BreachExchange mailing list archives

Cybersecurity legislation requires consolidation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Jun 2015 20:06:13 -0600

http://www.crainsdetroit.com/article/20150618/BLOG109/150619855/cybersecurity-legislation-requires-consolidation

In January’s State of the Union address, President Barack Obama called for
cyber information sharing legislation. Lawmakers must have listened,
because in the first three months of 2015, 14 bills related to
cybersecurity were introduced. So far, two have passed the House.

Sounds good, right? Except that the legislation is all over the map. As
many as 46 states have enacted data breach notification laws; at least
seven states have laws regarding data security standards; and, at the
federal level, there are at least five major cybersecurity regulations,
including HIPAA, HITECH, GLBA, FISMA and FERPA. In addition, the Fair
Credit Reporting Act, the Children’s Online Privacy Protection Act and the
Federal Trade Commission’s Red Flags Rule also have elements of
cybersecurity.

Our own Michigan Rep. John Conyers Jr. even got into the act. In January,
he introduced the Cyber Privacy Fortification Act. This bill, still under
review by the congressional committee, requires that anyone aware of a data
breach must notify the U.S. Secret Service or FBI. Responsible individuals
are at risk of criminal penalties of up to $1 million and five years in
prison for failure to provide breach notices. It will be interesting to see
whether or not it comes to fruition.

And then there’s the Protecting Cyber Networks Act (PCNA), passed by the
House on April 24. It provides a process for private and public sectors to
voluntarily share cyber threat data and obtain liability protection.
Fearing litigation, the private sector has been cautious about sharing data
with government agencies. This new bill not only provides liability
protection for participating companies but goes further to allow companies
to monitor and deploy defensive measures on systems belonging to others,
such as customers with authorization and written consent who use systems
for cybersecurity purposes. But does this allow government agencies to
monitor company networks with authorization and written consent?

Some civil liberty groups worry this could increase the federal
government’s access to personal information that, in the past, was
protected by the Electronic Communications Privacy Act (or the Wiretap
Act). Under PCNA, companies and government agencies will be required to
remove any personal information that’s not related to the threat and can be
held liable for failing to do so. The bill also establishes a Cyber Threat
Integration Center to consolidate cyber threat information. The center will
analyze and share the data with other government agencies.

The very next day, the House passed the National Cybersecurity Protection
Advancement Act (NCPAA) for the private sector to share cyber threat data
with the Department of Homeland Security. This bill will authorize the
Department of Homeland Security’s National Cybersecurity and Communications
Integration Center (NCCIC) to collect the information provided by
companies. It also enables the setup of a National Cybersecurity
Preparedness Consortium to provide training and technical assistance to
government cybersecurity personnel. A standard agreement will be available
on the NCCIC website that companies can use. This bill also requires NCCIC
to redact personal information that’s not relevant to the cyber threat.

The key difference between these two bills is that the NCPAA only
authorizes collaboration with the Department of Homeland Security, while
PCNA allows collaboration with a number of other government agencies,
including the Department of Justice, the Department of Commerce, the
Department of the Treasury, the Office of the Director of National
Intelligence, and the Department of Energy. Although President Obama
offered support for both bills, he also expressed reservations on liability
protections.

While the information sharing bills are necessary to fight today’s
cybersecurity threats, we need to simplify the multiple federal and state
laws. As we introduce new bills, it will be difficult for companies to
understand and follow the various federal and state regulations. Fewer,
consolidated laws are the way to go.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
