This past year, in the wake of multiple consumer data breaches and growing concerns regarding national security-related cyber threats, there has been a significant increase in congressional oversight activity directed toward federal government agencies and private sector industries.   When the 116th Congress convenes in January, the primary House and Senate committees of jurisdiction are expected to maintain a strong focus on these issues from both investigative and legislative standpoints. 

In the Democratic-controlled House of Representatives, key oversight committee leaders, including Judiciary Committee Ranking Member Jerrold Nadler (D-NY), Oversight and Government Reform (“OGR”) Committee Ranking Member Elijah Cummings (D-MD) and Energy & Commerce (“E&C”) Committee Ranking Member Frank Pallone (D-NJ) have made it clear that they plan to focus their investigative and oversight efforts first and foremost on President Trump’s Administration.  In a post-election media interview, Rep. Cummings stated: “The waste, fraud, and abuse is plain to see, and the most important thing for the Oversight Committee to do is to use its authority to obtain documents and witnesses, and actually hold the Trump administration accountable to the American people.”  In addition to enjoying broad jurisdiction and significant investigative resources, these committee leaders will have subpoena authority to compel the production of documents and witness testimony. 

On November 15, in a letter to Acting Attorney General Matthew Whitaker, FBI Director Christopher Wray and DHS Secretary Kirstjen Nielsen, incoming House Judiciary Committee Chairman Nadler announced his intention to “examine existing vulnerabilities in our election infrastructure, the threats posed to that infrastructure by foreign actors, and any systemic impediments to our voting rights,” and requested that the FBI and DHS provide responses to “unanswered” written requests from Committee Members.  Incoming OGR Committee Chairman Cummings has also publicly stated his intention to pursue multiple federal agency inquiries next year and published a list of 64 subpoena motions denied by the Committee during the last Congress. While Democratic oversight committee chairs will certainly target federal agencies’ cybersecurity infrastructure and data privacy protection initiatives, private sector actors could also be the subject of additional investigative inquiries. In response to media reports regarding Facebook’s December 14 announcement of a bug that allowed access to private photos, incoming House Energy and Commerce Committee Chairman Pallone tweeted: “How many more times is Facebook going to compromise its users’ privacy?  I’ll be taking a closer look at this failure, along with the many other issues, in the next Congress.” 

On the Senate side, oversight committees of jurisdiction, including the Committees on Commerce, Finance, and the Judiciary, are also likely to remain active in scrutinizing both federal government agencies and private sector actors on cybersecurity and data privacy issues.  Most recently, in response to Marriott’s November 30 cybersecurity incident announcement, Senate Commerce, Science, and Transportation Committee leaders sent a letter to CEO Arne Sorenson requesting detailed information regarding the incident, and at a recent hearing on Federal Trade Commission (“FTC”) oversight, Subcommittee leaders questioned FTC Commissioners on the status of investigations regarding certain companies’ data privacy and security practices.  Incoming Senate Finance Committee Chairman Charles Grassley (R-IA) is well-known for his in-depth and aggressive oversight of federal agencies, particularly with respect to the Food and Drug Administration (“FDA”), and he has also been very active on legislative and regulatory policy issues concerning foreign cybersecurity threats and intellectual property espionage. Recently, he wrote to FDA Commissioner Scott Gottlieb requesting information on FDA’s efforts to address medical device cybersecurity threats and highlighting concerns raised in a November 1 HHS Office of Inspector General report that found: “FDA’s efforts to address medical device cybersecurity vulnerabilities were susceptible to inefficiencies, unintentional delays, and potentially insufficient analysis.” Sen. Lindsey Graham (R-SC), who will be replacing Grassley as Chairman of the Judiciary Committee, has been an outspoken advocate for legislation to address cyber threats to U.S. infrastructure and recently stated that he would push for “aggressive oversight of the Department of Justice and FBI” as Chairman. 

While these committee leaders will no doubt be faced with competing investigative and legislative priorities in January, recent developments would indicate that cybersecurity and data privacy will feature prominently on committees’ oversight agendas.