This country-specific Q&A provides an overview to technology laws and regulations that may occur in the United States.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Providers of “telecommunications services” are regulated as common carriers by the Federal Communications Commission ("FCC") and many state public utility commissions ("PUCs"). The term “telecommunications service” is defined by the FCC to mean the offering of telecommunications – i.e., the transmission of information of the user’s choosing, without change in the form or content of the information as sent and received – for a fee directly to the public, or to such classes of users as to be effectively available directly to the public. International common carriers are required to obtain FCC authorization. In addition, most states, including California, require intrastate domestic common carriers to obtain a state authorization.
The Telecommunications Act of 1996 is the primary law applicable to telecommunication services, including telephony, radio, broadcast and, to a limited extent, Internet services. The Act regulates telecommunication carriers' interconnection obligations, universal service obligations, broadcast spectrum and ownership provisions, cable services and restrictions related to obscenity and violence in programming. The Act had also applied to Internet services under the so called "net neutrality" rules, but recently the FCC overruled its prior finding that Internet services were telecommunication services regulated under the Act, and has rolled back associated net-neutrality regulations. At the state level, state public utility commissions have limited overlapping jurisdiction with the FCC, and can set rates for smaller rural telecom providers and establish franchises for cable service.
Licenses are required to provide telephony services (both landlines and wireless), as well as radio and television (broadcast and cable) services. Citizens band ("CB") radio may be operated without a license; otherwise, use of the public radio frequency spectrum for radio, television or wireless telephony requires authorization from the FCC and allocation of spectrum.
Section 214 Authorization. All new common carriers must register with the FCC and provide certain contact information. The FCC provides blanket authority for the provision of interstate telecommunications service on a common carrier basis, and this blanket authority covers all providers. Consequently, unlike international common carriers, which must secure Section 214 authorizations, interstate common carriers are not required to apply for prior FCC authorization. Before providing any international telecommunications service between the United States and another country, a new common carrier must apply for and obtain an international Section 214 authorization from the FCC.
Although foreign entities may hold international Section 214 authorizations, the application
process for a foreign entity to obtain a Section 214 authorization can take more than a year.
Team Telecom, a working group representing the U.S. Executive Branch, reviews Section
214 applications that involve foreign ownership to determine whether they raise national
security, law enforcement, foreign policy, or trade policy issues, and there is no deadline by
which Team Telecom must complete this review.
Intrastate telecommunications services are regulated by state PUCs. Although each state’s rules and procedures differ, many states require intrastate common carriers to register or obtain a state license prior to providing telecommunications services. Certain states, including California, mandate an application and approval process. In California, this approval process can take six to nine months. Other states merely require prior notice.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The primary federal regulator of communications-related service is the FCC. The FCC is an agency of the U.S. government. It is directed by five commissioners appointed by the President of the United States for 5 year terms. Although it is an independent agency of the federal government, the appointment process has become politicized in recent years, and commissioners frequently espouse the policy positions of the administration that appoints them.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
When a corporation is directly or indirectly controlled by another corporation, the FCC traditionally reserved the right to refuse to approve a licence if more than a 25% interest in the controlling company is foreign and if the Commission finds it in the public interest to do so. In 2013, the FCC announced a policy change that it would review foreign ownership above 25% on a case-by-case basis. There are additional restrictions on the nationality of management that apply in the case telephone companies having a common carrier radio licence. No license has been denied on the basis of foreign investment. Wireline common carriers are not subject to these restrictions.
