"[I]f we don’t put in place the kind of architecture that can prevent these attacks from taking place, this is not just going to be affecting movies, this is going to be affecting our entire economy in ways that are extraordinarily significant.”
– President Obama, December 19, 2014
If you watched President Obama’s State of the Union Address on January 20, you know that passing comprehensive cybersecurity legislation will be a central focus during his final two years in office. The President actually previewed his core legislative proposals in this area about a week before the nationwide address, to lay the groundwork for his cybersecurity agenda.
The administration is advocating passage of two primary pieces of legislation: one aims to allow more information sharing between private companies and government agencies about cyber threats and the other lays out new federal notification requirements in the wake of cybersecurity breaches. Much debate is yet to be had, and there is no way of knowing what provisions will be included in final bills. But President Obama is intent on leaving his mark as an architect of cybersecurity law in the digital age.
Cybersecurity Information Sharing Legislation
The first proposal has the stated purpose of codifying mechanisms for information sharing between private entities and the government about cybersecurity and specific cyber threats. An administration press release stated: “The proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security . . . which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) by providing targeted liability protection for companies that share information with these entities.”
One of the key aspects of this proposed legislation is that it would allow authorized private entities to disclose “lawfully obtained” cyber threat indicators to both ISAOs and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), as long as their purpose is to protect information, identify or mitigate threats, or report a crime. Private entities would have to use reasonable efforts to minimize use of personal identifiers or information that is unrelated to threats. At the moment, the waters are somewhat murky as to whether private entities can or should share such information.
In addition to making it legal for the first time for private entities to share cybersecurity information with the federal government under certain conditions, the proposal also contains guidelines for limiting liability, FOIA protections, and requirements for privacy protections.
Personal Data Notification & Protection Act
The second proposal addresses notice requirements to individuals affected by security breaches involving “sensitive personally identifiable information.” According to the White House, “The Administration’s updated proposal helps business and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and puts in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.”
The proposal would require covered business entities to provide reasonable notice to those affected by a breach in 30 days or less. Like many similar state laws, the proposal addresses the content and methods of notice, as well as different requirements depending on the scope of persons affected. There are additional notice requirements to credit reporting agencies and law enforcement, and the proposal explains that the Federal Trade Commission (FTC) will supervise compliance.
While the President clearly sees the need for a federal notification system, it is not clear how the states will respond to the idea of federal preemption in this area. In particular, some states may take exception to the idea that the FTC will be in charge of notification enforcement. Of course, state attorneys general can also enforce the proposed terms, if there is reason to believe that residents have been threatened or will be adversely affected by noncompliance.
In addition to the proposed legislative changes, the White House will hold a Summit on Cybersecurity and Consumer Protection at Stanford University on February 13th. Attendees will include leaders in financial services, technology and communications, computer security, and law enforcement. They will be asked to share information and help shape public and private sector efforts to protect American consumers and companies from growing threats to digital networks.