Two legislative proposals revived this week by the Obama administration appear certain to reignite old arguments over the role of the federal government in shepherding better cybersecurity protections for Americans.
On Monday, President Obama called for a national data breach notification law to replace the patchwork of state laws that companies have to comply with presently. The new Personal Data Notification and Protection Act would give companies a standard format for making breach announcements and establish a 30-day period from breach discovery for them to notify affected customers about a breach.
Then on Tuesday, the administration announced plans to revive a controversial 2011 cybersecurity bill that is designed to encourage the private sector to share threat and vulnerability information. The bill would give legal protections to companies that disclose threat intelligence to the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which in turn would provide the data in real time to the National Security Agency and other federal agencies.
Obama is expected to flesh out the details of these proposals in his State of the Union address next Tuesday. They appear to be part of a broader effort to show the government is responsive to concerns raised by the Sony hack and other high-profile attacks on private companies and government agencies in recent months.
Both cybersecurity measures have been aired previously – and both failed to gain support in Congress. This time around, even with the renewed focus on greater information security, there's little to indicate that former opponents are any more amenable to those proposals.
When the administration last proposed the intelligence-sharing bill in July 2014, in the form of the Cyber Security Information Sharing Act of 2014 (CISA), critics lambasted the bill for posing a threat to privacy.
The information-sharing act is designed to make it easier for organizations to receive, use, and share information on threats to their networks and data. Security analysts have long maintained that sharing information such as malicious Internet protocol addresses, malware signatures, and other threat indicators is critical in helping organizations, and industry as a whole, to detect, respond to, and mitigate cyber threats.
But the component in the bill that authorizes real-time threat information sharing between the private sector, the DHS, and the National Security Agency has riled privacy advocates. Though proponents of information sharing insist that only anonymized, threat-specific data will be shared, many remain unconvinced.
Influential groups such as the Electronic Frontier Foundation and the Center for Democracy and Technology described it as a measure that would allow the government to snoop on private citizens under the pretext of privacy while giving companies that share such information overly broad protection. The Center for Democracy and Technology has described it as a program that would create a “back door wiretap” by authorizing use of cyberthreat information for other law enforcement purposes.
It remains unclear what measures the government has taken to address those concerns. But the fact remains that there really isn’t as much of a need for the bill in the first place, says John Pescatore, director of emerging security threats at the SANS Institute, an information security research and training firm.
“There is a lot of information sharing going on already across industries,” says Mr. Pescatore. “I can’t actually think of any major breach where the root cause was [a lack of] information sharing.”
He is similarly not sold on any benefits the government will gain from gathering threat intelligence data from private companies. “I’ve never actually seen a reason why private industry sending vulnerability, threat, or incident information to the government will increase security."
Meanwhile, other critics see a federal breach notification standard as a nice-to-have but not entirely needed piece of legislation, particularly at a time when the focus needs to be on data breach protection and mitigation. In fact, there is some concern that a federal law will only serve to weaken existing consumer privacy protections rather than strengthen them.
Forty-seven states already have a data breach notification law. Some laws, such as those in California and Massachusetts, are stricter than laws in other states. Some require companies to notify the state attorney general of a data breach in addition to notifying affected customers. Other laws have no such requirement.
A single national law that replaces the multitude of such state regulations could yield some standardization benefits. But the only way a federal law would be really meaningful is if it hewed to the strongest state notification requirements out there, not the weaker ones, says Ken Dort, partner with the Drinker Biddle &amp; Reath LLP law firm in Chicago.
A federal law that does not require companies to report a data breach to the state attorney general, for instance, would completely gut notification laws in states where such a requirement currently exists, says Mr. Dort. At the same time, any law that would impose additional reporting requirements on breached entities is almost sure to be opposed by a business-friendly Republican Congress.
“If it is just about breach notification, a uniform standard isn’t really critical,” says Dort, whose firm has helped several companies draft multistate breach notification letters over the years.
“Most of the state requirements on notices are relatively within eyeshot of each other,” he says. For instance, he says, the majority of states have more or less the same definition of a breach, of what constitutes personally identifiable information, and of how to send out notices.
Many companies will draft breach letters that meet the highest breach notification standards, says Dort. The patchwork of state laws that exists presently “has really not been an impediment to compliance for most companies."
A poorly crafted federal breach notification law or a consumer privacy bill of rights could also complicate enforcement processes against companies that violate data privacy and notification rules, says Lee Tien, staff attorney with the Electronic Frontier Foundation in San Francisco.
For instance, if a state attorney general had to cede authority to the Federal Trade Commission on an enforcement action, that could limit a state’s ability to go after wrongdoers.
“The question is whether you are preempting a state law to create uniformity,” says Tien, “or whether you are preempting to lower the standard.”