In 2011, President Obama issued the Cybersecurity Legislative Proposal to give the private sector and government the tools needed to combat cyber threats. Congress failed to pass cybersecurity legislation, but the administration issued an executive order to protect critical infrastructure by establishing baseline cybersecurity standards.
In 2014, President Obama announced a new Cybersecurity Legislative Proposal to address the challenges of information sharing that included revisions to the 2011 legislative proposal. The updated proposal includes:
- Cybersecurity Legislative Proposal Enabling Cybersecurity Information Sharing
These provisions promote cybersecurity information sharing between the private sector and government—and enhance information sharing within the private sector. The proposal encourages the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which will then share it with relevant federal agencies and private-sector Information Sharing and Analysis Organizations.
- Modernizing Law Enforcement Authorities to Combat Cybercrime
These provisions allow prosecution for the sale of botnets, criminalize the overseas sale of stolen U.S. financial information, expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft and give courts the authority to shut down botnets engaged in distributed denial-of-service attacks and other criminal activity.
- National Data Breach Reporting
The provisions update security breach/identity theft reporting by simplifying and standardizing the current 46 state consumer protection laws into one federal statute for companies notifying their employees and customers about security breaches.
Cyberattacks on Sony Pictures, Home Depot, JPMorgan Chase, Target and Anthem have prompted the administration to support the passage of the National Cybersecurity Protection Act. This bill would increase legal liability protections for private-sector members who share cybersecurity threat information with the federal government. In an effort to reduce concerns about lawsuits for sharing consumers’ information and jeopardizing privacy rights, an amendment was proposed that stipulates that collected data may be used only for addressing cybersecurity incidents and that all collected data must be “scrubbed” of personal information that’s not related to a cybersecurity threat. Two rounds of personal information scrubbing would be required—one round by the company and another by a civilian agency that receives the data prior to submission to the government.