Cybersecurity Legislation Predictably Unpredictable on Capitol Hill

The 2012 legislative session started off looking very promising for the passage of cybersecurity reform -- then suddenly the landscape shifted. On privacy and intellectual property issues, we saw the Internet companies flex lobbying muscle in an unprecedented way.  Finally, even though 2011 saw more major data breach incidents than previous years, data breach reform may be a long way off. Here’s a quick rundown of the major security-related initiatives that CompTIA is tracking:

Cybersecurity Reform

Last month, a bipartisan group comprised of legislative staff from the Senate Commerce Committee and the Homeland Security and Governmental Affairs Committee sought public input on a series of legislative provisions that would ultimately become the Cybersecurity Information Sharing Act of 2012.

The last time we checked, the legislation would reform the Federal Information and Security Information Act.  This would change the process by which federal agencies comply with requirements to keep computer systems secure.  Under existing law, federal agencies have an obligation to report on a quarterly or semi-annual basis that they are complying with various IT security requirements.  The new proposed rule would require a state of “continuous monitoring” of cybersecurity threats and attacks.  This provision of the law is fairly uncontroversial.  Next, the new legislative provisions also would grant oversight authority for cybersecurity matters to the Department of Homeland Security (DHS).  Currently, there are various federal agencies with authority over a variety of cybersecurity-related matters.

Finally, the next major, and perhaps most contentious, legislative provisions of the bill relates to the obligations of the critical infrastructure owners and operators to share information with the federal government related to cybersecurity threats and attacks.  The central issue in the debate focuses on whether the private sector should disclose this information on a voluntary or mandatory basis.  A related point is whether liability should attach and/or whether safe harbor provisions should be included. This provision also raises concerns regarding the protection of trade secrets.

Notwithstanding best efforts by the bipartisan group, the most recent report from Capitol Hill is that this cybersecurity legislation may be stalled.  On the other side of the Capitol, the House has taken a slightly different approach, allowing the various committees to work individual bills through the committee process as opposed to the more sweeping approach currently being pursued in the Senate.

The Stop Online Privacy Act and Protect IP Act

In mid-January 2012, Representative Smith (R-TX) introduced the Stop Online Privacy Act (SOPA), and the Senate companion bill, Protect IP Act (PIPA), was introduced by Senator Leahy (D-VT). The result was a blackout protest in opposition to these bills led by Wikipedia.com, Google and other Internet and IT companies.  In fact, CompTIA also wrote a letter in opposition to the legislation.

Consequently, Congress was inundated with thousands, possibly millions of e-mails, letters and phone calls in opposition to the legislation.  The outcome was that SOPA and PIPA were doomed.  Many industry insiders where surprised and/or shocked at how effectively the Internet companies mobilized their users and outmaneuvered some of the most influential lobbyists in Washington. It remains to be seen how the entertainment and music industry will regroup after expending considerable lobbying resources to pass the legislation.  Although, Rep. Darrell Issa (R-CA) has introduced a watered down version of SOPA and PIPA, there is no great momentum to try to move that legislation forward at this time.

Data Breach

Another important policy area for the IT industry relates to data breach.  Currently, there is a patchwork of state data breach notifications laws across the country.  This has been a significant burden for the IT industry, especially for small and medium-size firms.  IT firms with fewer resources find it extremely burdensome to comply with potentially more than 45 state data breach notification requirements.  Many of these IT firms consist of only a handful of employees without any legal or regulatory training.  Hiring lawyers and regulatory specialists is just not a cost-effective model, and thus these various state data breach laws serve as a barrier to entry for many small and medium-size firms.

Last year, Rep. Bono Mack (R-CA) introduced a data breach bill to address some of these challenges. Unfortunately, it was a non-starter for the industry.  One of the biggest problems with the legislation was that it contained a $5M liability provision that would have devastated small businesses. A small company offering data services would be required to increase their E&O insurance policies to cover a $5M liability.  In addition, there was not an adequate safe harbor provision that would have made distinctions between accidental data breaches versus negligent breaches. A possible reason for the absence of a viable data breach reform proposal may have to do with the fact that there is no consensus on how to manage the consumer protection component of any new data breach legislation.

So while the various pieces of security-related legislation appear to be stalled at the moment, it’s hard to tell when some of these logjams will be broken. To stay in touch with the latest on security policy, subscribe to CompTIA’s blog or follow www.techvoice.org and get involved in making the IT industry’s voice heard.