This country-specific Q&A provides an overview of technology laws and regulations relevant in the United States.
It will cover communications networks and their operators, databases and software, data protection, AI, and cybersecurity, as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Yes, communications networks and services are regulated. The Federal Communications Commission (“FCC”) regulates “telecommunications services,” which include radio and television (broadcast and cable) and telephone services (landline and wireless). Although the internet has not traditionally been regulated by the FCC, in 2015 the FCC implemented regulations to govern certain aspects of internet services, including prohibitions on providers of broadband internet services from limiting or controlling access to internet services (so-called “net neutrality” rules). In 2017, the FCC announced its intention to roll back such regulation to pre-2015 standards, under which the provision of broadband internet services was not considered a telecommunications service.
Licenses are required to operate radio and television (broadcast and cable) services, as well as telephone (landline and wireless) services. Any use of the radio spectrum that might cause interference with broadcast media requires a license from the FCC. The FCC regulates the electromagnetic spectrum (which is considered the property of the government) and allocates by license the use of any frequency.
Is there any specific regulator for the provision of communications-related services? Is it independent of government control?
Communications-related services are regulated by the Federal Communications Commission (“FCC”). The FCC is an “independent” agency governed by five commissioners, meaning that it makes decisions independent of direct government control. As a practical matter, however, the rules for appointing commissioners allow the President to appoint a majority of commissioners, so that the FCC’s policies will often reflect the policy preferences of the President.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
No, but the FCC will closely examine foreign ownership shares exceeding 25%. Long-standing FCC policy prohibiting foreign ownership (directly or indirectly) of more than 25% of a company holding a broadcast license was relaxed in 2013, with the FCC announcing that it would consider foreign ownership shares exceeding 25% on a case-by-case basis. Since then, the FCC has allowed foreign ownership shares in excess of 25% where the foreign owner is deemed not to represent a security risk. In February 2017, the FCC for the first time approved 100% foreign ownership of a broadcast radio station.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?
In general, operators of telecommunications services must not discriminate against other operators when interconnecting. Thus, for instance, providers of local telephone service must accept calls from all providers of long-distance telephone services.
The principle of non-discrimination was applied to providers of broadband internet services in 2015, prohibiting them from providing different levels of access to different websites (so-called “net neutrality”). Telecom operators are generally subject to competition and antitrust regulation by the Antitrust Division of the Department of Justice, which, among other things, regulates telecom mergers. Market power will be taken into consideration in such analysis. They are also subject to competition review by the FCC, which applies both traditional competition law considerations and a “public benefits” analysis when reviewing transactions.
Telecom services are subject to a broad range of consumer protection regulations. The principal ones are protections against consumer fraud and misrepresentation (largely regulated by the Federal Trade Commission (“FTC”)) and privacy protections, which are regulated largely by the FTC and the individual states.
FCC rules govern the terms of US telecommunications carriers’ interconnections with foreign telecommunications carriers that are presumed to possess sufficient market power in the foreign jurisdiction to affect competition adversely in the US market. The FCC maintains a list of such foreign carriers, revising the list from time to time.
What legal protections are offered in relation to the creators of computer software?
Computer software may be protected in a number of ways, including the use of patents (utility and design), copyrights, trade secrets, and licenses. Each has its advantages and limitations, so protection of computer software can often be layered to provide the broadest possible protection to creators of the software. It should be noted that the various protections are highly nuanced, so what follows below is a general description of each.
Moreover, there are statutory protections for certain software and computer systems, including the Digital Millennium Copyright Act (“DMCA”), which prohibits the circumvention of technological protection measures in order to unlawfully access software and computer systems. The DMCA’s anti-circumvention provisions can be applicable even if the material is not actually protected by copyright, such as if the code were public domain or open source. There is also an anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”). The CFAA makes it a violation punishable under both criminal and civil law to, among other things, intentionally access a computer without authorization and obtain information therefrom.
A. Patents. Patents are available to “whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof…” (35 U.S.C. §101). Beginning in 1981 with Diamond v. Diehr, 450 U.S. 175 (1981), computer software has generally been afforded protection as proper subject matter for patenting under this section, provided the software meets the other requirements of patentability, including novelty and non-obviousness. Since then, the scope of protection has fluctuated somewhat, with the U.S. Supreme Court’s 2014 decision in Alice Corp. v. CLS Bank International, 573 U.S. __, 134 S. Ct. 2347 (2014), limiting protection somewhat. Under current law, abstract ideas, such as an algorithm, method of computation, or other general principle embodied in computer software, are not patent eligible unless there is a further “inventive step,” which may involve a machine or transformation. So while computer software remains patent eligible generally, the scope of software that is patent eligible has been significantly narrowed and, in fact, remains in flux as further case law is developed. Design patents may be available for certain graphical user interface configurations.
