After writing about a study that revealed consumers want more federal government involvement in cybersecurity and data breach resolution, I wanted to learn what, if anything, is happening on the federal government level that addresses these concerns.
As it turns out, there’s been quite a bit of activity on the subject this year, especially in recent weeks. Here are what I found to be the most relevant pieces of cybersecurity legislation making their way around Capitol Hill:
1. Personal Data Privacy and Security Act
For consumers who want more information about a data breach when it happens, this bill would be just what they are looking for.
The Personal Data Privacy and Security Act was originally proposed in 2005 by Vermont Sen. Patrick Leahy, now the Judiciary Committee chairman. It has been introduced several times since, most recently in January, as a response to the increase of mass data breaches affecting the country. This bill would enact a national data breach notification standard for businesses and federal agencies, giving everyone the same 60-day window to notify individuals whose personally identifiable information has been compromised.
Increased penalties for identity theft, online fraud and other violations of data privacy and security are also included in this proposed legislation.
However, it doesn’t look like this bill will be moving along any time soon. Since its proposal in January, it’s been sitting idle in Congress despite the increasing calls for action from citizens and groups such as the Direct Marketing Association.
According to experts, the path for this type of legislation is complicated. There are 47 states currently abiding by their own data breach notification laws, and getting them all to agree to a single standard will take time, said Peter Swire, Future of Privacy Forum senior fellow and a Georgia Tech business professor.
“Each [special-interest] group has different state laws that they like and don’t want to lose anything they have today,” he told Bank Info Security.
2. Cybersecurity Information Sharing Act of 2014
Although this bill doesn’t include a national data breach notification standard, it does promote information transparency.
The Cybersecurity Information Sharing Act of 2014 would encourage transparency between private sector companies and federal agencies to create an information-sharing framework to respond to cybersecurity threats. It would also protect businesses from lawsuits if they voluntarily disclose threat details as a result of trying to help the government or other industry partners address a situation.
Although the bill has gained support from many financial industry groups, some privacy advocates worry that the information sharing between businesses and the government that this legislation would create could further expose sensitive consumer data.
Despite the controversies, CISA passed the Senate Intelligence Committee with a 12-3 vote July 8, moving it closer to a floor debate.
3. National Cybersecurity and Communications Integration Center Act of 2014
Yes, it’s another information-sharing proposal.
This bill would designate an existing center controlled by the Department of Homeland Security as the official hub for federal cybersecurity information distribution.
The current center already acts as a 24/7 communication office for the federal government, intelligence community and other law enforcement bodies, but this legislation would authorize the sharing of information and analysis with citizens and retailers. The act would also provide further incident response and technical assistance to affected parties.
The NCCIC Act of 2014 was introduced June 24 by Senate Homeland Security and Governmental Affairs Committee Chairman Sen. Tom Carper of Delaware and Sen. Tom Coburn of Oklahoma. It was passed by the committee July 1, moving it to the floor for debate.
4. Federal Information Security Modernization Act
This bill would update the existing Federal Information Security Act of 2002, bringing it up to speed with modern technology needs, such as reduced paper communication and a greater emphasis on automated security systems and real-time detection processes.
“Cybersecurity is one of our nation’s biggest challenges,” said Carper in a Senate Homeland Security Committee press release. “That’s why it’s imperative that we face this 21st century threat with a 21st century response.”
FISMA would also clarify who would develop and oversee information security policies at federal agencies to further streamline operations and improve incident response.
It was passed alongside the NCCIC Act by an initial Senate committee on July 1 and awaits further discussion.