February 2019 Legal Report
This month’s “Legal Report” is a roundup of major security-related legislation considered by the 115th U.S. Congress, which concluded in January 2019. Included in this summary are public laws that went into effect and legislation that was introduced but failed to pass. The bills that failed were nullified, and members of Congress will have to reintroduce them in the 116th Congress.
The U.S. House of Representatives passed a bill that failed to advance in the U.S. Senate that would have created punishments for individuals who have been forcibly removed from the United States or denied admission who enter—or attempt to enter—the country.
The bill (H.R. 3004) would have allowed the United States to fine and imprison—for up to two years—non-U.S. citizens who enter, or attempt to enter, the country after being excluded, deported, removed, or denied admission.
U.S. President Donald Trump signed legislation into law that requires the National Background Investigation Bureau (NBIB) to report on the security clearance backlog.
The SECRET Act of 2018 instructs the NBIB to report to the Executive Office of the President on the current security clearance backlog; the bureau must then create a mitigation plan to identify the cause of the backlog, along with recommendations to address it.
The act also instructs the Office of the Director of National Intelligence to report to Congress and the president about implementing “governmentwide continuous evaluation programs” and U.S. agency initiatives to meet requirements for “reciprocal recognition to access classified information,” according to the law.
President Trump signed legislation into law that created an institute to train local law enforcement and other partners to investigate and prevent cybercrime. The law (P.L. 115-76) authorized a National Computer Forensics Institute within the U.S. Secret Service through 2022 to share information related to investigations and prevention of cyber and electronic crime, and to educate, train, and equip local law enforcement, prosecutors, and judges. The institute will train attendees about methods to obtain, process, and store digital evidence for use in court proceedings. It will also help with the expansion of the Secret Service’s Electronic Crime Task Force by adding officers who have completed training through the institute. Another new law created new requirements for agencies addressing cybersecurity risks.
The act (P.L. 115-236) required the National Institute of Standards and Technology (NIST) to consider small businesses when it creates and supports the development of voluntary, industry-led guidelines and procedures to reduce cyber risk to critical infrastructure. The Senate failed to advance legislation passed by the House that would have required entities to create internal risk control mechanisms to safeguard and govern market data storage.
The Market Data Protection Act of 2017 (H.R. 3973) would have required the U.S. Securities and Exchange Commission, the Financial Industry Regulatory Authority, and the Consolidated Audit Trail—in consultation with a chief economist—to establish comprehensive internal risk control mechanisms to safeguard and govern the storage of market data, market data sharing agreements, and academic research. After the Equifax breach, legislation stalled in the House that would have required some companies that store Americans’ data to meet specific security and privacy requirements.
The Consumer Privacy Protection Act (H.R. 4081) would have required companies that collect and store data on at least 10,000 Americans to implement a “comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity,” according to the bill. Covered data would have included Social Security, driver’s license, and passport numbers; financial account and debit or credit card numbers in combination with PINs; usernames and passwords; and biometric data.
The Senate did not advance legislation introduced for the second time by U.S. Senator Bill Nelson (D-FL) that would have required companies to disclose data breaches within 30 days of becoming aware of the breach.
Under the bill (S. 2179), companies would have had to report the breach, and any individual who concealed data about the breach could have faced up to five years in prison.
Nelson introduced the legislation after it was revealed that Uber paid hackers $100,000 to destroy documents and hide evidence of a data breach of more than 57 million records—including personally identifiable information from customers and drivers.
President Trump signed legislation into law that nullified a payments disclosure requirement instituted as part of financial reform after the 2008 recession.
The resolution (H.J. Res. 41) eliminated the “Disclosure of Payments by Resource Extraction Issuers” rule that the U.S. Securities and Exchange Commission finalized in July 2016. The rule required resource extraction issuers to disclose payments made to governments for the commercial development of oil, natural gas, or minerals.
The House passed legislation that later stalled in the Senate that would have allowed people with concealed carry permits to carry firearms across state lines.
The bill (H.R. 38) would have allowed people with concealed carry permits and a valid government-issued photo ID to carry their firearms into another state. It also would have required agencies to report criminal history records to the FBI’s National Instant Criminal Background Check System (NICS).