The FCC may deny certain radio licenses to parent corporations with greater than 25% foreign investment only if the public interest is served by this refusal. When a foreign-organized company files an application with the FCC to provide US international telecommunications services, or to acquire control of an existing provider of US domestic or international telecommunications services, the FCC seeks the advice of US Executive Branch agencies with respect to national security, law enforcement, and foreign policy and trade policy concerns. In addition, the Telecommunications Communications Act of 1996 does not allow the FCC to grant a radio license to a foreign government. It also does not allow the FCC to grant a common carrier (or broadcast, aeronautical fixed, or aeronautical en route) radio license to a foreign individual or corporation, or to a US corporation of which more than 20% of the stock is owned or voted by foreign individuals, corporations or governments. However, where an applicant for a common carrier radio license has a controlling US parent with greater than 25% foreign investment, the Telecommunications Act of 1996 allows the FCC to deny the license only if the public interest is served by this refusal.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
Yes, the Telecommunications Act of 1996 requires local exchange carriers ("LECs") to interconnect with other carriers, and specifies the requirements for LECs to meet the interconnection requirement in their negotiated agreements with other carriers. LECs must provide interconnection at reasonable rates and in a timely manner, and their interconnection agreements are subject to approval of state public utility commissions. While LECs are required to provide interconnection on fair terms, reasonable rates and in a non-discriminatory manner, there is no separate set of rules for LECs with market power.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The FCC's Telecommunications Consumers Division is tasked with protecting consumers from fraudulent and misleading practices. The FCC also protects consumer privacy by restricting the disclosure of customer proprietary network information ("CPNI"). The FCC has recently issued new rules to protect consumers against "slamming" and "cramming" fraud. The Federal Trade Commission ("FTC") has enforcement authority with respect to false and deceptive business practices. A recent federal appellate court ruling affirmed the FTC's authority over common carriers with respect to such practices.
The Telephone Consumer Protection Act of 1991 restricts telemarketing activities, including text messaging, and the use of automated dialing technologies in consumer solicitations, and established a "do not call" registry. The interconnection requirements for data networks are no longer regulated since the recent real of the FCC net neutrality regulations.
See previous question.
What legal protections are offered in relation to the creators of computer software?
Software is protected by U.S. copyright laws and international treaties. Registration of copyright is available (and required for enforcement proceedings), but copyright protection attaches from the moment the work is fixed. The source code to software, if properly maintained in confidence, may be treated as a trade secret. Software may also be eligible for patent protection; however, the patent-eligibility of software has been narrowed significantly by the courts in recent years.
The U.S. Supreme Court recognized software implemented business processes as patentable in its 1998 State Street Bank decision. After a decade of overly broad software patents issued by the patent office, the Supreme Court once again ruled on the patentability of software-implemented business processes in Bilski v. Kappos and substantially narrowed their eligibility for patent protection. Subsequently, in Alice Corp v. CLS Bank, the Supreme Court emphasized that embodying otherwise common aspects of business operations in software would not be eligible for patent protection.
Software is also protected by contract under the terms of the licensor's license agreement. In 1996, a federal appellate court in Pro CD v. Zeidenberg held that shrinkwrap license agreements were enforceable and not pre-empted by the Copyright Act.
Do you recognise specific intellectual property rights in respect of data/databases?
There is no sui generis protection of databases under U.S. law. Under Feist Publications v. Rural Telephone Service Co., 499 U.S. 340 (1991), the United States Supreme Court held that copyright protection is only provided to those original components of the database, and does not extend to the underlying material or data. (17. U.S.C. § 103(B)). No matter how much effort (i.e., “sweat of the brow”) is put into creating a database, only the original elements of the database are protected by copyright.
In most cases, only the selection, coordination, and arrangement of facts is protectable, (17 U.S.C. § 101), and then only if it is original. The Feist case addressed a phone directory, and the Court held that neither the elements of the database (phone numbers) nor the selection (all numbers within a geographic area), coordination (organized by surname), or arrangement (alphabetical order) were protectable under U.S. copyright law.
What key protections exist for personal data?
The U.S. does not have omnibus protection for personal data; rather, it has taken a sectoral approach. Health related information is protected under the Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA's Privacy Rule (and the privacy requirements under the HITECH Act) regulate the use and disclosure of protected health information by "covered entities", such as health plans, insurers and medical service providers, as well as "business associates", such as contractors and other service providers to covered entities. Individuals have a right to know the protected health information held by a covered entity and to require the correction of inaccurate information. HIPAA's Security Rule requires covered entities and business associates to maintain administrative, physical and technical measures to protect health information.
Consumer financial data is protected under the Financial Privacy Rule pursuant to the Gramm-Leach-Bliley Act ("GLBA"). The Privacy Rule requires financial institutions to provide privacy notices to consumers that permit them to opt out of sharing financial data with unaffiliated third parties. GLBA's Security Rule requires written security procedures to be in place for the safeguarding of consumer financial information. The Fair Credit Reporting Act ("FCRA") and the Fair and Accurate Credit Transactions Act ("FACTA") regulate the use of consumer credit information, entitle consumers to a free copy of their credit report from each credit reporting agency and provide for disputing inaccurate information.
