In the State of the Union address in January 2015, President Obama declared cybersecurity as a priority for the US Government and noted that the legislature would take a more active role in this arena to ensure prevention and mitigation of future cyber-attacks in the US. The US's concerns regarding cybersecurity have been encapsulated in President Obama's Executive Orders over the last few years, which have provided a fundamental basis for the growth of cybersecurity in the US.
Specifically, the orders include:
- the development of a framework for cybersecurity. This resulted in the development of the National Institute of Standards and Technology (NIST) Cybersecurity Framework in 2014; and
- the promotion of a cybersecurity information sharing system. This in turn has resulted in the drafting of a Bill known as the Cyber Information Sharing Act (the Bill).
The Bill seeks to reduce the threat and impact of cyber-attacks on the US's economic health and overall national security by allowing private sector companies to disclose to the US Government the types of cyber-attacks they face, the methods used to prevent such attacks and the methods used to mitigate the effect of such attacks. Such information will allow the US Government to assess current measures and develop recommendations.
The Bill comes with controversy as the invasive nature of the powers granted under the Bill (ironically, to protect consumers) heavily restricts the consumer protection afforded under US privacy laws and rights of recovery under consumer law. This is evident in the following ways:
- The information obtained under the Bill can be used by any or all Federal Government sectors (however, only for the purpose of cybersecurity);
- Companies that disclose information under the Bill are exempt from disclosure requirements under the Freedom of Information Act;
- Companies that disclose information under the Bill enjoy immunity from fines/penalties imposed by US privacy laws and US antitrust (competition) laws;
- The Bill requires information regarding cyber-attacks to be shared in 'real-time'. Therefore, there is a real concern that the personal data of customers may not be adequately removed from the information provided to the US Government. This in turn will allow the government to access the private information of customers of the private companies (such as bank account details, credit card history, etc), thereby allowing the government to investigate people of interest. These concerns have also been voiced by the US's Department of Homeland Security.
The Bill will likely be tabled at the US Senate's September session.
The outcome of the session will be important to both the Australian Government and the Australian private sector because the Australian Government has been mirroring the US's position on cybersecurity. This is evident through ASIC Report 429: Cyber Resilience, which recommends:
- that ASIC's regulated population consider adopting the NIST Cybersecurity Framework; and
- the likely introduction of mandatory data breach notification laws later this year/early 2016.
As the Australian Government firms up its position on cybersecurity laws, cyber-liability insurance policies will become increasingly important in the Australian insurance market, and it is expected that more businesses will take out such policies to obtain protection against the costs of complying with legislative requirements such as notification obligations.