Federal cyber security legislation possible in 2015
This looks like the year some form of cyber security legislation will finally win congressional approval and be signed into law, according to Washington observers.
But the questions remain: What will a law look like? And how effective will it be? Opinion is sharply divided among cyber security legal experts and others.
Two issues dominate the cyber security debate. One is how to encourage private entities to share information about cyber threats and responses without incurring liability and without endangering privacy. The other is how to bring some sort of uniformity to the reporting of cyber breaches.
By large bipartisan margins, the House has passed two bills dealing with information sharing. The National Cybersecurity Protection Act, H.R. 1731, and the Protecting Cyber Networks Act, H.R. 1560, would, among other things, give private entities a certain amount of protection from liability that might arise while sharing information.
Both have gone to the Senate, where another bill dealing with information sharing, the Cybersecurity Information Sharing Act, S. 754, was introduced this year. Several other pieces of legislation touching on cyber security have been introduced in both chambers as well.
“We expect the Senate will pass a cyber security bill, the House and Senate bills will be reconciled, and the final bill will be signed into law this year,” said a spokesman for the House Intelligence Committee.
For its part, the Risk & Insurance Management Society Inc. is particularly interested in uniform cyber threat reporting standards.
“The key to cyber legislation is uniformity, particularly as it relates to laws governing notifications following a data breach,” Nathan Bacchus, senior government affairs manager for the New York-based risk management professional organization, said in an email.
“There are currently 47 different state laws governing how notifications must be carried out,” he said. “RIMS' hope is that Congress can enact a federal standard that would increase efficiency for any organization (that) experiences such a breach, while also ensuring that those affected are properly informed and notified. RIMS board of directors will continue to review and make recommendations to better protect organizations and the public against cyber threats.”
A series of high-profile cyber breaches at such well-known businesses as retailers Target Corp. and The Home Depot Inc. as well as health insurer Anthem Inc. focused public and congressional attention on the need for companies and the government to bolster cyber defenses, one of which is sharing information about cyber attacks and responses.
“We are very supportive of the idea of information sharing, and we would very much like to see a voluntary real time cyber threat information sharing bill passed with meaningful liability protections,” said Angela Gleason, associate counsel of the Washington-based American Insurance Association, which is working with the Protecting America's Cyber Networks Coalition to ensure a bill passes this session. “Cyber information sharing will allow us to strengthen our nation's resiliency against cyber-attacks and allows us to come together against a common bad actor.”
Ben Beeson, vice president for cyber security and privacy with Lockton Cos. L.L.C. in Washington, also is optimistic about legislative action.
“Ultimately all three bills are trying to achieve the same end, with some nuances. In some shape or form, there is going to be cyber security legislation in 2015,” said Mr. Beeson.
Prominent cyber security attorney Howard Waltzman, a partner at Mayer Brown in Washington, agrees, pointing to the overwhelming majority by which both House bills passed. He added that the official statement of administration policy “was a little critical, but compared to the last Congress, it was materially better and more positive about the legislation to get to the point where the president will sign it.”
Though the White House supported passage of the House bills, it called for amendments to rein in the scope of liability protections granted businesses.
“I'm sure there will be amendments; I feel very good about the fact that the Senate will pass it,” Mr. Waltzman said. He noted that Senate Majority Leader Sen. Mitch McConnell, R-Ky., has made cyber security a priority. Sen. McConnell said in April that he hoped to bring cyber security legislation to the floor for debate in “the near future.”
Michael R. Overly, a partner at Foley & Lardner L.L.P. in Los Angeles, acknowledged that pressure on lawmakers “to give the illusion of some progress in this area” would get something passed but he's not sure about what. “Let's be honest, this particular Congress has not been a house afire with passing substantive useful legislation.”
He said that the idea of information sharing is well entrenched in the information security industry. But “the information you share could be used by the government to prosecute you for matters unrelated to cyber security,” thus creating liability for a company.
“What is new is that a certain level of liability protection will be included in the final law,” said Mr. Overly. There also are the risks inherent in information sharing. “Whenever you share information about your information security measures someone could use that information to gain access to your company,” he said.
Erin F. Fonté, a member of law firm Dykema Cox Smith in Austin, Texas, notes that the outlooks for information-sharing legislation and uniform reporting standards legislation are not the same.
“If we do get something, I think the odds are the cyber security sharing component is probably what will pass,” she said. “The baseline issue is how bad is the problem?” she asked. The federal government can understand the scope only if threats are accurately reported, she said.
Besides, a national data breach notification law, favored by businesses that operate nationally, could run into problems, she said.
State attorneys general and the states themselves like the ability to highlight the issue and do the enforcement because they like to be seen as protecting consumers, she said. “I think there's a bit of territorial issue,” with states asking whether the federal standard will offer as potent protection against cyber threats. “You have a lot of competing interests at play.”