Recently announced high-profile data breaches have galvanized Senate and House Members to conduct hearings and propose new legislation that, if passed, could increase federal cybersecurity oversight in the private sector. Meanwhile, the White House, pursuant to Executive Order 13636, is releasing the Cybersecurity Framework this week, on February 12, 2014, to provide companies with voluntary cyber-best practices. Highlights to keep on your radar include:
Mandatory Information-Sharing Back on the Table
There is renewed momentum in Congress for legislation requiring the private sector to share data breach information with the federal government for intelligence purposes. At a recent Senate Intelligence Committee hearing, both the Director of National Intelligence and the FBI Director emphasized the need for civilian sector involvement in breach investigations. The White House is also prioritizing information-sharing initiatives. If Congress fails to act, another Executive Order may be on the horizon to promote the sharing of data between companies and the federal government.
Consensus is Growing for More Federal Government Authority to Impose Cyber-Fines
At a recent hearing before the Senate Banking Committee’s National Security and International Trade and Finance Subcommittee, the FTC Consumer Protection Bureau expressed specific support for legislation requiring companies to meet data security standards and giving the FTC authority to fine companies that do not comply. In the same week, two U.S. Senators introduced legislation to impose stiff fines for companies that fail to implement adequate cyber-safeguards.
What Does This Mean to You?
As of now, no agreement has been reached on the many proposals. However, given all of the attention being paid to data security, it is essential to take steps to protect your organization’s data. Here are some practical steps you should take now to mitigate your legal and operational cyber-risks:
- Make sure you have an up-to-date data breach “response plan”;
- Assemble a team of internal (enterprise-wide) and external (legal, law enforcement, forensics) stakeholders to assist in the company’s response;
- Know the federal, state, international, and contractual obligations triggered upon a breach;
- Have template disclosure documents ready to send when and if necessary;
- Make sure that your website and other publicly available information are consistent and reflect accurate data privacy information;
- Regularly communicate with your Board of Directors and C-Suite to inform them of cyber-risks and compliance programs;
- Identify data that may be helpful intelligence for a breach investigation and have a report ready to generate for law enforcement that includes only the necessary data.