Breach Notification , Governance & Risk Management , Incident & Breach Response
Cybersecurity Bills: Latest DevelopmentsInfo-Sharing Bill Advances; Breach Notice Measure Unveiled
The House Intelligence Committee has approved cyberthreat information sharing legislation that its leaders developed, one of four such proposals pending before Congress (see House Panel Offers Cyberthreat Info-Sharing Bill).
Meanwhile, the co-chairman of the House Cybersecurity Caucus, Rep. Jim Langevin, D-R.I., has introduced a national data breach notification bill modeled on language proposed earlier this year by the White House.
The leaders of the House Intelligence Committee recently introduced the cyberthreat information sharing bill known as the Protecting Cyber Networks Act. After incorporating some additional privacy protections proposed by the White House and committee remembers, the bill was unanimously approved by the panel in a closed session on March 26. It now goes to the full House for consideration.
"This bill will help defend U.S. networks against a wide array of cybercriminals who are becoming more active and more threatening every day," committee chairman Devin Nunes, R-Calif., said in a statement after the bill was approved. "It's a bipartisan approach with strong privacy protections that will have a deep impact on this growing problem."
Nunes told reporters that the approved version of the bill included a manager's amendment - a single amendment that contains a number of smaller amendments from several committee members from both sides of the aisle, as well as the White House - aimed at strengthening the bill's privacy protections, The Hill reports.
Committee ranking member Adam Schiff, D-Calif., said in a statement that he's "optimistic about its prospects for passage," especially in light of the bill having been updated to reflect requests from the White House, although he did not identify what those requests or resulting changes were.
Four information-sharing bills are currently pending, including the Senate's Cybersecurity Information Sharing Act. The Senate Intelligence Committee approved CISA in a closed session on March 12 (see Senate Intel Panel OK's Info-Sharing Bill). CISA offers liability protection to businesses that share cyberthreat information with each other, as well as with the government.
Earlier this month, Rep. Mike McCaul, R-Texas, introduced competing draft legislation called the National Cybersecurity Protection Advancement Act, which gives businesses that share such information immunity from related lawsuits, provided they have not committed "willful misconduct or gross negligence." Meanwhile a fourth measure, the Cyber Threat Sharing Act, sponsored by Sen. Tom Carper, D-Del., hews more closely to a White House proposal. It designates the Department of Homeland Security's National Cybersecurity and Communications Integration Center as the key government agency to collaborate with the private sector through information sharing and analysis organizations, known as ISAOs, to share cyberthreat information.
New Data Breach Notification Bill
Beyond its consideration of cyberthreat information-sharing bills, Congress has been increasingly focused on the prospect of passing national data breach notification legislation.
On March 26, Rep. Jim Langevin, D-R.I., introduced the Personal Data Notification and Protection Act of 2015, which is modeled on a January 2015 proposal from the White House. It includes a 30-day notification requirement after an organization discovers a breach. But the U.S. Secret Service or FBI would be able to delay such notifications on national security grounds, or if it would jeopardize related investigations.
"We have seen time and again the vulnerability of companies large and small, and consumers deserve to know as quickly as possible when their personal information has been compromised," Langevin said in a statement.
His bill would apply to any business that maintains records on 10,000 or more people in a 12-month period. Breached businesses would also be required to not only notify consumers whose personal information was exposed, but also media outlets if more than 5,000 records are breached that relate to consumers in a single state. They also would be required to notify credit-reporting agencies for any breach involving 5,000 records or more. The measure would expand the Federal Trade Commission's definition of deceptive acts or practices to include noncompliance with the law.
Organizations would be exempt from breach notifications - though only with the FTC's approval - if they determined that there was no risk that consumers would actually be harmed by the breach.
Rival Breach Notification Bill
Langevin's bill competes with the Data Security and Breach Notification Act of 2015, which the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade approved March 25 (see National Breach Notification Bill Advances). Its provisions include a requirement for organizations to report any breaches that expose personal information, no matter how many records they maintain. Such notifications would not be required within 30 days of the breached organization having concluded a related digital forensics investigation and repaired affected systems. The bill would also require businesses to "implement and maintain reasonable security measures and practices to protect and secure personal information" and supplant any such requirements at the state level.
Some Democratic members of the House subcommittee had attempted to amend the Data Security and Breach Notification Act of 2015 so states could retain stronger breach-protection and notification requirements than the bill proposes. But those amendments were voted down before the subcommittee approved the bill, which now advances to the full Energy and Commerce Committee.
Both pending breach notification bills, if enacted, would usurp the patchwork of breach notification laws now in place across 51 different jurisdictions - 47 states, three territories and Washington, D.C. - in favor of a single federal statute.
Both of the bills would also exempt from compliance organizations that must comply with the Health Insurance Portability and Accountability Act's breach notification requirements.
Proposal: Cyberspace Office
Langevin this week also reintroduced his Executive Cyberspace Coordination Act - first proposed in August 2013 - which would create a new National Office for Cyberspace at the White House to coordinate all government-level cyberspace-related initiatives, as well as review all related budgets.
"A cybersecurity coordinator, freed from other budgetary pressures, would be able to offer independent analysis as to whether departments and agencies are adequately defended," Langevin said in a statement. "Making these smart investments now will save us paying a much higher price later."