Wednesday, February 18, 2015

Obama calls for cybersecurity cooperation; trade groups seek common sense approaches

By John M. Pachkowski, J.D.

Following a year when there were constant reports that a data breach occurred at some retail establishment exposing the financial and personal data of millions of consumers, President Obama convened a cybersecurity summit at Stanford University to announce executive action calling for greater cooperation between the government and the private sector on cyberthreats and making it easier for federal agencies to share relevant, classified information with companies.
 
The Executive Order issued by President Obama builds upon a foundation established by two February 2013 executive actions—Executive Order 13636 (Improving Critical Infrastructure Cybersecurity) and Presidential Policy Directive-21 (Critical Infrastructure Security and Resilience).
 
In his remarks, the president said, “There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners.” The order calls for a common set of standards, including protections for privacy and civil liberties, so that the government can share threat information with the private sector.
 
Legislative package. President Obama also noted that he was proposing new legislation to promote greater information sharing between government and the private sector, including liability protections for companies that share information about cyber threats. He added, “Today, I’m once again calling on Congress to come together and get this done.”
 
Cybersecurity. The administration’s cybersecurity information sharing proposal would encourage the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which would then share it, in as close to real time as practicable, with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations. The incentive to share would come from targeted liability protection for companies that provide information to these entities.
 
Breach notification. The administration’s proposal would also safeguard Americans’ personal privacy by establishing a national data breach notification standard. The notification proposal would also provide a “safe harbor” exemption in which a business entity is exempt from notice to individuals if a risk assessment conducted by or on behalf of the business entity concludes that there is no reasonable risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.

Updating law enforcement tools. The final set of legislative proposals would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity. It also updates the Racketeer Influenced and Corrupt Organizations Act so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes. Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information in order to use it for their own purposes.

Common-sense principles. Even before the administration’s legislative proposals had been sent to Capitol Hill, a number of financial trade groups called on Congress to help protect their constituents from feeling the impact of identity theft and financial account fraud resulting from data breaches by considering the following three common-sense principles:

  1. A National Data Security and Breach Standard: strong national data protection and consumer notification standards with effective enforcement provisions must be part of any comprehensive data security regime.
  2. Building on Existing Standards: Congress has already placed robust standards on certain sectors, such as healthcare and banking. These existing standards must be recognized, and can also serve as a model that can be adapted to other sectors where no such standards exist.
  3. Shared Responsibility: all parties must share the responsibility, and the costs, for protecting consumers. The costs of a data breach should ultimately be borne by the entity that incurs the breach.

The groups—American Bankers Association, Consumer Bankers Association, Credit Union National Association, Financial Services Roundtable, Independent Community Bankers of America, National Association of Federal Credit Unions, and The Clearing House—wrote to Congress in response to a letter by the National Retail Federation and the National Association of Convenience Stores regarding purported claims about data breaches and fraud.

For more information about cybersecurity and data breaches, subscribe to the Banking and Finance Law Daily.