alarms by the hospital information security systems.

The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others. We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices. To better understand how this happened, I would like information about your organization’s oversight of the information security practices at military hospitals, particularly at Ft. Belvoir Medical Center and Womack Army Medical Center.

I ask that you immediately remediate this situation, and remove the vulnerable PACS from open access to the internet. To understand how these records have been exposed and accessed repeatedly by a German IP address, please also answer the following questions:

  1. Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
  2. Do you audit and monitor logs? 
  3. Do you require full-disk encryption and authentication for PACS?
  4. Do you require the hospitals to have a Chief Information Security Officer?
  5. Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.

Given the gravity of this issue, I would appreciate a response within two weeks.

Sincerely,

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE) announced two new bipartisan co-sponsors for their legislation to protect consumers from being tricked into giving away their personal data online. Sens. Amy Klobuchar (D-MN) and John Thune (R-SD), two senior members of the Senate Commerce Committee, have co-sponsored the Warner-Fischer legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data.

“Whether you bought Christmas gifts online, downloaded a new messaging app, or tried to navigate a major browser’s byzantine privacy settings, chances are you were a victim of a dark pattern. In fact, if you wanted to score that extra discount at checkout, these design tactics most likely manipulated you into handing over more than just your email address to get that deal,” said Sen. Warner. “I’m grateful to have the support of Sen. Klobuchar and Sen. Thune on this important bill to make sure Americans have more transparency about, and control over, their interactions online.”

“Nearly every time Americans use a new app on our smart phones or browse social media from our laptops, we run into dark patterns. These unethical tricks online platforms use as they battle to capture attention and manipulate users must be stopped. I am pleased to have expanded bipartisan support for this legislation that combats risks to consumer choice and privacy online,” said Sen. Fischer.

“Dark patterns are manipulative tactics used to trick consumers into sharing their personal data. These tactics undermine consumers’ autonomy and privacy, yet they are becoming pervasive on many online platforms,” said Sen. Klobuchar. “This legislation would help prevent the major online platforms from using such manipulative tactics to mislead consumers, and it would prohibit behavioral experiments on users without their informed consent.”

“We live in an environment where large online operators often deploy manipulative practices or ‘dark patterns’ to obtain consent to collect user data, so I’m glad this bill takes meaningful steps to advance consumer transparency,” said Sen. Thune. “I particularly applaud the provisions of this bill that require large online operators to be more transparent about when users are subject to behavioral or psychological research for the purpose of promoting engagement on their platforms. I want to thank Sens. Warner and Fischer for leading this effort, and I’m glad to join them and Sen. Klobuchar in cosponsoring this important legislation.”

The bipartisan Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative dark pattern behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. Specifically, the legislation:

  • Enables the creation of a professional standards body, which can register with the Federal Trade Commission (FTC), to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body, providing updated guidance to platforms on design practices that impair user autonomy, decision-making, or choice, positioning the FTC to act as a regulatory backstop.
  • Prohibits segmenting consumers for the purposes of behavioral experiments, unless with a consumer’s informed consent. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare. 
  • Prohibits user design intended to create compulsive usage among children under the age of 13 years old.
  • Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.

Sen. Warner has been raising concerns about the implications of social media companies’ reliance on dark patterns for several years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on News Feeds.

Sen. Warner is also recognized as one of Congress’ leading voices in an ongoing public debate around social media and user privacy. He has written and introduced a series of bipartisan bills designed to protect consumers and promote competition in social media. The Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act will require data harvesting companies such as social media platforms to tell consumers and financial regulators exactly what data they are collecting from consumers, and how it is being leveraged by the platform for profit. The Honest Ads Act will help prevent foreign interference in future elections and improve the transparency of online political advertisements. The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act is a bipartisan bill to encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) released the following statement after President Trump signed into law a bill sponsored by Sen. Warner to crack down on illegal robocall scams:

“The truth is, folks in Virginia and across the nation are sick and tired of receiving unsolicited robocalls at all hours of the day,” said Sen. Warner. “These calls are intrusive and often set up by scammers looking to prey on vulnerable individuals. I’m proud to have sponsored this legislation and am very excited to see it signed into law so that it can start giving individuals some peace of mind. Personally, I know I won’t miss these annoying robocalls, and I have a feeling other Virginians won’t either.”

The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act gives regulators more time to find scammers, increases civil forfeiture penalties for those who are caught, requires service providers to adopt call authentication and blocking, and brings relevant federal agencies and state attorneys general together to address impediments to criminal prosecution of robocallers who intentionally break laws. Sen. Warner sponsored the Senate version of the bill, which passed the Senate in a 97-1 vote in May 2019. After the House passed an amended version of the bill earlier this month, the Senate unanimously voted to send the bill to the President’s desk for signature on December 18.

The TRACED Act:

  • Broadens the authority of the Federal Communications Commission (FCC) to levy civil penalties of up to $10,000 per call on people who intentionally flout telemarketing restrictions.
  • Extends the window for the FCC to catch and take civil enforcement action against intentional violations to four years after a robocall is placed. Under current law, the FCC has only one year to do so, and the FCC has told the committee that “even a one-year longer statute of limitations for enforcement” would improve enforcement against violators.
  • Brings together the Department of Justice, FCC, Federal Trade Commission, Department of Commerce, Department of State, Department of Homeland Security, the Consumer Financial Protection Bureau, and other relevant federal agencies, as well as state attorneys general and other non-federal entities to identify and report to Congress on improving deterrence and criminal prosecution at the federal and state level of robocall scams.
  • Requires voice service providers to adopt call authentication technologies, enabling a telephone carrier to verify that incoming calls are legitimate before they reach consumers’ phones.
  • Directs the FCC to initiate a rulemaking to help protect subscribers from receiving unwanted calls or texts from callers.
  • Directs the FCC to initiate a rulemaking process to protect consumers from “one-ring” scams.
  • Requires the FCC to establish a working group to issue best practices to prevent hospitals from receiving illegal robocalls.

 

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the Department of Health and Human Services (HHS) regarding a proposed rule by the Centers for Medicare and Medicaid Services (CMS) that would require CMS-funded health plans (including ACA marketplace plans) to allow patients to access their personal health information electronically through third-party consumer applications. In his letter, Sen. Warner urged HHS to include clear standards and defined controls for accessing patient data in order to address the potential for misuse of these interoperability features.

“In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information,” wrote Sen. Warner. “It is critical that proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.”

“Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users,” he continued. “As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used.”

Under the proposed Interoperability and Patient Access rule, CMS would require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through open application programming interfaces (APIs). APIs would allow third-party software applications to connect to, process, and make the data available to patients.

In the letter, Sen. Warner emphasized the importance of allowing patients to easily access their health information. He also noted the similarities between the proposed rule and the ACCESS Act – bipartisan legislation introduced by Sen. Warner that would promote market-based competition among social media platforms by requiring the largest social media companies to make user data portable, and their services interoperable, with other platforms. The ACCESS Act would also allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose. Additionally, Sen. Warner urged that, at a minimum, the final rule include the following standards:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Sen. Warner has been a longtime critic of poor cybersecurity practices that compromise Americans’ personal information. Last week, Sen. Warner raised concern with HHS’s failure to act, following a mass exposure of sensitive medical images and information by health organizations. In September, he wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.

 

The Honorable Alex M. Azar II

Department of Health and Human Services

Office of the Secretary

200 Independence Avenue, S.W.

Washington, D.C. 20201

 

Dear Secretary Azar:

I am writing regarding the proposed rule from the Center for Medicare and Medicaid Services (CMS) on Interoperability and Patient Access that would enable third party consumer applications to access sensitive patient and health plan data through application programming interfaces (APIs) [1]. I share the goals of advancing interoperability in patient health information and believe that – implemented appropriately – this proposal could represent a significant step in that direction. However, I urge CMS to take additional steps to address the potential for misuse of these features in developing the rules around APIs. In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information.

Congress passed the 21st Century Cures Act (P.L. 114-255) with a key objective of improving the protected exchange of electronic health records across the care continuum. Notably, Sections 4003 and 4004 included specific provisions to establish a trusted health information exchange framework and reduce information blocking; it stated that there should be regulation over unreasonable practices to interfere with, prevent, or materially discourage access, exchange, or use of a patient’s electronic health records. While your agency has taken substantial steps to implement fundamental aspects of this legislation, it is critical that proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.

In your proposed rule CMS would specifically require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through an open application programming interface (API). Data should be made available through an API so that third party software applications can connect to, process, and make the data available to patients.

I agree that patients should have an ability to easily acquire their health information. The rule is in many ways consistent with bipartisan legislation I have introduced in Congress – the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, which requires our nation’s largest social media companies to make user data portable, and make their services interoperable with other platforms.

Common to both my bill and the proposed rule is a recognition that consumers should have a right to possess their data – and share it with authorized third parties that will protect it. Both proposals also seek to address the control over consumer data that incumbents wield, often to the detriment of new, innovative providers. Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users.

As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used. Such standards in a final rule should include at a minimum:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Thank you for your consideration and your commitment to advancing interoperability to improve patient care. I believe the outline I have shared would strengthen the rule and ensure it achieves its intended purpose. It is my hope and belief that we can achieve both a higher level of interoperability and patient access to their data, as well as strong protections for that information. I look forward to continued work with you on this important issue and our shared goals.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, today raised concern with the U.S. Department of Health and Human Services (HHS)’s failure to act, following a mass exposure of sensitive medical images and information by health organizations. In a letter to the HHS Director of the Office for Civil Rights, Sen. Warner identified this exposure as damaging to individual and national security, as this kind of information can be used to target individuals and to spread malware across organizations.

“I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it,” wrote Sen. Warner. “As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.”

“These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization,” he continued. “In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected.”

On September 17th, a report revealed that millions of Americans had their private medical images exposed online due to unsecured picture archiving and communication servers (PACS) that use the Digital Imaging and Communications in Medicine (DICOM) protocol. Along with the medical images, these PACS also exposed the names and Social Security numbers of those affected, leaving this information open to anyone with basic computer expertise, as the servers required no authentication to access or download it.
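The design flaw referred to in the statement above is the 128-byte preamble that every DICOM Part 10 file carries before its “DICM” marker: the standard leaves those bytes unconstrained, so an attacker can place a Windows “MZ” header there and point its e_lfanew field at a PE header parked elsewhere in the file, making one file both a valid study and a valid executable. The following is an added example, not code from the press release or from the researchers it cites. It inspects a file’s preamble for executable signatures, follows an MZ header’s e_lfanew pointer to confirm that a “PE\0\0” signature is actually reachable, and checks that the first element after “DICM” belongs to the file meta group 0002. The sample files are constructed for illustration; a real polyglot hides the PE body inside a private element’s value rather than appending it after the meta element as the simplified sample does.

```python
"""Check a DICOM Part 10 file for an executable hidden in its 128-byte preamble.

Added example (not from the press release or the cited research). A Part 10 file is
128 unconstrained preamble bytes, the 4-byte "DICM" marker, then the file meta group
(0002,xxxx) in explicit VR little endian. Sample files below are constructed, not real studies.
"""
import struct
from dataclasses import dataclass, field

PREAMBLE_LEN = 128
DICM_MAGIC = b"DICM"

# Signatures an attacker could place at offset 0 of the unconstrained preamble.
EXECUTABLE_MAGICS = {
    b"MZ": "PE/DOS executable header",
    b"\x7fELF": "ELF header",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit header",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit header",
    b"\xca\xfe\xba\xbe": "Mach-O fat / Java class header",
    b"#!": "script shebang",
}


@dataclass
class Verdict:
    is_dicom: bool
    preamble_nonzero: bool = False
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.is_dicom and bool(self.findings)


def inspect_dicom(data: bytes) -> Verdict:
    """Flag executable signatures in the preamble and a malformed first meta element."""
    if len(data) < PREAMBLE_LEN + 6 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != DICM_MAGIC:
        return Verdict(is_dicom=False)
    preamble = data[:PREAMBLE_LEN]
    verdict = Verdict(is_dicom=True, preamble_nonzero=any(preamble))
    for magic, name in EXECUTABLE_MAGICS.items():
        if preamble.startswith(magic):
            verdict.findings.append(name)
    if preamble.startswith(b"MZ"):
        # e_lfanew (offset 0x3C) locates the "PE\0\0" signature; in a polyglot it
        # points past the preamble into DICOM data the image parser never interprets.
        e_lfanew = struct.unpack_from("<I", preamble, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            verdict.findings.append(f"PE signature reachable at offset {e_lfanew}")
    # The first element after "DICM" must belong to the file meta group 0002.
    group = struct.unpack_from("<H", data, PREAMBLE_LEN + 4)[0]
    if group != 0x0002:
        verdict.findings.append(f"first element group is 0x{group:04x}, not 0x0002")
    return verdict


def _meta_element() -> bytes:
    """(0002,0010) Transfer Syntax UID = Explicit VR Little Endian, null-padded to even length."""
    uid = b"1.2.840.10008.1.2.1\x00"
    return struct.pack("<HH", 0x0002, 0x0010) + b"UI" + struct.pack("<H", len(uid)) + uid


def _polyglot() -> bytes:
    """Constructed PE/DICOM polyglot: MZ stub in the preamble, PE header after the meta element."""
    body = DICM_MAGIC + _meta_element()
    pe_offset = PREAMBLE_LEN + len(body)
    preamble = bytearray(PREAMBLE_LEN)
    preamble[0:2] = b"MZ"
    struct.pack_into("<I", preamble, 0x3C, pe_offset)
    return bytes(preamble) + body + b"PE\x00\x00" + bytes(20)  # truncated PE header stand-in


CLEAN_DICOM = bytes(PREAMBLE_LEN) + DICM_MAGIC + _meta_element()   # all-zero preamble
POLYGLOT_DICOM = _polyglot()
NOT_DICOM = b"\x89PNG\r\n\x1a\n" + bytes(200)                       # wrong marker at 128

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DICOM), ("polyglot", POLYGLOT_DICOM), ("png", NOT_DICOM)):
        v = inspect_dicom(blob)
        print(f"{label}: dicom={v.is_dicom} suspicious={v.suspicious} findings={v.findings}")
```

A non-zero preamble is not by itself malicious (some modalities write vendor data there), which is why the verdict reports it separately from the executable-signature findings; an archive ingest hook would quarantine on `suspicious` and merely log `preamble_nonzero`.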

This exposure was uncovered by German researchers, who contacted the German Federal Office for Information Security (BSI). BSI then alerted the United States Computer Emergency Readiness Team (US-CERT), which confirmed the exposure and reached out to HHS. However, if HHS received this information, it has failed to act on it, even failing to list TridentUSA Health Services – one of the main companies responsible for the exposure – on its breach portal website.

In his letter to Director Roger Severino, Sen. Warner also raised alarm with the fact that TridentUSA Health Services successfully completed an HHS Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audit in March 2019, while patient images were actively accessible online.

Sen. Warner also posed the following questions for HHS regarding the incident and its current cybersecurity requirements and procedures:

  1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
    1. If so, what actions were taken to address the issue?
  2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
    1. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits? 
  3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
  4. Please describe your information security audit process.
  5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that compromise Americans’ personal information. In September, Sen. Warner wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.

 

Mr. Roger Severino

Director, Office for Civil Rights

Department of Health and Human Services

200 Independence Ave SW

Washington, DC 20201

Dear Director Severino,

As the health care industry increasingly harnesses internet connectivity and software, including machine learning systems, to improve patient care, a long overdue focus on data privacy and information security has come into sharper focus. This is particularly evident in light of reports that sensitive medical records of potentially millions of Americans were recently exposed online – and that your agency has done little to address this issue. Prompting even greater concern, one of the companies that left the data exposed online also successfully completed one of your Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audits in March. I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it. As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients, without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.

On September 17th ProPublica published a shocking report that the sensitive medical images of millions of American patients were exposed online through unsecured picture archiving and communication servers (PACS) that utilize the Digital Imaging and Communications in Medicine (DICOM) protocol. The publicly-accessible information that had been accessed from Germany included MRIs, X-rays, and CT scans, as well as names and social security numbers of the patients. The 13.7 million images found on the internet required absolutely no authentication to access or download. As of writing this letter, there are 779 million image records attached to 21.6 million patient records, impacting an estimated 5 million patients in 22 states. The largest system accessed holds 61 million diagnostic images attached to 1.23 million exam records of American patients and remains available on the internet.

In late August, German researchers initiated an investigation to determine the global accessibility and remote access capabilities of PACS. On September 9th, the researchers concluded their two week inquiry and submitted their findings to the German Federal Office for Information Security (BSI). By September 17th, BSI had addressed the affected systems which were removed from the internet prior to the publishing of the ProPublica report.

After US-CERT was notified of the problem by BSI, US-CERT contacted the German researchers at Greenbone Networks, confirming they received the data on September 20th. US-CERT stated the agency would convey the information to the U.S. Department of Health and Human Services (HHS). According to the researchers, however, there has been no further communication from US-CERT or HHS, even though data privacy authorities from other countries like France and the UK contacted Greenbone Networks following the publication of ProPublica’s report.

On September 23rd, I wrote to TridentUSA Health Services expressing my concern regarding the issues raised in the ProPublica report, and pointed out that MobilexUSA, a TridentUSA Health Services affiliate, was identified as controlling one of the unsecured PACS. On October 15th, the German researchers demonstrated to my office that a number of US-based PACS have open ports, support unencrypted communications protocols, and expose to the internet images like chest X-rays and mammograms, along with identifying details like names and social security numbers. Those images and medical records continue to be accessible.

These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected. The researchers who discovered the flaw in the DICOM protocol were able to use a polyglot file, which can contain more than one stream of data with different file formats, and hide the malicious code in the scan. In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization.

In their response to my letter, TridentUSA Health Services noted that they successfully completed the Department of Health and Human Services audits, confirming compliance with the HIPAA Security Rule, the last of which concluded in March 2019, while patient images were accessible online.

While the information security lapses by the medical companies using the PACS are clear, it is unclear how your agency has addressed this issue. As of the writing of this letter, TridentUSA Health Services is not included on your breach portal website, and I have seen no evidence that, once contacted by US-CERT, you acted on that information in any meaningful way.

To understand how such an enormous oversight in your organization has allowed medical companies to leave insecure ports open to the internet and accessed repeatedly by a German IP address, I ask that you answer the following questions:

1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
   a. If so, what actions were taken to address the issue?
2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
   a. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?
3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
4. Please describe your information security audit process.
5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

The American people deserve to have their sensitive private information protected and their government held accountable for enforcing the rules in place to keep that information private. I hope that you will share what immediate actions you are taking, along with answering the questions above. I look forward to hearing your response no later than November 18, 2019.

Sincerely,

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Josh Hawley (R-MO) and Richard Blumenthal (D-CT) will introduce the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, bipartisan legislation that will encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.

“Social media has enormous benefits. But, as we've seen, the tremendous dominance of a handful of large platforms also has major downsides – including few options for consumers who want to use social media to connect with friends, store their photos or just watch cat videos, but who face a marketplace with just a few major players and little in the way of real competition,” said Sen. Warner, a former technology entrepreneur and venture capitalist. “As a former cell phone guy, I saw what a game-changer number portability was for that industry. By making it easier for social media users to easily move their data or to continue to communicate with their friends after switching platforms, startups will be able to compete on equal terms with the biggest social media companies. And empowering trusted custodial companies to step in on behalf of users to better manage their accounts across different platforms will help balance the playing field between consumers and companies. In other words – by enabling portability, interoperability, and delegatability, this bill will help put consumers in the driver’s seat when it comes to how and where they use social media.”

“Your data is your property. Period. Consumers should have the flexibility to choose new online platforms without artificial barriers to entry. This bill creates long-overdue requirements that will boost competition and give consumers the power to move their data from one service to another,” said Sen. Hawley.

“The exclusive dominance of Facebook and Google have crowded out the meaningful competition that is needed to protect online privacy and promote technological innovation. As we learned in the Microsoft antitrust case, interoperability and portability are powerful tools to restrain anti-competitive behaviors and promote innovative new companies. The bipartisan ACCESS Act would empower consumers to finally stand up to Big Tech and move their data to services that respect their rights,” said Sen. Blumenthal.

Online communications platforms have become vital to the economic and social fabric of the nation, but network effects and consumer lock-in have entrenched a select number of companies’ dominance in the digital market and enhanced their control over consumer data. The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act would increase market competition, encourage innovation, and increase consumer choice by requiring large communications platforms (products or services with over 100 million monthly active users in the U.S.) to:

  • Make their services interoperable with competing communications platforms.
  • Permit users to easily port their personal data in a structured, commonly used and machine-readable format.
  • Allow users to delegate trusted custodial services, which are required to act in a user’s best interests through a strong duty of care, with the task of managing their account settings, content, and online interactions. 

“One very real nightmare scenario for the future of the internet is users facing a meaningless choice among a few fully-integrated silos of technology, and the end of independent innovation and creativity. We all need to prevent that from happening. This legislation could help us take a huge step forward towards a better internet future,” said Chris Riley, Director of Public Policy at the Mozilla Corporation.

“Markets work when consumers have a choice and know what's going on. The ACCESS Act is an important step toward reestablishing this dynamic in the market for tech services. We must get back to the conditions that make markets work: when consumers know what they give a firm and what they get in return; and if they don't like the deal, they can take their business elsewhere. By giving consumers the ability to delegate decisions to organizations working on their behalf, the ACCESS Act gives consumers some hope that they can understand what they are giving up and getting in the opaque world that the tech firms have created. By mandating portability, it also gives them a realistic option of switching to another provider,” said Paul Romer, New York University Professor of Economics and Nobel Prize winner in Economics.

“We’re thrilled to see a concrete legislative proposal to provide interoperability for consumers. Built on a solid foundation of privacy and security protections, interoperability enables users to communicate across networks promoting competition among social media platforms. Interoperability ensures that users benefit from increased competition, and it helps new competitors grow by reaching users that are locked-in to their current provider. Senator Warner’s interoperability bill lays out an excellent, practical framework for making interoperability a reality while preserving a role for states to go even further,” said Charlotte Slaiman, Senior Policy Counsel at Public Knowledge.

“All of us at USV believe in decentralized, emergent, market driven innovation. The shared communications infrastructure of the open Internet and a vibrant competitive market triggered the Cambrian explosion of new Web services we all now enjoy. But today, a small number of companies capitalize on their exclusive control over our data - the data we contribute as we interact with their services - to dominate markets, stifling competition and limiting consumer choice. While this is widely understood, most policy makers propose prescriptive regulation that would only further entrench the dominant platforms. The ACCESS Act targets the specific market failure - exclusive control over consumer data - that has led to the consolidation of market power on the Web. Ensuring that consumers have access to their data is an elegant way to restore competition without burdensome regulation,” said Brad Burnham, Partner and Co-Founder at Union Square Ventures.

Previously, Sens. Warner and Hawley have partnered on the DASHBOARD Act, legislation to require data harvesting companies such as social media platforms to disclose how they are monetizing consumer data, as well as the Do Not Track Act, which would allow users to opt out of non-essential data collection, modeled after the Federal Trade Commission’s (FTC) “Do Not Call” list. 

A section-by-section summary of the bill is available here. Bill text is available here.

###

 

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Marco Rubio (R-FL), member of the Senate Select Committee on Intelligence, have expressed concern over the growing threat posed by deepfakes – sophisticated audio and video technologies that allow users to create fake audio and/or video files that falsely depict someone saying or doing something. In letters to 11 social media companies, including Facebook, Twitter, and YouTube, Sens. Warner and Rubio urged the platforms to develop industry standards for sharing, removing, archiving, and confronting the sharing of synthetic content as soon as possible, in light of foreign threats to the upcoming U.S. election. The letters also encouraged the platforms to develop clear policies to ensure their platforms are not exploited to spread disinformation or misinformation, including through authenticating media, labeling and archiving synthetic media content, and providing access to qualified outside researchers.

“As concerning as deepfakes and other multimedia manipulation techniques are for the subjects whose actions are falsely portrayed, deepfakes pose an especially grave threat to the public’s trust in the information it consumes; particularly images, and video and audio recordings posted online,” wrote the Senators. “If the public can no longer trust recorded events or images, it will have a corrosive impact on our democracy.”

“Despite numerous conversations, meetings, and public testimony acknowledging your responsibilities to the public, there has been limited progress in creating industry-wide standards on the pressing issue of deepfakes and synthetic media,” they continued. “Having a clear strategy and policy in place for authenticating media, and slowing the pace at which disinformation spreads, can help blunt some of these risks.  Similarly, establishing clear policies for the labeling and archiving of synthetic media can aid digital media literacy efforts and assist researchers in tracking disinformation campaigns, particularly from foreign entities and governments seeking to undermine our democracy.”

Deepfake technologies allow users to superimpose existing images and videos onto unrelated images or videos, essentially giving users the ability to create false and defamatory content that can be easily spread on social media.

In their letters to Facebook, Twitter, YouTube, Reddit, LinkedIn, Tumblr, Snapchat, Imgur, TikTok, Pinterest, and Twitch, the Senators emphasized that more than two-thirds of Americans get their news from social media sites, and stressed that online media platforms must assume a heightened responsibility for safeguarding public confidence. They also posed the following series of questions about each company’s ability to prevent, detect, and address deepfakes and other synthetic media:

  1. What is your company’s current policy regarding whether users can post intentionally misleading, synthetic or fabricated media?
  2. Does your company currently have the technical ability to detect intentionally misleading or fabricated media, such as deepfakes? If so, how do you archive this problematic content for better re-identification in the future?
  3. Will your company make available archived fabricated media to qualified outside researchers working to develop new methods of tracking and identifying such content?  If so, what partnerships does your company currently have in place?  Will your company maintain a separate, publicly accessible archive for this content?
  4. If the victim of a possible deepfake informs you that a recording is intentionally misleading or fabricated, how will your company adjudicate those claims or notify other potential victims?
  5. If your company determines that a media file hosted by your company is intentionally misleading or fabricated, how will you make clear to users that you have either removed or replaced that problematic content?
  6. Given that deepfakes may attract views that could drive algorithmic promotion, how will your company and its algorithms respond to, and downplay, deepfakes posted on your platform?
  7. What is your company’s policy for dealing with the posting and promotion of media content that is wholly fabricated, such as untrue articles posing as real news, in an effort to mislead the public? 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the CEO of TridentUSA Health Services today to ask about the company’s data security practices as they relate to Health Insurance Portability and Accountability Act (HIPAA) compliance. The letter comes in light of a report that MobileXUSA – an affiliate of TridentUSA Health Services – left an unencrypted server online, exposing the medical data of millions of Americans.

“It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices— no software vulnerabilities were involved, and no explicit hacking was required,” wrote Sen. Warner. “While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.”

According to recent reports, many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. As part of the report, researchers identified 187 servers in the U.S. – including that of MobileXUSA – that were unprotected by passwords or basic security precautions.

In the letter to TridentUSA Health Services, Sen. Warner stressed the importance of protecting Americans’ privacy and personal health information. He also posed the following questions for TridentUSA Health Services:

  1. HIPAA requires audit trails for PACS, which store the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant?
  2. PACS vulnerabilities are well known; however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls?
  3. What are your identity and access management controls for IP-addresses and/or port filters?
  4. Do you require VPN or SSL to communicate with your PACS?
  5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
  6. What are your server encryption practices?
  7. Do you have an internal security team or do you outsource it?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that have led to the compromise of Americans’ personal information. Last week, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. He also introduced legislation earlier this year to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.

 

Andrei Soran, CEO

TridentUSA Health Services

930 Ridgebrook Rd.

Sparks Glencoe, MD 21152

Dear Mr. Soran,

It has come to my attention that one of your affiliated companies, MobileXUSA, recently left an unencrypted server online, exposing sensitive medical images and health data of Americans. According to recent reporting, researchers found that 13.7 million data sets and 303.1 million images in medical image storage systems were freely accessible online with no authentication requirements to access or download the images. This left the MRIs, X-rays, and CT scans of millions of Americans exposed on the internet, not because of a breach, but simply because they were stored on 187 unprotected picture archiving and communication servers (PACS), including yours. Additionally, along with the sensitive medical images, according to the research, your server displayed the names of more than a million patients.

My colleagues and I in the Senate have been concerned about negligent cybersecurity practices in the health care space for a long time. Cybersecurity risks within the health care sector represent a growing threat, with 285 breaches reported between January and June of this year.  According to one report, there has been at least one healthcare-related data breach a day since 2016.  Just recently, the Senate Cybersecurity Caucus, of which I am a co-founder, convened a briefing that focused on healthcare and cybersecurity, particularly on the security of healthcare records which further highlighted the need for more robust cyber hygiene practices, and possibly additional standards.

It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices— no software vulnerabilities were involved, and no explicit hacking was required. While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.

To better understand how exactly millions of private medical scans were left open on the internet, I would appreciate your answers to the following questions:  

  1. HIPAA requires audit trails for PACS, which store the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant?
  2. PACS vulnerabilities are well known; however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls?
  3. What are your identity and access management controls for IP-addresses and/or port filters?
  4. Do you require VPN or SSL to communicate with your PACS?
  5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
  6. What are your server encryption practices?
  7. Do you have an internal security team or do you outsource it?

It is critical that the privacy of the individual– including their personal health information – is appropriately protected.  I look forward to hearing your response by October 9th, 2019. Any further questions can be directed to Leisel Bogan in my office at Leisel_Bogan@warner.senate.gov

Sincerely,

###

 

WASHINGTON – U.S. Sens. Mark R. Warner and Tim Kaine (D-VA) are urging the Consumer Product Safety Commission (CPSC) to launch a public safety campaign to educate the public about the dangers of beach umbrellas. The popular beach accessories can quickly become hazards when propelled by wind through the air, as has happened on several occasions in recent years, as in 2016, when Lottie Michelle Belk was struck in the torso and killed while vacationing in Virginia Beach with her family. Last month, a toddler was nearly impaled by a flying beach umbrella in North Myrtle Beach, S.C.

Today’s letter to Acting CPSC Chairwoman Ann Marie Buerkle is a follow-up to one the Senators sent in May along with Sens. Bob Menendez and Cory Booker (both D-NJ) regarding the documented safety risks posed by beach umbrellas. In a June response, the CPSC noted that an estimated 2,800 beach umbrella-related injuries were treated in emergency departments nationwide from 2010 to 2018. Despite that, the CPSC also noted that it currently does not regulate the safety of beach umbrellas and is unaware of any voluntary standards specifically for beach umbrellas. Today, the four lawmakers urged the U.S. Consumer Product Safety Commission (CPSC) to take more aggressive action to protect beachgoers from the dangers of wind-swept beach umbrellas that can cause serious injury or even death.

“As Americans flock to the beach this summer season, we believe it is imperative that the CPSC ensure that a day at the beach isn’t turned into a day at the emergency room,” the Senators wrote.  

The lawmakers mentioned other notable CPSC public education campaigns that have proven successful in changing people’s behavior and encouraging greater precaution. Specifically, they pointed to the 2010 “Safe Sleep Campaign” to educate parents and caregivers about how best to make nurseries safe; the 2015 “Anchor It!” campaign to warn of the dangers of furniture tip-overs; the annual July 4th fireworks safety campaign; and a 2017 alert to the public of fidget spinner choking hazards.  

The Senators also pressed CPSC on whether it has considered the efficacy of a weighted system or other safety measures that could be taken to reduce the risk of umbrellas becoming airborne and endangering beach-goers.

Full text of the letter is below and a copy can be found here.

 

July 29, 2019

Ann Marie Buerkle

Acting Chair, U.S. Consumer Product Safety Commission

4330 East West Highway

Bethesda, MD 20814

Dear Chairman Buerkle,

We write in the wake of your June 7, 2019 response to our May 2, 2019 letter regarding the documented safety risks posed by beach umbrellas. Your letter stated that, over the nine-year period from 2010-2018, an estimated 2,800 people sought treatment in emergency rooms for injuries related to beach umbrellas. A majority of those injuries were caused by a wind-blown beach umbrella. As we noted in our letter, unsafe beach umbrellas have even proved fatal to our constituents. 

As Americans flock to the beach this summer season, we believe it is imperative that the CPSC ensure that a day at the beach isn’t turned into a day at the emergency room. To that end, we write to specifically ask that the Consumer Product Safety Commission (CPSC) launch a public safety campaign to educate the public about the dangers of beach umbrellas. In addition, we write with additional follow-up questions regarding whether the Commission considered the efficacy of certain design or technical changes to beach umbrellas.

As your letter acknowledges, there is currently no CPSC-led public education campaign on the dangers of beach umbrellas. Yet, a July 6, 2019 tweet and Instagram post from the CPSC’s social media accounts remind consumers to properly stake their beach umbrellas.  We were pleased to see the CPSC take the issue of beach umbrella safety seriously. Notably, your June 7 letter states: “CPSC technical staff believes that an information sheet on the potential hazards could be developed.” We agree, and formally request that the CPSC develop safety and educational resources for the public. As you know, the CPSC has a history of such public safety campaigns.

In 2010, the CPSC implemented the “Safe Sleep Campaign” in part to “educate parents and caregivers about the most effective ways to make a nursery safe.” In 2015, the CPSC launched “Anchor It!”, a national public safety campaign to educate the public about the dangers of furniture tip-overs. In addition, every July 4th the CPSC reminds the public of the dangers of fireworks. In August 2017, the CPSC went so far as to warn the public of the dangers of fidget spinners, stating that the popular toys pose a choking hazard. Surely, the dangers of a beach umbrella turned flying spear – and the large number, and often gruesome nature, of these incidents – warrant the attention of the Commission.

Your June 7 letter stated that “[t]echnical staff does not believe a safety standard would have a substantial effect on injuries from beach umbrellas incidents.” The letter states that the CPSC considered requiring a performance standard, requiring umbrellas to “contain venting”, the development of a staking requirement, and the development of a warning label system. Your letter does not however indicate whether the CPSC considered the efficacy of a weighted system, or any other alternative system options. To that end, we request responses to the following questions:

1. Has the CPSC considered whether a weighted system, or another alternative, could best mitigate the risk of a wind-blown beach umbrella?

2. What information would factor into a decision as to whether the CPSC would recommend a weighted system or an additional or alternative safety feature for beach umbrellas?

3. Is the CPSC aware of any instance where an umbrella secured with a weighted system caused an injury?

We appreciate CPSC’s willingness to consider this issue and look forward to hearing back from you by August 30, 2019. Should you have further questions please contact Shelby Boxenbaum in Senator Menendez’s office at 202-224-4744.

Sincerely,

###