President Obama today unveiled plans to revive a controversial 2011 cybersecurity bill designed to encourage the private sector to share threat and vulnerability information. The legislation would give legal protections for companies that disclose threat intelligence to the U.S. Dept. of Homeland Security’s National Cybersecurity and Communications Integration Center, which would then provide that information to the National Security Agency and other govt. agencies.
Obama’s proposal came a day after he called for a national data breach notification law to replace the patchwork of state laws that companies must comply with today. The new Personal Data Notification and Protection Act would give companies a standard format for making breach announcements and establish a 30-day window, starting from discovery of the breach, within which they must notify affected customers.
Florida Senator Bill Nelson said today he is preparing to file similar legislation.
“How many more consumers will be affected before something is done?” said Nelson, reacting to recent breaches at companies like Target, Home Depot, Staples and of course Sony Pictures. “Now is the time Congress must act,” the state’s senior Senator proclaimed.
Nelson’s bill would require companies, under most circumstances, to notify consumers of data breaches within 30 days. It also would direct the Federal Trade Commission (FTC) to develop security standards to help businesses protect consumers’ personal and financial data. Additionally, the legislation would provide incentives to businesses that adopt new technologies to make consumer data unusable or unreadable if stolen during a breach.
Both proposals put forward by President Obama have been floated previously, and neither one received sufficient votes in Congress. Even with the renewed focus on information security, however, the Christian Science Monitor reported today that “there’s little to indicate that former opponents are any more amenable to those proposals.”
Here is a draft summary of Nelson’s proposal:
Data Security and Breach Notification Act of 2015
The Data Security and Breach Notification Act of 2015 has two primary components: a data security mandate and a breach notification mandate. The bill would direct the FTC to promulgate data security rules for commercial and nonprofit organizations that own or possess data containing “personal information” or those that contract with third parties to maintain such data. Such entities would be required to develop a data security program. The Commission would be directed to consider the size, nature, and scope of activities; existing state-of-the-art protections for such data; and the costs of implementation, including its effect on small businesses.
The bill would define “personal information” as an individual’s non-truncated Social Security number or financial account number (including those for credit and debit cards) and any code or password, as well as a combination of various identifiers. Under the Administrative Procedure Act, the FTC would be able to expand the definition of personal information if it furthers the purpose of the Act and does not unnecessarily burden interstate commerce.
It would also establish breach notification obligations in the wake of a data breach of electronic information. Specifically, the bill would require a breached entity to notify consumers of a data breach unless the company determines there is no reasonable risk of identity theft, fraud, or unlawful conduct as a result of the breach. In so doing, the bill would also establish a rebuttable presumption of an absence of such reasonable risk when the breached data is “rendered unusable, unreadable, or indecipherable through a security technology or methodology” as established by rules or guidance from the FTC in consultation with the National Institute of Standards and Technology (NIST). A breached entity would be required to notify consumers in a timely manner – no later than 30 days following the discovery of the breach – unless it is not feasible to provide such notice within that timeframe or unless the FBI or the Secret Service has notified the breached entity that notification would impede criminal investigation or national security. The bill also would provide for substitute notification – consisting of email, Internet postings, and print/broadcast media – under certain circumstances. Breached entities would also be required to provide affected consumers with free credit reports for two years unless the FTC determines that such a provision is not feasible due to excessive costs relative to the level of harm.
The bill would authorize both the FTC and state attorneys general to enforce the data security and breach notification provisions of the Act. Violations of the Act would be considered violations of a rule defining unfair or deceptive acts or practices under Section 18 of the FTC Act. By so doing, the FTC would be empowered to seek civil penalties for such violations in addition to its full panoply of equitable remedies. It would preempt state data security and breach notification laws.
Finally, to aid law enforcement, the bill would require covered entities to report security breaches to a federal entity to be designated by the Department of Homeland Security when the breach (1) is of a certain magnitude, (2) involves databases owned by the federal government, or (3) involves information on personnel in national security or law enforcement. The Department of Justice would be authorized to enforce this provision of the bill, which would also establish criminal penalties for certain willful violations.