Cyber-security and data breaches are hot-button issues that recently received some well-deserved attention from the federal government. Last year we posted about the FBI’s efforts to combat economic espionage and trade secret theft. At that time, the Assistant Director of the FBI—who was testifying before a Senate subcommittee—offered salient advice on how American companies could protect themselves from trade-secret theft and insider threats. But the Assistant Director noted an important trend: companies who learn about trade secret theft often pursue private negotiations or civil litigation—without alerting law enforcement. The FBI wanted this to change:
The FBI is committed to ensuring companies have an established line of communication to report concerns about possible economic espionage or trade secret theft to law enforcement. But the FBI must assure companies the government will work to protect their proprietary information from disclosure during prosecution, so that more companies are willing to come forward and report concerns about possible trade secret theft.
Nearly a year after that call for change—and after a spate of high-profile data breaches—Congress took heed of the FBI’s advice by passing measures to increase the public-private flow of information about hacking attempts. Lawmakers, government officials, and most industry groups agree that more data will help both sides better understand their attackers and bolster network defenses that have been repeatedly compromised. The Chairman of the House Homeland Security Committee recently explained why such comprehensive cyber-security laws are needed:
Make no mistake. We are in the middle of a silent crisis. At this very moment, our nation’s businesses are being robbed and sensitive government information is being stolen.
THE LEGISLATION. The reluctance that many American companies have with sharing internal data about cyber-attacks has greatly stymied previous efforts to fight the theft of personal information and state-sponsored campaigns to steal American intellectual property. But two bills recently passed by the House are intended to quell these fears by making it easier for private companies to share information about cyber-security threats among themselves and with the government without fear of lawsuits.
On April 22, 2015, The Protecting Cyber Networks Act passed with overwhelming support from House Intelligence Committee leaders, and members from both sides of the aisle. The bill—which is similar to a measure approved by the Senate Intelligence Committee and headed for that chamber’s floor this spring—would give companies liability protections when sharing cyber threat data with government civilian agencies, such as the Treasury or Commerce Departments.
Similarly, on April 23, 2015 the House passed the National Cyber-security Protection Advancement Act of 2015, which extends liability protections to companies that follow certain procedures and share information about cyber-attacks with the U.S. Department of Homeland Security.
These bills are two of three measures that Congress must pass to get a comprehensive cyber info-sharing law in place. Under both bills as currently written, companies that share data-breach information with the government would receive liability protection only if that data is stripped of all personal information on two separate occasions—once by the company before it gives the data to the government and another round of cleansing by the government agency that receives the data. These bills will now be merged and sent to the Senate, where similar legislation has bipartisan support.
THE IMPACT. Congress has contemplated various forms of this law for nearly five years. But the recent computer attacks on corporate giants like Sony Pictures Entertainment, Target, Anthem, and JPMorgan Chase—which exposed confidential business information and compromised credit card data, Social Security numbers, and personal health information—has changed the political equation and places the onus on Congress to act. Whether or not these two house bills become law, the Committee of Homeland Security Chairman has made clear that cyber-security will remain a priority for Congress:
Cyber criminals, hacktivists, and nation-states will never stop targeting Americans’ private information and American companies’ and government networks to damage, disturb and steal intellectual property and U.S. Government secrets. One of the greatest cyber threats to the homeland is the weakness of our power grids, and energy and water systems. A successful cyber attack on our critical infrastructure could cripple our economy. Congress must take action to defend America’s vital digital networks and help American businesses better protect themselves.
Should the House and Senate come together on final legislation, it would be the federal government’s most aggressive response. And as these bills go to senate and the white house, we will keep you updated.