All 50 states have enacted legislation requiring notice to customers when a security breach has or is reasonably believed to have exposed a consumer's personal information. Personal information under data breach is typically defined as a first name or initial, a last name, plus a social security number, driver's license or state ID number or an account number with a password or PIN. Recently, states have expanded this definition to include login credentials plus password. Recently, some states have begun to include biometric information as personal data for purposes of breach notification laws. The threshold for notice, timing requirements and liability vary by state.
There are also recent developments in state law that are expanding privacy protections beyond specific sectors. When the California Consumer Privacy Act of 2018 comes into effect in 2020, all businesses in California will have to observe restrictions on data monetization, accommodate individuals' rights to access, deletion, and porting of personal data.
Are there restrictions on the transfer of personal data overseas?
Where personal data may be transferred, there are no statutory restrictions on the transfer of such data overseas.
What is the maximum fine that can be applied for breach of data protection laws?
Typically, violations of data protection laws permit recovery of actual or statutory damages and attorneys' fees. Privacy violations under the FTC Act have a maximum fine of $16,000 per violation. Civil violations of HIPAA have a maximum fine of $1.5M. The maximum civil fine for GLBA violations is $1M.
Are there any restrictions applicable to cloud-based services?
Data protection statutes are not directed at specific technologies. Therefore, there are no regulations that apply only to cloud providers.
Are there specific requirements for the validity of an electronic signature?
Yes, the federal Electronic Signatures in Global and National Commerce Act ("E-SIGN") and the state implementations of the Uniform Electronic Transactions Act ("UETA") both address the use of electronic signatures. Both statutes provide that a signature, record or contract cannot be denied effectiveness solely because it is signed in electronic form. Notably, the statutes exclude certain documents and instruments from their scope, including wills, adoption and divorce records, court documents, and documents (other than contracts) governed by the Uniform Commercial Code (which would include negotiable instruments and security agreement).
In order for electronic signatures to be valid, the parties must consent to doing business electronically. Before a consumer can consent to use of an electronic signature, E-SIGN provides a list of disclosure requirements that must be met, including the records covered by the consent, how to withdraw consent, and how to update contact information to contact the consumer electronically.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
There are no statutes that would automatically transfer employees, assets or third party contracts to a service provider in the event of an outsourcing. Any such transfer would be part of the negotiated agreement between the customer and outsourcing provider. It is common for some segment of customer employees in the affected area to be "rebadged" as service provider employees. Although not as common as in the past, outsourcing providers do agree to the transfer of assets to be used in the outsourcing from the customer's balance sheet to the service provider's. It is also typical for some third party contracts relating to the outsourced scope of service to be assigned or at least managed by the service provider.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
The liability for malfunctioning of an AI will typically be determined by the terms of the agreement under which the AI was provided. License agreements frequently limit the liability of the licensor/provider, and may even require the licensee/user to indemnify the licensor for liabilities arising from the licensee's use (regardless of malfunction).
In the absence of a contractual relationship, the liability analysis would be in tort. The injured party would have to demonstrate negligence - that it was owed a duty of care, that the duty was breached, and that the malfunction was the cause of the injury. Depending upon the facts, a tort claim could be maintained against the developer/licensor or against the user who deployed the AI.
What key laws exist in terms of obligations as to the maintenance of cyber security?
Cybersecurity requirements are set forth in a number of different federal and state laws. As previously noted, both HIPAA and GLBA have security regulations that require the covered entity or institution to maintain administrative, physical and technical measures to protect the controlled data. A federal appellate court has upheld the enforcement authority of the FTC with respect to companies using inadequate measures to secure consumer information.
States may also regulate cybersecurity requirements. New York State's recently enacted NYDFS Cybersecurity Regulation requires covered financial services companies to adopt a program to identify cybersecurity threats and responses, maintain a cybersecurity policy consistent with ISO 270001, appoint a chief information security officer, use multi-factor authentication for inbound network connections and encrypt sensitive data. Entities must certify compliance annually.
