As the first session of the 112th Congress comes to a close and Washington prepares itself for the most expensive Presidential election in history, there is little doubt that 2012 will be a relatively quiet legislative year. There is, however, one area where we expect significant legislative activity: efforts to reform and enhance laws related to cybersecurity.
More than a decade after the Clinton Administration published a policy declaring a “growing potential vulnerability” to a cyber attack, policy makers in Washington finally seem poised to enact legislation that rewrites American law with respect to how industry and the public sector are expected to protect themselves and their customers from a cyber breach, and that redefines the federal government’s role and capability to prevent and prosecute cybersecurity incidents.
Cybersecurity legislation will be on the Senate floor in early February. While we strongly believe that Edwards Wildman has the strongest mix of bipartisan talent to provide you with the greatest advocacy opportunities, we stress that those inclined to hire advocates should do so very soon. Our relevant contact information is at the end of this circular.
The Current State of Cybersecurity Reform in Washington
In May, the Obama Administration submitted to Congress its version of a comprehensive cybersecurity bill (“Obama Administration bill”). At that time, the President said that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” The Obama Administration bill includes a strong data breach notification standard as well as clarified penalties for computer crimes (including mandatory minimum sentences for intrusions into critical infrastructure).
While neither the House nor the Senate has voted on the Obama Administration bill, it is clear that after years of inaction, Congress seems similarly prepared to act. As we reported in our September piece “Cyber Security Legislation and the 112th Congress,” Senate Majority Leader Harry Reid (D-NV) and Minority Leader Mitch McConnell (R-KY) have committed to working together on a comprehensive cybersecurity bill. The original intent of the Senate leaders was for this proposal to be voted on before the end of 2011. While this did not happen, likely because of the intense time dedicated to the work of the Joint Select Committee on Deficit Reduction, Senator Reid sent a letter to Senator McConnell on November 16th in which he wrote that “Given the magnitude of the threat and the gaps in the government’s ability to respond, we cannot afford to delay action… For that reason, it is my intent to bring comprehensive cyber security legislation to the Senate floor for consideration during the first Senate work period next year.”
The House of Representatives is also going to consider cybersecurity legislation in early 2012, though, as we explain in more detail below, the substance of that bill is likely to differ in some respects from the Obama Administration bill and from the legislation likely to be voted upon in the Senate.
Legislation in the House and Senate is likely to take very different tracks en route to a vote in the respective bodies. In the Senate, Democratic control will mean that the legislation considered will closely mirror the Obama Administration bill. In fact, many of the bills that have already been approved at the Committee level in the Senate (and that will likely be included in the comprehensive proposal) incorporate key components of the Obama Administration bill. Such provisions include:
- Implementing a national standard for data breach notification to consumers.
- Requiring the Department of Homeland Security (“DHS”) to issue and enforce regulations implementing cybersecurity requirements for private sector critical infrastructure entities.
In the House of Representatives, Speaker Boehner appointed a 12-member House Republican Cybersecurity Task Force and charged it with developing a series of recommendations from which a House cybersecurity bill would be developed. Though not in the form of a bill or bills, the Task Force released its proposals in October, and the Speaker has stated his hope that the Task Force’s report will be turned into legislative language (“Task Force bill”) to be voted on in early 2012.
While there are areas in which the Task Force bill and the Senate bill will overlap (outlined below), there is also a fundamental difference that must be considered: whereas the Obama Administration bill would impose strict standards on industry, the Task Force bill will focus on voluntary coordination between the government and industry. The Task Force’s proposal includes a set of voluntary cybersecurity standards, set forth by non-regulatory agencies such as the National Institute of Standards and Technology (NIST), geared toward improving private sector security; the creation of tax credits to incentivize industry to invest in network security; and, lastly, urging Congress to “study whether the insurance industry can help play a role in increasing the level of cybersecurity of firms that purchase cyber or data breach insurance.”
Areas of agreement that we expect to become law include:
- The creation of a data breach standard (though the Task Force proposal does not describe the notification standard or procedure).
- Revising the Federal Information Security Management Act of 2002 (“FISMA”): Both the President’s proposal and the Task Force recommend revising FISMA to give DHS increased authority, particularly with regard to continuous monitoring of systems, and to enhance the compliance-enforcement authorities of agency officials responsible for information systems.
- Damage to Critical Infrastructure: Like the President’s proposal, the Task Force proposes criminalizing the damaging of computers associated with critical infrastructure.
In addition to the Task Force bill, another significant development occurred on December 1, 2011, when the House Permanent Select Committee on Intelligence passed legislation regarding data sharing. The bill, the Cyber Intelligence Sharing and Protection Act of 2011, was written by the Committee’s chairman, Mike Rogers (R-MI), and its ranking Democrat, Dutch Ruppersberger (D-MD), and is aimed at encouraging private companies to share information about cyber security threats with the federal government. The information sharing would be completely voluntary, and companies would be exempt from any liability associated with sharing the information with the government. While the bipartisan support in the House for this legislation makes it a strong candidate for inclusion in the Task Force bill, outright opposition from civil liberties groups as well as strong concerns from the White House about the vulnerability of consumers’ private information make it unlikely that this legislation will be included in the Senate bill.
Since the Task Force bill has not been written yet, we expect a House vote in the spring rather than in late January or February. As soon as the Task Force bill is introduced, it will likely be considered in several Committees of jurisdiction, including the House Judiciary Committee and the Permanent Select Committee on Intelligence. While the Senate bill has not been formally introduced yet, the legislation that makes up the components of the bill, such as S. 1151, the Personal Data Privacy and Security Act of 2011, has already been approved by the Senate Judiciary Committee, making quick consideration possible.
Since the Task Force bill and the Senate bill will be different, upon passage of the respective bills, members from each chamber will go into conference, where they will try to resolve the discrepancies between the two bills. Conferences on significant legislation can often take several months to resolve, but we certainly expect a compromise to be reached and legislation to become law in 2012.