The second provision of the bill was added after the First Baptist Church shooting in Sutherland Springs, Texas, where a gunman was able to purchase a firearm because his criminal record was not entered into the NICS prior to the purchase.
As part of the new U.S. tax law (P.L. 115-97), businesses are now prohibited from deducting the cost of sexual harassment or sexual abuse settlements if the payment is subject to a nondisclosure agreement.
President Trump signed legislation into law that prevents the U.S. Coast Guard from implementing previous identification requirements.
Under the law (P.L. 115-230), the military branch will not implement previously required Transportation Worker Identification Credential (TWIC)-Reader Requirements for the time being.
The law also requires the secretary of homeland security to report to the House Committee on Homeland Security, the Committee on Transportation and Infrastructure, and the Committee on Commerce, Science, and Transportation about the effectiveness of the TWIC program. After this report, the U.S. Department of Homeland Security may propose a new rule to implement TWIC readers.
A new law eliminates a rule requiring employers to create and maintain records of work-related injuries and illnesses.
The resolution (P.L. 115-21) eliminated the rule created by the U.S. Department of Labor in 2016, which required employers to record injuries and illnesses on U.S. Occupational Safety and Health Administration (OSHA) 300 Log and 301 Incident Report forms within seven calendar days of becoming aware that the injury or illness occurred.
President Trump also signed legislation into law that authorizes the U.S. Capitol Police Board to make payments to the U.S. Capitol Police Memorial Fund.
The Wounded Officers Recovery Act of 2017 (P.L. 115-45) allows payments to be given to families of U.S. Capitol Police employees who were killed in the line of duty or sustained serious line-of-duty injuries. The legislation was passed and enacted in response to a shooting in Alexandria, Virginia, that targeted members of Congress who were practicing for the annual Congressional Baseball Game. Two Capitol Police officers were wounded in the incident, along with a member of Congress.
The Senate failed to advance legislation that passed in the House that would have modernized the Committee on Foreign Investment in the United States (CFIUS).
The bill (H.R. 5841) would have made changes to CFIUS to better guard against national security risks to the United States posed by foreign investment. Specifically, the bill would have given CFIUS jurisdiction over joint ventures, minority position investments, and real estate transactions near U.S. military bases and national security facilities.
The bill also would have updated CFIUS’s definition of “critical technologies” to include emerging technologies essential for the United States to maintain a technological advantage over its adversaries.
The House passed legislation that would have updated privacy protections for electronic communications stored by third-party service providers, but the bill stalled in the U.S. Senate.
The Email Privacy Act (H.R. 387) would have updated the Electronic Communications Privacy Act (ECPA) to require all U.S. government agencies to obtain a warrant to search Americans’ online communications, regardless of when the email was written.
The House passed legislation, which did not advance in the Senate, that would have provided grant money for school safety measures.
The Students, Teachers, and Officers Preventing (STOP) School Violence Act (H.R. 4909) would have authorized $750 million in U.S. federal funding for 10 years to train school personnel, students, and law enforcement to prevent student violence.
Grant money could also have been used to develop anonymous reporting systems for threats, implement deterrent measures like metal detectors, or install technology for expedited notification of law enforcement during an emergency.
The bill was introduced after the Marjory Stoneman Douglas High School shooting in Parkland, Florida, which left 17 dead after a former student opened fire on campus.
Congress reauthorized and President Trump signed legislation that allows electronic surveillance tools to continue for another six years.
The law (P.L. 115-118) renews Section 702 of the Foreign Intelligence Surveillance Act, which allows U.S. agencies to monitor communications of foreigners on foreign soil without a warrant.
The Senate failed to advance legislation passed in the House that would have protected diplomats from surveillance by consumer devices.
The bill (H.R. 4989) would have directed the U.S. Department of State to create a policy on the use of location-tracking devices at U.S. diplomatic and consular facilities. Government employees, staff, contractors, and members of other agencies working at those facilities would be subject to the policy.
The bill was introduced in response to revelations that a fitness app used by U.S. military personnel revealed sensitive information about base locations and troop movements.