B. Copyright. While patents, when available, protect the idea or functionality of computer software, copyright protects the expression of those ideas. Under U.S. law, computer programs are considered “literary works” under 17 U.S.C. §101. Copyright affords the copyright owner certain exclusive rights, including but not limited to, the right to copy, distribute, and to create derivative works of the software. Registration of the software is not required to secure copyright, but is generally required in order to sue for infringement.
C. Trade Secrets. One option for software developers is to maintain the software code as a trade secret. To be eligible as a trade secret, the concept must not be generally known in the industry and must provide a competitive advantage to the trade secret owner. Moreover, the owner must take affirmative steps to maintain its secrecy. Protection through trade secrets does not prevent reverse engineering of the software; therefore, trade secret protection may be used as an alternative to patent protection when the software is not easily accessible to a third party.
D. Licenses. Licenses for proprietary and open source software are also available for contractual protection. Licenses are generally bilateral between the software owner and the user and may include minor or major restrictions on the licensee. For example, the license may prohibit the licensee from exercising the exclusive rights of the software copyright owner while also restricting the licensee from reverse engineering the software. At other times, the license may grant to the licensee one or more of the exclusive rights afforded to the copyright owner, such as the right to distribute or create derivative works. Even “free” open source software is often protected by license using the various so-called “copyleft” licenses.
Are specific intellectual property rights in respect of data/databases recognised?
In the United States, there is no sui generis database protection comparable to that under European law, which provides independent protection for databases. That being said, copyright protection for databases is available as a compilation. However, the compilation requires originality with respect to the structure, sequence, and organization of the database, so databases such as a telephone directory are not protectable. Moreover, copyright protection does not protect against the extraction and use of underlying factual data within the database.
Additionally, the statutory protections of the DMCA are available, so technological restrictions on database access are permissible and will be enforced. Likewise, the CFAA, which proscribes hacking into databases, is available.
What key protections exist for personal data?
Sector-specific federal laws protect personal information in certain industries, such as health care, financial institutions, and telecommunications companies. Personal information is defined differently by the federal sector-specific statutes and their respective implementing regulations. For example, the federal Health Insurance Portability and Accountability Act (HIPAA) and its regulations require “covered entities,” such as hospitals and doctors’ offices, and “business associates,” which provide healthcare-related services to covered entities, to implement administrative, physical, and technical measures to prevent the disclosure of “protected health information” to unauthorized persons. The federal Department of Health and Human Services (HHS) can impose penalties against covered entities and business associates that fail to implement such required protections. HHS has imposed multi-million dollar penalties and has entered into settlement agreements with covered entities and business associates with multi-million dollar payment requirements.
Federal banking regulators, such as the Federal Deposit Insurance Commission (FDIC), can impose fines against FDIC-member banks that violate data security regulations, such as the Interagency Guidelines. The Federal Communications Commission (FCC) can similarly impose penalties against telecommunications companies that fail to secure “customer proprietary network information” (CPNI).
The Federal Trade Commission (FTC) has applied section 5 of the Federal Trade Commission Act to impose fines and to require corrective action by companies that represent that they will secure customers’ personal information and fail to do so. The FTC has also brought section 5 cases against companies that fail to implement security measures to protect personal information regardless of whether the companies made any security representations to potential customers.
Forty-eight of the 50 states in the United States, as well as Washington, D.C., Puerto Rico, the U.S. Virgin Islands, and Guam, have enacted data breach notification statutes that require businesses and other entities to notify customers, patients, employees, or other affected individuals when “personal information” has been accessed or acquired by an unauthorized individual. These statutes generally define “personal information” as including an individual’s first name or initial and last name, together with his or her Social Security number, payment card number, financial account number, driver’s license number, state identification card number, or passport number. Several states’ definitions of “personal information” are broader. State attorneys general may enforce these state statutes as authorized by the state’s breach notification law or pursuant to the state’s consumer protection statute. State attorneys general contend that the law of the state where a potentially affected individual resides determines which state’s law applies, regardless of where the affected entity is located. The state statutes generally require that organizations send notifications as soon as possible, although some states’ laws require organizations to send such notifications within 30 or 45 days after an incident is discovered.
Are there restrictions on the transfer of personal data overseas?
