The National Cybersecurity Protection Act of 2014 (NCPA) was passed by the House on December 8th, by the Senate on December 10th, and signed by the President on December 18th. Senate Committee on Homeland Security and Governmental Affairs Chairman Tom Carper (D-Del.) issued the following statement regarding the NCPA: “Cybersecurity is one of the biggest national security challenges our country faces. Our laws should reflect that reality. By codifying the Department of Homeland Security’s existing cybersecurity operations center, the National Cybersecurity Protection Act of 2014 bolsters our nation’s cybersecurity while providing the department with clear authority to more effectively carry out its mission and partner with private and public entities. It is critical that the department continues to build strong relationships with businesses, state and local governments, and other entities across the country so that we can all be better prepared to stop cyber-attacks and quickly address those intrusions that do occur.”
Codification of the National Cybersecurity and Communications Integrity Center: The NCPA codifies the existing cybersecurity and communications operations center at DHS, known as the National Cybersecurity and Communications Integrity Center (NCCIC). The bill directs the NCCIC to provide a number of services, including sharing information about cybersecurity risks and incidents, and providing technical assistance, risk management support, and incident response capabilities to federal and non-federal entities. The NCCIC is to be composed of representatives of federal civilian and law enforcement agencies, elements of the federal intelligence community, representatives of state and local governments, information sharing and analysis organizations, and owners and operators of critical information systems. The NCPA directs the Secretary of the DHS, within 180 days of its enactment, to submit recommendations to various congressional committees on how to expedite the implementation of information-sharing agreements for cybersecurity purposes between the NCCIC and non-federal entities. The NCPA also imposes reporting obligations on the Secretary of the DHS to various congressional committees regarding NCCIC cybersecurity functions. It directs the Secretary to submit, within one year of the enactment of the NCPA and every year thereafter for three years, an assessment of the NCCIC’s capability to carry out its cybersecurity mission, its personnel composition, and the extent to which it has engaged in information sharing with each critical infrastructure sector. It also directs the Comptroller General of the U.S., within two years of the enactment of the NCPA, to submit a report to various congressional committees on the effectiveness of the NCCIC in carrying out its cybersecurity mission.
Federal agency data breach notification law: Beyond codifying the NCCIC, the NCPA also creates a federal agency data breach notification law. It requires federal agencies to notify individuals affected by a data breach “as expeditiously as practicable and without unreasonable delay” after the agency discovers the unauthorized acquisition or access. This language is similar to that in many of the 47 state data breach notification statutes. The NCPA provides for delayed notification if it would disrupt a law enforcement investigation, endanger national security, or hamper security remediation actions.
The NCPA also provides that federal agencies affected by a data breach must notify certain congressional committees “expeditiously and not later than 30 days” following the discovery of a breach. The notice to congressional committees must include information about how the breach occurred, an estimate of the number of individuals affected and an assessment of the risk of harm to them, a description of any circumstances requiring delay in notification to them, and an estimate of whether and when the agency will notify them. An intelligence agency required to provide notification of a data breach is only required to provide notice to appropriate committees of Congress.
The NCPA requires the Director of the OMB to ensure that federal agency breach notification policies and guidelines are implemented and periodically updated. It also requires the Director of the OMB to assess, on an annual basis during the first two years of implementation, federal agency implementation of the data breach notification policies and guidelines.
Cyber incident response plans: The NCPA directs the Undersecretary of the DHS, in coordination with appropriate federal departments and agencies, state and local governments, critical infrastructure sector coordinating councils, information sharing and analysis organizations, and owners and operators of critical infrastructure, to develop and regularly update, maintain and test cyber incident response plans to address cybersecurity risks to critical infrastructure.