Internet and Cybersecurity Safety Standards Act

Last Thursday the White House announced that the Obama Administration has transmitted a cybersecurity legislative proposal to the Congress. Citing the approximately 50 cyber-related bills introduced in the last session of Congress, the Fact Sheet for the proposed legislation describes it as “focused on improving cybersecurity for the American people, our Nation’s critical infrastructure, and the Federal Government’s own networks and computers.” The proposal contains the following items:

• National Data Breach Reporting – The legislation would simply and standardize state law requirements regarding notification to customers when a breach has occurred.
• Penalties for Computer Criminals – The legislation would clarify penalties for computer crimes and set mandatory minimums for cyber intrusions into critical infrastructure.
• Voluntary Government Assistance and Information Sharing with Industry, States and Local Government – Clarifies the authority of the Department of Homeland Security (DHS) to assist organizations that suffer a cyber intrusion and provides immunity to businesses, states and local governments that provide cybersecurity information to DHS.
• Critical Infrastructure Cybersecurity Plans – The proposed legislation would require DHS to work with operators of critical infrastructure (i.e. those assets whose disruption “would have a debilitating impact on national security, national economic security, national public health or safety”) to develop frameworks for addressing core cyber-threats.
• Federal Cybersecurity – The legislation contains a number of measures designed to strengthen the cybersecurity of federal government computers, including measures related to the increased use of cloud computing by the federal government.
• Privacy and Civil Liberty – The proposed legislation requires DHS and all other federal agencies to follow privacy and civil liberties procedures in implementing the proposed cybersecurity measures.

Initial reactions to the White House’s proposal appear mixed--see, for example, here and here. Companies should pay close attention to the proposed data breach reporting rules to determine what impact the rules could have on their operations. Operators of critical infrastructure, in particular public utilities, internet service providers and telecommunications providers, should examine the proposed framework for addressing cyber-threats to their assets.

The complete text of the legislative proposal is available here.

read more

U.S. Senator Benjamin Cardin (D-MD) introduced legislation last week that would require the federal government to work with the private sector to work together to reduce the ability of terrorists, criminals and other malicious actors to compromise computer networks and critical infrastructure.

The Internet and Cybersecurity Safety Standards Act, if enacted, would require a cost-benefit analysis “to determine the costs and benefits of requiring providers to develop and enforce minimum Internet and cybersecurity safety standards.” The factors to be considered in this analysis include the effect that these minimum standards may have on “homeland security, the global economy, innovation, individual liberty, and privacy.” read more