In a flurry of activity on cybersecurity in the waning days of the 113th Congress, Congress unexpectedly approved, largely without debate and by voice vote, four cybersecurity bills that: (1) clarify the role of the Department of Homeland Security (“DHS”) in private-sector information sharing, (2) codify the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework, (3) reform oversight of federal information systems, and (4) enhance the cybersecurity workforce. The President is expected to sign all four bills. The approved legislation is somewhat limited as it largely codifies agency activity already underway. With many observers expecting little legislative activity on cybersecurity before the end of the year, however, that Congress has passed and sent major cybersecurity legislation to the White House for the first time in 12 years may signal Congress’ intent to address systems protection issues more thoroughly in the next Congress.
On December 11, the House passed Senate legislation codifying DHS’s National Cybersecurity and Communications Integration Center (“NCCIC”) making it the central hub for public-private information sharing. That bill, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (“NCCIPA”), is the Senate version of similar legislation passed by the House this past summer. The NCCIPA now heading to the President is a pared-down version of the original House bill, leaving out a number of industry-desired provisions that would have eased cybersecurity information sharing with the NCCIC. Notably, industry has been calling for legal protections for companies engaged in sharing information with the government. Nevertheless, the version of the bill headed to the President lacks an extensive legal safe harbor for information-sharing. As well, this version of NCCIPA lacks language from the original House bill that explicitly gave SAFETY Act protections to cybersecurity products. Thus, while passage of NCCIPA is an important and largely unexpected step forward on cybersecurity policy, liability concerns will continue to hamper cybersecurity information sharing.
Later in the evening on December 11, the House and Senate passed the Cybersecurity Enhancement Act of 2014, which authorizes NIST to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure. The bill essentially codifies the ongoing process begun earlier this year through which the NIST Cybersecurity Framework was developed. That process remains voluntary under the bill, with no new regulatory authority added to the Framework. The bill also authorizes the federal government to support research, raise public awareness of cyber risks, and improve the nation's cybersecurity workforce.
Earlier in the week, on December 8, the Senate passed by voice vote and without debate the Federal Information Security Modernization Act of 2014, which overhauls the 12 year-old Federal Information Security Management Act (“FISMA”). This legislation replaces FISMA’s current requirement that agencies must file annual checklists that show the steps they have taken to secure their IT systems, and puts the Department of Homeland Security (“DHS”) in charge of “compiling and analyzing data on agency information security” and helping agencies install tools “to continuously diagnose and mitigate against cyber threats and vulnerabilities, with or without reimbursement.” DHS has been increasingly performing this role already and similar legislation passed the House of Representatives in April 2013. That bill, however, was subject to jurisdictional disagreements between the House Homeland Security and Oversight and Government Reform Committees. Surprisingly, Oversight and Government Reform Chairman Rep. Darrell Issa (R-CA) dropped objections to the Senate’s FISMA reform bill and the House passed it on Wednesday evening by voice vote. The House also passed the Senate’s Homeland Security Cybersecurity Workforce Assessment Act as a rider to the Border Patrol Agent Pay Reform Act.
This spate of cybersecurity legislation is more limited in scope than the measures that have been sought by the private sector. Indeed, rather than provide new cybersecurity tools, the bills approved by Congress largely make pre-existing actions official. Still, with the 113th Congress effectively ending this week, passage of any cybersecurity bills is very surprising. Legislative activity on cybersecurity this week indicates a seriousness by policymakers to confront issues vital to information systems protection. In its waning days, the Senate may be attempting to set its mark on future cybersecurity policy. For its part, the House’s sudden action on Senate cybersecurity bills may point to a willingness by House committees to overcome internal jurisdictional disagreements that have hampered similar legislation in the past. The significance here is the recognition by Congress that legislative success now builds momentum for systems-protection policies in the next Congress, such as information-sharing liability protection or data breach legislation. How the 114th Congress confronts those issues is important to businesses seeking to enter public-private partnerships and information-sharing agreements.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code