Cybersecurity legislation requires consolidation
In January’s State of the Union address, President Barack Obama called for cyber information sharing legislation. Lawmakers must have listened, because in the first three months of 2015, 14 bills related to cybersecurity were introduced. So far, two have passed the House.
Sounds good, right? Except that the legislation is all over the map. As many as 46 states have enacted data breach notification laws; at least seven states have laws regarding data security standards; and, at the federal level, there are at least five major cybersecurity regulations, including HIPAA, HITECH, GLBA, FISMA, and FERPA. In addition, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the Federal Trade Commission’s Red Flags Rule also have elements of cybersecurity.
Our own Michigan Representative John Conyers Jr. even got into the act. In January, he introduced the Cyber Privacy Fortification Act. This bill, still under review by the congressional committee, requires that anyone aware of a data breach must notify the U.S. Secret Service or the FBI. Responsible individuals who fail to provide breach notices face criminal penalties of up to one million dollars and five years in prison. It will be interesting to see whether it comes to fruition.
And then there’s the Protecting Cyber Networks Act (PCNA), passed by the House on April 24. It provides a process for the private and public sectors to voluntarily share cyber threat data and to obtain liability protection. Fearing litigation, the private sector has been cautious about sharing data with government agencies. This new bill not only provides liability protection for participating companies but goes further: with authorization and written consent, it allows companies to monitor and deploy defensive measures, for cybersecurity purposes, on systems belonging to others, such as customers. But does this also allow government agencies to monitor company networks with authorization and written consent?
Some civil liberty groups worry this could increase the federal government’s access to personal information that, in the past, was protected by the Electronic Communications Privacy Act (or the Wiretap Act). Under PCNA, companies and government agencies will be required to remove any personal information that’s not related to the threat and can be held liable for failing to do so. The bill also establishes a Cyber Threat Integration Center to consolidate cyber threat information. The center will analyze and share the data with other government agencies.
The very next day, the House passed the National Cybersecurity Protection Advancement Act (NCPAA) for the private sector to share cyber threat data with the Department of Homeland Security. This bill will authorize the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) to collect the information provided by companies. It also enables the setup of a National Cybersecurity Preparedness Consortium to provide training and technical assistance to government cybersecurity personnel. A standard agreement will be available on the NCCIC website that companies can use. This bill also requires NCCIC to redact personal information that’s not relevant to the cyber threat.
The key difference between these two bills is that the NCPAA only authorizes collaboration with the Department of Homeland Security, while PCNA allows collaboration with a number of other government agencies, including the Department of Justice, the Department of Commerce, the Department of the Treasury, the Office of the Director of National Intelligence, and the Department of Energy. Although President Obama offered support for both bills, he also expressed reservations on liability protections.
While the information sharing bills are necessary to fight today’s cybersecurity threats, we need to simplify the multiple federal and state laws. With each new bill introduced, it becomes harder for companies to understand and follow the various federal and state regulations. Fewer, consolidated laws are the way to go.