No, there are no restrictions on the transfer of US personal data overseas.
What is the maximum fine that can be applied for breach of data protection laws?
There is no maximum fine in most circumstances. Fines are determined in the first instance by the regulator or state attorney general enforcing the statute or regulation. The targeted organization may appeal a fine through the courts. One exception is that the federal Department of Health and Human Services may apply a maximum fine of $1.5 million per year for each HIPAA violation.
Are there any restrictions applicable to cloud-based services?
There are no data security restrictions that apply only to cloud-based platforms. Regulated businesses and other entities that use cloud platforms to store or process personal information must secure the information on the cloud platform in a manner that satisfies generally applicable regulations.
Are there specific requirements for the validity of an electronic signature?
No, a provision of the federal E-Sign Act defines “electronic signature” as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” 15 U.S.C. § 7006(5). Pursuant to this definition, any typewritten, digital, or other symbol that an individual intends to serve as his or her electronic signature may serve as a legally valid signature. The federal law applies to transactions in interstate and foreign commerce. Id. at § 7006(13). The E-Sign Act generally preempts the laws of any states in the United States that are contrary to E-Sign. Id. at § 7001.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No transfer of employees, assets, or contracts would occur automatically. If the organization has contracts with other service providers or independent contractors to perform work that will be transferred, the organization and the other service providers and contractors can agree to transfer those services to the new outsourcing provider. The organization and affected employees can also negotiate with the outsourcing provider to hire the organization’s affected employees. There is no requirement, however, that the organization, the employees, or the new outsourcing provider agree to such employment transfers.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Currently, liability for malfunctioning artificial intelligence programs may be based on tort, in which liability is found only where the developer was negligent or could foresee harm, or on contractual agreements such as End User License Agreements, in which the parties allocate the risk of liability among themselves.
What key laws exist in terms of obligations as to the maintenance of cybersecurity?
There is no one US federal requirement for the maintenance of cybersecurity. Instead, the adequacy of cybersecurity is governed by a patchwork of federal industry-specific laws, by the Federal Trade Commission (FTC) under its authority to protect consumers from “unfair and deceptive trade practices,” and by a number of state laws. The following sections summarize some of the key regulations governing cybersecurity and the industries to which they apply, but should not be considered an exhaustive list of US cybersecurity regulations.
- FTC Act: The general law governing privacy is Section 5 of the Federal Trade Commission Act, which gives the FTC authority to regulate unfair and deceptive trade practices. The FTC has brought actions alleging “deceptive” cybersecurity practices against companies who made misleading representations in their privacy policies regarding their data protection practices. In 2015, the Third Circuit Court of Appeals affirmed the FTC’s authority to regulate “unfair” cybersecurity practices even in the absence of any deceptive or misleading statements. The Wyndham ruling clearly signaled that the FTC had jurisdiction to regulate companies who chose to go without minimal security measures, such as firewalls, encryption, access controls, vendor management, and incident response planning. The ruling also indicated that information security programs and incident response plans should not be static but should adapt to changing threat landscapes.
In addition to the general provisions of Section 5, certain industries are subject to industry-specific security obligations:
- Healthcare Providers and Payers: The Health Insurance Portability and Accountability Act of 1996 requires certain healthcare providers and payers (“covered entities”) and their “business associates” to protect the privacy and security of certain protected health information (“PHI”). HIPAA’s Security Rule establishes minimum security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form. These security requirements consist of administrative, technical, and physical safeguards, and are required to take into account: (1) the size, complexity, and capabilities of the covered entity; (2) the covered entity’s technical infrastructure, hardware, and software security capabilities; (3) the cost of security measures; and (4) the probability and criticality of potential risks to electronic protected health information.
- Financial Institutions: The Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions to maintain security controls to protect the confidentiality of personal consumer information. The Rule requires financial institutions to develop and implement a comprehensive information security program, which “must be appropriate for the size, complexity, nature and scope of the activities of the institution,” and must be made up of administrative, technical, and physical security measures.
- New York Financial Institutions: The New York Department of Financial Services Cybersecurity Requirements for Financial Companies went into effect March 1, 2017. The new regulation requires financial services firms licensed in New York to have a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems. The program should be based on a risk assessment, and should include controlled access to company systems, the development of an incident response plan, and notification procedures. Financial institutions subject to the regulation are also required to designate a Chief Information Security Officer (CISO), who is required to submit a report on cybersecurity to the Board of Directors or equivalent governing body.