The House passed legislation that would have given nonprofit organizations access to grant funds to prevent terrorist attacks, but it stalled in the Senate.
The bill (H.R. 1486) would have authorized $30 million in grants for nonprofit organizations that the U.S. Department of Homeland Security (DHS) deemed to be at risk of a terrorist attack. The funds would have been used to purchase security equipment, physical and cybersecurity training, target hardening, and terrorism awareness.
President Trump signed legislation into law that created a program to protect food, agriculture, and veterinary systems from acts of terrorism.
The law (P.L. 115-43) directs the assistant secretary for health affairs for DHS to create a program to coordinate its efforts to defend food, agriculture, and veterinary systems against terrorism and other high-consequence events that are a risk to homeland security.
The program will be designed to lead DHS initiatives to prepare for and respond to agricultural terrorism. It will be coordinated with U.S. Customs and Border Protection on activities related to food and agriculture security and screening procedures for domestic and imported products.
President Trump signed legislation into law that will enhance efforts to combat human trafficking in the transportation sector.
The Combating Human Trafficking in Commercial Vehicles Act (P.L. 115-99) directs the U.S. Department of Transportation (DOT) to designate an official to coordinate human trafficking prevention efforts across the U.S. federal government and consider the challenges of combating human trafficking when several transportation modes are used.
President Trump also signed the No Human Trafficking on Our Roads Act (P.L. 115-106) that directs the DOT to disqualify operators of commercial motor vehicles—for life—if they use vehicles to commit a felony involving human trafficking.
The House passed legislation that failed to advance in the Senate that would have reduced the threat of wildfires to electric transmission and distribution facilities.
The resolution (H.R. 1873) would have amended the Federal Land Policy and Management Act of 1976 to ensure that all existing and future rights-of-way established by grant, special use authorization, and easement for electrical transmission and distribution facilities include provisions for utility vegetation management, inspection, and operation and maintenance activities.
The resolution also would have required transmission and distribution facility owners and operators to create a plan for vegetation management that “provides for the long-term, cost-effective, efficient, and timely management of facilities and vegetation within the width of the right-of-way and adjacent federal lands to enhance electricity reliability, promote public safety, and avoid fire hazards.”
Elsewhere in the courts
The U.S. Age Discrimination in Employment Act (ADEA) applies to all public-sector employers regardless of their size, the U.S. Supreme Court ruled. The ADEA prohibits employers from discriminating against employees based on their age, and in its opinion by Associate Justice Ruth Bader Ginsburg, the Court said employers under the law include even public employers with fewer than 20 employees. The ADEA and other relevant laws “...leave scant room for doubt that state and local governments are ‘employer[s]’ covered by the ADEA regardless of their size,” Ginsburg wrote. (Mount Lemmon Fire District v. Guido, U.S. Supreme Court, No. 17-587, 2018)
MPW Industrial Services, Inc., will pay $170,000 to settle a race discrimination lawsuit brought by the U.S. Equal Employment Opportunity Office (EEOC). The suit alleged that MPW subjected two African-American employees to racial harassment, including hangman’s nooses, racial epithets, racist comments and jokes, and a KKK meeting at the worksite. Along with the monetary funds, MPW must train supervisors and managers to spot and prevent racial harassment in the future. (EEOC v. MPW Industrial, U.S. District Court for the Southern District of Ohio, Cincinnati Division, No. 1:18-cv-00063, 2018)
Nursing and healthcare facility Absolut Facilities Management, LLC, will pay $465,000 to settle charges of pregnancy and disability discrimination brought by the EEOC. Absolut “failed to accommodate disabled workers; denied leave as a reasonable accommodation to individuals with disabilities; refused to allow disabled employees to return to work unless they could do so without medical restrictions; and subjected employees to impermissible disability-related inquiries and medical examinations,” according to the EEOC. It also charged that Absolut fired employees based on their pregnancy status and failed to accommodate pregnancy-related medical restrictions. (EEOC v. Absolut Facilities Management, LLC, U.S. District Court for the Western District of New York, No. 1:18-cv-01020, 2018)