Massachusetts enacted a comprehensive law, the Standards for the Protection of Personal Information of Residents of the Commonwealth, that requires all persons or entities that maintain personal information of a Massachusetts resident to implement a written information security plan containing appropriate administrative, technical and physical safeguards for such data.
The newly enacted California Consumer Privacy Act of 2018 allows aggrieved consumers to sue companies for unauthorized access or disclosure of personal data in violation of a business' duty to implement and maintain reasonable security procedures and practices.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
Hacking and DDoS attacks implicate the following statutes:
The primary federal criminal statute regulating “hacking”, distributed denial of service attacks or other computer crimes, in themselves, is the Computer Fraud and Abuse Act (the “CFAA”), 18 U.S.C. § 1030. The CFAA criminalizes various computer-related conduct, such as intentional access to protected computers without authorization obtaining information (18 U.S.C. § 1030(a)(2)(c)); knowing access to protected computers with intent to defraud if the value of the use exceeds $5,000 (18 U.S.C. § 1030(a)(4)); knowing transmission of programs, information, codes, or commands and thereby intentionally causing damage to protected computers (18 U.S.C. § 1030(a)(5)(A)); intentional access to protected computers without authorization and the resulting damage (18 U.S.C. § 1030(a)(5)(B-C)). The phrase “protected computer” in the CFAA refers to any computer used in interstate or foreign commerce or communication. 18 U.S.C. § 1030(e)(2)(B).
It also should be noted that certain other federal statutes, such as the Securities Act of 1933, have been amended to cover computer-related conduct, and, therefore, each such statute must be addressed separately. Moreover, computer-related crimes such as hacking also can be prosecuted under numerous other federal statutes, including, e.g., the Copyright Act, the National Stolen Property Act, mail and wire fraud statutes, the Electronic Communications Privacy Act of 1986, the Telecommunications Act of 1996, and the Child Pornography Prevention Act of 1996.
Finally, many states have enacted anti-hacking and/or anti-wiretapping laws designed to address computer-related crimes. State consumer fraud statutes and other state tort and contract theories (e.g., trespass, invasion of privacy) also may be used to address computer crimes such as hacking.
What technology development will create the most legal change in your jurisdiction?
The Internet of Things, or network-connected smart devices, will drive significant legal change. For example, autonomous vehicles (reliant on network-connected sensors) require a rethinking of legal relationships, from who bears tort liability in the event of an injury, to the nature of driver and vehicle insurance. Smart devices may be capable of entering into contracts with other devices, using self-executing provisions maintained on a blockchain. These technological developments will require a re-evaluation of basic principles of contract law, including 'meeting of the minds' and contracting capacity.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
The increasing momentum for privacy protections that fail to address big data and use of artificial intelligence will create impediments to economic growth. Businesses are just beginning to develop and deploy artificial intelligence solutions that rely on ingestion of very large data sets to capitalize on the network effects of AI. Omnibus data privacy statutes, such as the recently enacted California Consumer Privacy Act of 2018, severely limit secondary usage of personal data. Then salutary effects of giving individual consumers more control over the use of their personal data may come at a cost of curtailing the evolution of artificial intelligence.
Do you believe your legal system specifically encourages or hinders digital services?
The U.S. legal system generally encourages the growth of digital services by having a legal climate that supports the freedom of contracting parties to fashion the terms that govern their relationship. The U.S. does not have an excessively burdensome licensing regime for digital services so that there are low barriers to entry and the potential for robust competition. Constitutional first amendment protections encourages the development of digital services by mandating that any regulation must be content neutral.
Recently, the FCC rolled back its "net-neutrality" regulations that were designed to ensure non-discriminatory access to network infrastructure, and regulatory agencies greenlit mergers that have resulted in a greater concentration of digital service providers. Whether these developments have anti-competitive effects in the digital services market remains to be seen.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
The U.S. legal system is not well-suited to address legal issues associated with artificial intelligence. First, there is no sui generis protection of databases, and therefore the right to use databases is either subject to bilateral contract terms or not well-settled by statute. Second, foundational principles of contract law are based upon the intentions of the contracting parties, which is a standard that is inapt for machine based contracting. Third, injury related jurisprudence under tort law is based on a fault regime that is difficult to apply to artificial actors. The U.S. legal system is not unique in facing these challenges, as artificial intelligence will require all legal systems to re-evaluate the application of basic legal principles.