On January 13, 2015, the Obama Administration presented to Congress an updated legislative proposal to improve American cybersecurity and data privacy protection. The proposal was presented in the wake of "[t]he dramatic increase in cyber intrusions and the recent destructive and coercive attack on Sony Pictures Entertainment." As an update to the Administration's 2011 cybersecurity legislative proposals, which we discussed in our previous post, the 2015 proposals refocus efforts to encourage Congress to pass data privacy and cybersecurity reforms to increase information sharing and streamline data breach notification laws. Namely, the proposals seek to: (1) enhance cybersecurity threat information sharing within the private sector and with the Federal Government; (2) establish a single standard to protect individuals by requiring businesses to notify them if their personal information is compromised; and (3) strengthen the ability of law enforcement to investigate and prosecute cybercrimes.
Enabling Cybersecurity Information Sharing
The Administration's proposal seeks to enable cybersecurity information sharing within the private sector and between private and government entities. To protect information systems and allow for more efficient responses to attacks, the proposal encourages private sector entities to share cyber threat information with the Department of Homeland Security's National Cybersecurity and Communications Integration Center ("NCCIC"). Those who disclose or receive cyber threat information pursuant to the information sharing proposal would be required to take reasonable efforts to minimize the disclosure of information that identifies specific persons or that is reasonably believed to be unrelated to the threat, and to safeguard such information from unauthorized access or disclosure. The proposal also provides for the creation and operation of private-sector Information Sharing and Analysis Organizations ("ISAOs") to facilitate the sharing of cyber threat information. Section 106 of the proposal on information sharing further provides targeted, limited liability protection for those entities disclosing or receiving cyber threat information in accordance with the terms of the proposal.
Law Enforcement Provisions
The Administration's Law Enforcement Provisions proposal seeks to introduce new penalties for cyber criminals and make more statutory mechanisms available for prosecution. The proposal would allow the Attorney General to prosecute and enjoin the use of botnets, and proposes enhancing law enforcement authority and penalties related to the sale of spyware used for cyber theft. Notably, the proposal would add offenses committed in violation of the Computer Fraud and Abuse Act ("CFAA") to the list of racketeering activities in the Racketeer Influenced and Corrupt Organizations Act ("RICO"), which would allow RICO to be used to prosecute cybercrimes. Further, the proposal would modify provisions of the CFAA to purportedly clarify the scope of conduct that would violate the statute and exclude certain violations based on exceeding the scope of authorized access to a computer. The proposed amendments would also enhance the potential penalties for CFAA violations in the hope of providing more of a deterrent effect. As discussed in previous postings, the CFAA is a statute that has been scrutinized frequently in recent years with respect to its scope and inconsistent application, and we would therefore expect a significant amount of debate concerning its amendment. The Administration's proposed Personal Data Breach Notification & Protection Act, discussed below, also provides for the criminalization of trafficking in certain stolen U.S. financial information outside of the U.S.
National Data Breach Reporting
In the proposed Personal Data Breach Notification & Protection Act, the Administration also updated what it proposed in the 2011 Personal Data Privacy and Security Act in an effort to streamline the existing patchwork of state laws that contain security breach reporting requirements into one federal statute. The proposal would apply to all "sensitive personally identifiable information," which is broadly defined and includes items such as unique biometric data "or any other unique physical representation." The proposal would require companies that use sensitive personally identifiable information about more than 10,000 individuals during any twelve-month period to notify, within thirty days, any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired in connection with a security breach, unless there is no reasonable risk of harm or fraud to such individual. The Administration's proposal also sets forth requirements for proper notice methods, the content of notices, and limited exemptions from the notice requirements. Compliance with the requirements of the proposed data breach reporting provisions would be enforced by the Federal Trade Commission (FTC), in consultation with the Federal Communications Commission (FCC) and the Attorney General, as well as State Attorneys General, where appropriate. The proposal, if introduced and adopted as legislation, would pre-empt similar state laws and provide some national uniformity concerning this issue.
In the wake of the recent cyber-attack on Sony Pictures Entertainment, the protection of private and business information has come to the forefront of American security concerns. We can therefore expect an evolution in legislation and domestic policy within the near future. Companies should pay close attention to these developments, as they may have widespread and significant impact on commercial practices going forward. While prior federal legislative efforts in this area have failed to result in the passage of new laws, the current national debate seems to demand that something be done. It will be interesting to see which portions of these proposals are introduced and passed into law. If nothing else, these latest proposals are a reminder that now is a good time for companies to assess their cybersecurity protection and to test what they would do in the event of a data security breach.