Sony hack spurs bipartisan support of cyber security legislation
A Republican-controlled Congress and a Democratic president with strong concerns on the subject may be the magic formula to finally win passage of cyber security legislation.
The two main focuses of legislation are sharing information and a national data breach notification law. Legislation encouraging firms to share information about cyber threats is more likely, although critical issues such as protecting businesses from liability and balancing privacy and security also must be resolved, experts say.
Despite general agreement about the issue's urgency for the past several years, Congress and President Barack Obama failed to forge a bipartisan compromise on cyber security legislation.
That may have changed, driven in part by publicity over the alleged cyber hijacking of Sony Pictures Entertainment Inc. by agents on behalf of North Korea.
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids,” President Obama said during his State of the Union address last month.
Legislation the administration proposes would codify ways to share information about cyber security between private entities and the government, as well as address notice requirements to people whose personally identifiable information is exposed by security breaches.
Many experts think information-sharing legislation has a better chance of passage in Congress.
They say that industry groups already have made progress on their own by forming “information-sharing and analysis organizations,” such as the Financial Services Information-sharing and Analysis Center. It was launched by the financial services industry in 1999 in response to a presidential directive to share information to protect critical U.S. infrastructure.
“Perhaps ironically, both the president and congressional Republican caucus have come to the same conclusion,” which is the need for a voluntary approach to encourage industry and the government to collaborate, said Larry Clinton, president and CEO of the Arlington, Virginia-based Internet Security Alliance, a trade association that includes multiple industries.
“The No. 1 job for the U.S. Chamber of Commerce this year is to get a good cyber information-sharing bill signed into law,” a goal that is as important to the administration as it is to business, said Matthew J. Eggers, the Washington-based chamber's senior director of its national security and emergency preparedness department.
“A lot of the homework has already been done, so I do think we'll see an information-sharing bill of some sort moving forward ... and I expect the president will sign something,” unless something unusual that has nothing to do with cyber security is added to the bill, said Jamie Barnett, a partner at law firm Venable L.L.P. in Washington.
A critical factor is protecting business against legal liability for sharing such information. A Jan. 27 letter signed by 35 organizations, including big and powerful insurance industry trade groups, that the U.S. Chamber of Commerce sent to members of the Senate calls for a law that provides businesses with “legal certainty that they have safe harbor against frivolous lawsuits.”
“That's a huge, huge issue for companies,” said Kevin Kalinich, Chicago-based global practice leader for cyber risk insurance at Aon Risk Solutions. Providing immunity from liability could push such legislation “over the finish line.”
One of the “thornier” issues still to be resolved is the role of the National Security Agency, said Mark Greisiger, president of Gladwyne, Pennsylvania-based cyber risk management and information security service provider Network Standard Co., which does business as NetDiligence.
“We believe that the cyber security integration effort should be headed by a civilian agency, not the NSA, which is a military agency,” and information received by the civilian agency “should not be automatically shared with the NSA,” Mr. Greisiger said.
“I'm afraid ultimately we have to accept” that the issue of privacy must be compromised “if we want to remain secure,” but civil libertarians do not agree, said Ben Beeson, Washington-based vice president of cyber security and privacy at insurance brokerage Lockton Cos. L.L.C.
“A delicate balance” must be achieved between privacy and security, said Matt McCabe, New York-based senior vice president in Marsh L.L.C.'s cyber and technology practice. “These are not simple questions, and there's a good reason why it's difficult to pass federal laws on this.”
Meanwhile, businesses favor the streamlining that would result from a national law rather than having to deal with the current 47 state standards, even if some states, such as California, continue to have more stringent standards.
During a hearing on data breach legislation last week by the House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade, subcommittee Chairman Michael Burgess, R-Texas, said legislation with bipartisan support is “achievable.”
Those testifying at the hearing included Jennifer Barrett-Glasgow, global privacy officer at Little Rock, Arkansas-based Acxiom Corp., who said the large-scale computer processing services provider strongly supports pre-emptive federal legislation.
“Businesses would gain the benefit of more easily managed and understood compliance obligations, as well as increased regulatory scrutiny,” she said.
However, “the chances are slim to none” of such legislation being approved, said Paul Bond, a partner at Reed Smith L.L.P. in Princeton, New Jersey. The concept has “been pushed year after year by both sides of the aisle,” but “has never gotten anywhere.”
State attorneys general object to the issue being taken out of their hands, observers say.
“They will jealously guard their ability to govern or regulate commerce in their states,” said Robert Parisi, managing director and national cyber risk practice leader at Marsh L.L.C.
However, Francine Friedman, senior policy counsel at Akin Gump Strauss Hauer & Feld L.L.P. in Washington, said that while she believes information-sharing legislation's prospects are better, the working relationship between business and Congress may lead to the successful passage of national data breach notification legislation.