- Government Contractors: Government contractors will be subject to strict new cybersecurity regulations as of December 31, 2017. Contractors who do business with the Department of Defense are subject to the Defense Federal Acquisition Regulation Supplement (DFARS), which requires that all contractors provide “adequate security on all covered contractor information systems” (those systems that house or touch “covered defense information”). The new DFARS requirements mandate that covered contractors meet more than 100 security requirements specified in National Institute of Standards and Technology (NIST) SP 800-171. Non-defense contractors subject to the Federal Acquisition Regulation are required to protect information systems that process, store, or transmit “Federal contract information.” These systems are subject to 15 standards, relating to six of the fourteen security control families in NIST SP 800-171.
- California: The California Department of Justice (CDOJ) has promulgated guidelines that cite 20 security controls identified by the Center for Internet Security that “constitutes a minimum level of security – a floor – that any organization that collects or maintains personal information should meet.”
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Computer Fraud and Abuse Act (“CFAA”), enacted in 1986 and repeatedly amended in the years following, governs the criminality of hacking and other unauthorized access to computers. CFAA provides, essentially, that whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer, if the conduct involved an interstate or foreign communication, shall be punished under the Act. The CFAA is primarily applied as a criminal law, but was amended in 1994 to allow civil actions as well.
CFAA specifically prohibits seven types of criminal activity:
- Obtaining national security information
- Compromising confidentiality
- Trespassing in a government computer
- Accessing to defraud and obtain value
- Damaging a computer or information
- Trafficking in passwords
- Threatening to damage a computer
A violation of the CFAA may occur either when an individual trespasses into a computer “without authorization” or when an individual “exceeds authorized access,” but courts have been unable to reach consensus on the meaning of those terms, leading to a split among the Circuit Courts of Appeals on the scope of applicability of the CFAA to various kinds of conduct.
The CFAA is the subject of considerable controversy, since many believe the law is ambiguous, has failed to keep pace with changes in technology, and does not address the many ways in which insiders and outsiders may access or steal data. To date, however, there has been no consensus on reform, despite several proposals before Congress, most notably “Aaron’s Law,” a bipartisan bill introduced in 2013, and a subsequent reform proposal by the Obama administration in 2015.
What technology development will create the most legal change in the jurisdiction?
The rapid deployment of blockchain technologies and digital currencies is likely to significantly transform a large number of industries – banking, domestic and international commerce, real estate transactions, privacy/cybersecurity, just to name a few – in coming years. That transformation will drive legal and regulatory change, as existing laws may not be easily applied to innovative blockchain solutions, forcing the development and adoption of new rules. In addition, the rise of blockchain technologies – smart contracts and sovereign digital identities in particular – are likely to change the kinds of work that lawyers do, and to replace existing legal protections such as real estate title searches and data privacy regimes with seamless, self-governing and self-executing solutions.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
US laws addressing critical technology issues tend to fall into one of two groups. The first group – including the Electronic Communications Privacy Act, the Stored Communications Act, and the Computer Fraud and Abuse Act, all originally enacted in 1986 – includes specific prohibitions and permissions, but these laws are outdated and ill-suited to modern internet, data sharing, and storage practices. Efforts to apply these laws to current practices have led to splits among the circuit courts, and to confusion and frustration among US technology companies as to what conduct they may engage in.
The second group of laws – including those intended to protect consumer financial and healthcare privacy (the Gramm-Leach-Bliley Act and HIPAA), as well as the Federal Trade Commission (“FTC”) Act, which has been interpreted to permit the FTC to regulate privacy and cybersecurity – suffers from the opposite problem. Rather than incorporating specific provisions that can become outdated, these laws suffer from vagueness and overbreadth, prohibiting such things as “unfair or deceptive” practices and admonishing companies to ensure they have “reasonable and appropriate administrative, technical and physical safeguards” or face legal sanctions. Companies subject to these broadly worded laws are forced to guess as to how they will be applied in a rapidly evolving technological and business landscape.
Do you believe the legal system specifically encourages or hinders digital services?
To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?
The legal industry is uniquely ready to deal with the issues Artificial Intelligence raises, because it was constructed with flexibility in mind. As new ways of doing business, of communicating, and of memorializing human interactions have come (and sometimes gone), the legal industry has adapted and changed the way attorneys practice - as well as how attorneys support their clients. And, too, in addition to justice, the practice of law is part intentional contrivance and part pageantry - rules determined by people, for people. In that same vein, attorneys, judges, and the legislature will determine the extent to which Artificial Intelligence supports and furthers legal work, rather than simply being pulled along the march of progress generally.