UPDATE: Both bills were passed by the House 307 to 116 on April 23 and will now be combined into one bill and moved to the Senate for review.
As the list of corporate data breaches gets longer — from Target and P.F. Chang’s to Home Depot and Sony Pictures — it may seem as if nothing can be done to stop cybersecurity threats and the theft of sensitive consumer information such as payment card and Social Security numbers.
While we may not be able to completely deter hackers from going after our digital data, better understanding the threats — and attacks — they make against large companies is a good first step to slowing down their progress.
Federal lawmakers are getting closer to passing two bills aimed at sharing cyberthreat information among companies and organizations without jeopardizing consumer privacy.
The newest piece of legislation, The National Cybersecurity Protection Advancement Act of 2015, was passed unanimously April 14 by the House Committee on Homeland Security. Now ready for full House review this week, the bill includes a number of privacy and civil liberty protections for consumers and corporations.
This legislation would require that cyberthreat information processed through the National Cybersecurity and Communications Integration Center (NCCIC) — the existing hub for cybersecurity information sharing — cannot be used for law enforcement or intelligence purposes. The goal is to keep as much consumer information as possible out of the hands of any government organization or group that doesn’t need it for an investigation.
The bill would also give greater liability protection to those who share cyberthreat data with the Department of Homeland Security.
“Unfortunately, in the current environment, companies do not feel they have the adequate legal protection to share this vital cyberthreat information with the federal government,” said U.S. Rep. Michael McCaul of Texas, the committee chairman, in remarks introducing the bill. “Industry needs a safe harbor where legal barriers are removed, appropriate privacy protections are in place and companies are incentivized to be a full participant with the NCCIC. This bill … creates that safe harbor by providing liability protection for the voluntary sharing of cyberthreat information with the NCCIC or between private entities.”
If companies are encouraged to report cyberthreat findings, maybe they will also report breaches faster, instead of waiting for evidence while hackers wreak havoc with consumers’ personal information. An overwhelming 86 percent of consumers have already expressed a desire for faster data breach response times, according to the National Consumers League.
In exchange for the liability protections, companies must take steps to safeguard consumers’ information. Companies would be required to remove personally identifiable information — such as consumer email addresses and Social Security numbers — unrelated to a potential breach before passing along the data to the NCCIC.
This means that unless your credit card information or identifying details such as your address, email or phone number are vital to understanding a new incident of cybercrime, your sensitive data points should not escape the reporting company’s database.
Then, before the NCCIC could pass that data along to any other government agencies or private organizations involved, it would have to comb the data again and remove any further pieces of consumer information not relevant to the ongoing investigation.
Republicans and Democrats both expressed strong support for this bill.
Democratic Rep. Bennie Thompson of Mississippi called it a product of “months of bipartisan stakeholder outreach and collaboration,” according to a Federal News Radio report.
The second cybersecurity bill up for review this week — the House of Representatives Intelligence Committee’s Protecting Cyber Networks Act — is similar to the first except cyberthreat information would be sent to a federal government organization run by the Department of Homeland Security, not the NSA or Department of Defense, to further remove sensitive information from unnecessary hands. Threat data would also be scrubbed of sensitive consumer information before being shared.
Again, the fewer times your information transfers hands (or computers, in this case) the fewer opportunities others — good or bad guys — have to collect it.
Under this second bill, private companies would get liability protections from lawsuits as long as they follow the consumer privacy protection guidelines. But again, if they do not follow the bill’s protocols, companies will lose liability protections, according to the House bill summary. If passed, an oversight committee would review the privacy and civil liberty impacts of this bill biannually to ensure the protections are working for everyone, consumers included.
The House is scheduled to take up the bills Wednesday, April 22 and Thursday, April 23. Both are expected to pass, and after the President’s cybersecurity call to action in 2011 that contained many of the same concepts, the bills are likely to be signed into law if they get to his desk.
These federal activities may not solve all the cybersecurity issues the country faces today — or get your stolen credit card numbers back — but they’re a start.