Yesterday, the Senate voted to move forward with a floor debate of the Cybersecurity Act of 2012 (“CSA2012”) (S. 3414), and the White House formally endorsed CSA2012, saying it will strengthen efforts to secure American networks against cyberattacks. As a result of yesterday’s procedural vote, the Senate is likely to consider the current version
On July 19, 2012, Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Jay Rockefeller (D-WV), Dianne Feinstein (D-CA), and Tom Carper (D-DE) introduced a revised version of the Cybersecurity Act of 2012 (“CSA2012”), which they initially introduced in February. The revision includes elements drawn from efforts by Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) to reconcile the CSA2012 with the Republican-sponsored SECURE IT Act (S. 3342).
The new CSA2012 (S. 3414) takes a different approach from the original version to the cybersecurity of critical infrastructure. The original bill would have given the Department of Homeland Security (“DHS”) authority to designate “systems or assets” as covered critical infrastructure and to require owners and operators of designated critical infrastructure to meet cybersecurity performance requirements established by DHS. The new CSA2012, on the other hand, would rely on voluntary private sector compliance with cybersecurity standards. As Senator Lieberman explained, the revised bill relies on “carrots instead of sticks.”…
By David Fagan and Josephine Liu
The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity. The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework. As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress. Senate Majority Leader Harry Reid and six Senate committee chairs requested last July that President Obama provide input on cybersecurity legislative reforms; today’s proposal responds to that request.
While the legislative proposals are extensive – the complete section-by-section analysis is, on its own, more than 20 pages – the following provisions are likely to be of particular interest for businesses operating in this space:
- National data breach notification. The proposals would seek to create, for the first time, a unified federal standard for notification to customers in the event of a security breach. Specifically, business entities would be required to notify customers following the discovery of a security breach involving sensitive personally identifiable information, and also to notify law enforcement and national security authorities under certain circumstances. These provisions would preempt the 47 existing state data breach notification laws, and would be enforced by the FTC and state attorneys general.
- Development of critical infrastructure cybersecurity plans. DHS would work with industry, through a rulemaking process, to identify core critical infrastructure operators and specific risks. An entity would not be designated as a critical infrastructure operator unless (1) disruption of the entity’s operations would have a debilitating effect on national security, national economic security, or national public health or safety; and (2) the entity depends on information infrastructure to operate. Operators designated under this process would be responsible for developing cybersecurity risk mitigation plans, which would be assessed by third-party auditors. DHS would be authorized to enter into discussions or take other action if operators’ plans are insufficient.
- Voluntary sharing of cybersecurity threat information. The proposal would authorize private entities to share cybersecurity threat information with DHS, and would provide them with immunity for doing so. DHS would be tasked with developing policies and procedures to minimize the impact on privacy and civil liberties and to prevent misuse of the shared information.