Last year proved to be full of unprecedented challenges to the cybersecurity infrastructure of the U.S. economy. Security breaches at Sony Pictures, Target, Apple, JPMorgan, and Home Depot have featured prominently in the news cycle over the past year and highlighted the many risks faced by public companies and their board members. Indeed, the National Association of Corporate Directors has listed cybersecurity as one of the three critical challenges for public company directors in 2015, and not without good reason. Beyond the reputational harm that these breaches may cause, they inflict significant economic costs. The full costs of a breach often extend long beyond the breach itself, as companies like Target and Sony face class action suits in the aftermath of their attacks.
To combat growing cybersecurity threats, the Obama administration and the New York attorney general have recently presented several legislative proposals. Given the bipartisan support for protecting individuals, companies, and government entities against cyber-attacks, new cybersecurity and data privacy legislation in some form appears to have a good chance of passage. We summarize notable recent initiatives here.
The Obama Administration's Proposed Cybersecurity Legislation
On January 12, in a speech at the Federal Trade Commission in Washington, President Obama outlined the new cybersecurity legislation he will propose. The president noted that nearly every state has a unique data breach notification law, making it confusing and costly for companies to notify customers of data breaches. The president plans to introduce a bill, called the Personal Data Notification & Protection Act, that will create a "single, strong national standard" requiring companies to notify consumers within thirty days of a data breach. The president also said that he would introduce legislation to "close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans - even when they do it overseas."
In conjunction with President Obama's January 12 speech and this week's State of the Union address, the White House released three legislative proposals. One proposal would establish a national standard for data breach notification. Business entities that discover security breaches affecting "sensitive personally identifiable information" would have thirty days to notify customers, barring certain exceptions (for instance, notification would be delayed if it would impede a criminal investigation or damage national security). For large-scale data breaches and breaches involving federal government databases or employees, business entities would be required to notify the Department of Homeland Security (DHS). In turn, the DHS would notify appropriate federal agencies. Notably, as proposed, the bill would preempt the incongruent collection of state data breach notification laws.
The administration released a second legislative proposal intended to encourage the private sector to share cyber-threat information with the DHS's National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC could share such information with relevant federal agencies and private-sector organizations (known as Information Sharing and Analysis Organizations). Companies that voluntarily share threat information would receive protection from civil and criminal actions, and the shared information would be shielded from public disclosure or use as evidence in regulatory enforcement actions. This proposed legislation would also preempt state data laws regarding cyber-threat information sharing.
The third legislative proposal would further empower law enforcement to combat cybercrimes. As the White House described in a press release, the legislation
would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.
Additionally, this legislation would allow prosecutors to use the Racketeering Influenced and Corrupt Organizations Act, or RICO, to prosecute cybercrimes. The legislation would also update and clarify several provisions of the Computer Fraud and Abuse Act to expand the government's capacity to target cybercriminals.
During his State of the Union address, President Obama said that his administration is "making sure our government integrates intelligence to combat cyber threats" and urged Congress "to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information." The White House is expected to push forward on the proposed cybersecurity legislation in the coming months.
N.Y. Attorney General's Bill to Strengthen Data Security and Expand Customer Protection
At the same time President Obama is proposing new and uniform federal cybersecurity standards, New York Attorney General Eric T. Schneiderman recently released a proposal that would "overhaul New York State's data security law and require new and unprecedented safeguards for the personal data of consumers."
The attorney general's proposed bill seeks to:
- Expand the definition of "private information" to include both the combination of an email address and password, and the combination of an email address and a security question and answer, as well as to include in the definition pertinent medical information.
- Require entities that collect and/or store private information to have reasonable security measures that include:
  - Administrative safeguards to assess risks, train employees, and maintain safeguards.
  - Technical safeguards to (i) identify risks in their respective network, software, and information processing; (ii) detect, prevent, and respond to attacks; and (iii) regularly test and monitor systems controls and procedures.
  - Physical safeguards, including special disposal procedures, intrusion detection and response measures, and protection of physical areas where information is stored.
  - Certification mechanisms, whereby entities that engage in annual independent third-party audits and certifications that confirm their compliance with New York's reasonable data security requirement receive, during litigation, the benefit of a rebuttable presumption that they have reasonable data security measures.
- Provide a legislative safe harbor - which may include the elimination of liability altogether - as an incentive for a company that implements a heightened level of data security.
- Improve data sharing between the government and private companies by providing protections, in the event of a data breach, for a company's voluntary disclosure of internal forensic reports to law enforcement.
The Consumer Privacy Bill of Rights
The Obama administration has also been working to develop a Consumer Privacy Bill of Rights built around a set of core principles. According to details released by the White House, some of these principles include:
- The right for consumers to decide what personal data companies collect from them and how companies use that data.
- The right for consumers to know that their personal information collected for one purpose cannot then be misused by a company for a different purpose.
- The right for consumers to have their information stored securely by companies that are accountable for its use.
The Student Digital Privacy Act
The Obama administration also released details on a proposed Student Digital Privacy Act. According to a White House statement, the legislation "would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school."
As we begin this new year, companies and their directors should continue to monitor the progress of proposed cybersecurity and data privacy initiatives. The government's focus on cybersecurity risks underscores the importance of businesses establishing clear protocols to give consumers confidence that their data is appropriately protected. It is also critical that companies develop the tools they need to protect against security threats and control reputational and economic damage should a data breach occur.