Washington Update: Likelihood of Cybersecurity Legislation Has Improved Against Backdrop of Increased Regulatory Activity
For several years, policy makers have been debating legislation and regulation to address concern over cybersecurity and data security threats to businesses, consumers, and government. While past Congressional initiatives on this front have foundered, the new Congress seems poised to move, and the President has recently made a push for action. Forward momentum for research and development legislation is building, and there is increased support for some form of information-sharing legislation. In addition, proponents of a federal data breach notification law see opportunities to streamline companies' obligations after cyberattacks like those against Sony, Target, and others.
In the meantime, federal agencies are looking at cybersecurity risk across industry segments, as they utilize and promote the Cybersecurity Framework released last year by the National Institute of Standards and Technology (NIST).
The private sector should watch all of these moving parts, which could present challenges and opportunities in 2015.
Momentum Grows for Information-Sharing and Data Breach Legislation
Private industry has advocated for improvements in law to facilitate better information-sharing about cybersecurity threats and responses. Proponents argue that decreasing the risks associated with private sector information-sharing will speed up situational awareness and improve the nation's cybersecurity posture without prescriptive regulation. In past Congresses, the House of Representatives has passed legislation to promote private sector information-sharing. This legislation has never passed the Senate, however, due in part to privacy concerns about what information would be shared, with whom, and for what purposes.
Relatedly, when a breach or attack occurs, companies currently struggle with a patchwork of varied state laws governing required post-breach actions, including providing notice to consumers. Industry and some observers have long called for federal legislation to create one uniform standard nationwide.
Momentum is building for legislation in these areas. President Obama featured cyber issues prominently in his State of the Union address, and has sent several bills on information sharing and data breach issues to Congress. His proposals would encourage companies to share cyber threat information with the Department of Homeland Security, which would then disseminate it to relevant agencies and private Information Sharing and Analysis Organizations (ISAOs). He offers liability protections and calls on the Privacy and Civil Liberties Oversight Board to develop guidelines for government handling of shared information. Separately, he proposes modernizing law enforcement authorities to disrupt attacks and empower prosecution of attackers, by clarifying and extending existing federal computer crime laws. Additionally, he offers a single uniform approach to notifying employees and consumers in the event of a security breach.
Debate continues over the adequacy of privacy and liability protections in the President's bills and other proposals, but there appears to be growing consensus toward some action on these issues.
Meanwhile, Increased Federal Regulatory Activity Continues
Several federal agencies have been working on cybersecurity, including implementation of the President's February 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Prominent among these efforts is agency review of the Cybersecurity Framework developed by NIST last year, which lays out a voluntary risk management approach that the government hopes critical infrastructure owners and operators, and others in the private sector, will adopt.
Agencies from the FDA to the FCC are looking at how the industries they regulate are addressing cybersecurity risks, including their use of the Cybersecurity Framework. New or increased regulation and oversight aimed at encouraging such use are possible. For example, regulatory agencies are seeking updates and information about sectors' use of the Framework and other tools. The Department of Defense and other procurement offices are examining how to include better cybersecurity and privacy protections and obligations in procurement efforts and oversight. NIST is examining privacy engineering and other best practices that industry may use. In parallel with all these activities, the Federal Trade Commission is aggressively policing security and data privacy using novel legal theories, and is expected to continue aggressive oversight of the private sector.
Businesses of all sizes should be evaluating these developments, and their own approaches to security and privacy.