July 24, 2013
Previously published on July 22, 2013
Over the first half of the year there has been a lot of activity surrounding government efforts to confront growing concern over “Cybersecurity.” This flurry of activity comes in the wake of two years during which lawmakers have been unable to define legislatively what, exactly, “cybersecurity” is, what it means, and how it should be mandated and implemented. But Congress’ failures have not halted the piecemeal charge that is pushing unabated into the cybersecurity realm. For example, the Pentagon is seeking roughly $23 billion to fund computer network defense and computer network attack initiatives through FY 2018, beginning with a $4.65 billion bump for such efforts in FY 2014. It is clear that the government is in the midst of a “cyber-gold rush” and savvy and innovative contractors practicing in this realm are poised to benefit. However, the increased attention cybersecurity is getting will also pose significant hurdles to businesses throughout the country.
In an effort to assist companies navigating the myriad issues related to the extra focus on cybersecurity, the Government Contracts Law Blog will endeavor to keep readers abreast of the policy and practicality of such developments. Let’s start with some of the current happenings affecting the rest of this Summer (along with a brief recap of what we have seen so far this year)...
Background and Updates
- In January 2013, the President signed the National Defense Authorization Act of 2013 (Pub. L. No. 112-239), which included a section (Section 941) requiring the Secretary of Defense to establish mandatory procedures governing reporting requirements for covered defense contractors where a successful cyber-penetration of their networks or information systems has occurred.
- In February, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” as a roadmap for the Executive branch to address threats to critical infrastructures, align cybersecurity regulations, and increase sharing of key information.
- In May, the General Services Administration and the Department of Defense Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition issued a request for information from the public to help implement E.O. 13636 (particularly from an acquisition perspective).
- And in June, the House of Representatives proposed new language in the National Defense Authorization Act of 2014 (H.R. 1960, Section 5101 - not yet approved by the Senate) to give agency-level chief information officers increased authority, in an effort to revitalize and centralize information technology management.
But beyond the cybersecurity mandates that will, no doubt, come out of the Defense Authorization Act and E.O. 13636, there are at least two other recent events that deserve a bit of attention.
Congress Kicks the Cybersecurity Tires with the “Data Security and Breach Notification Act of 2013”
On June 20, 2013, a bill was introduced in the U.S. Senate called “The Data Security and Breach Notification Act of 2013” (S. 1193). As its name suggests, the purpose of the law is to ensure that companies collecting and storing personal information are securing that information and, should a breach of security occur, that the companies inform the affected individuals of the data breach. The effort, of course, is focused on one uniform data breach notification standard to replace the patchwork of laws currently affecting businesses and individuals, and (if passed) the law would preempt the similar breach notification laws found in 46 states and the District of Columbia. However, as described below, the introduced bill is not without its drawbacks.
In an example of less than precise language, the proposed law is broadly worded and would require individual notification when personal information was, in fact, “accessed and acquired by an unauthorized person.” But it would also require notification if a company “reasonably believed” that personal information was “accessed and acquired by an unauthorized person.” What’s more, the notification requirement would be triggered when the breached entity holding the personal information “reasonably believes” that the personal information “accessed and acquired” “has caused or will cause identity theft or other actual financial harm.” And, if the breach or perceived breach affects 10,000 or more individuals, the holding entity must notify the U.S. Secret Service or the FBI of the breach/potential breach and the perceived exposure.
Once triggered, the proposed law would have the notification made “as expeditiously as practicable and without unreasonable delay.” Fortunately, this standard is not “immediately,” allowing affected entities time to determine the “scope of the breach of security, to identify individuals affected by the breach of security, and to restore the reasonable integrity of the data system that was breached.” However, the notification timeline may be extended by the government through a “written request” if it is believed that such notification may impact a civil or criminal investigation or a national security matter.
Enforcement of this proposed law would fall to the Federal Trade Commission and its authority under Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) prohibiting unfair and deceptive practices in or affecting commerce. Under that authority, there would be a maximum civil penalty of $500,000 for violations of the law. Notably, companies in certain industries would be exempt from the proposed cybersecurity law, including companies covered under the Gramm-Leach-Bliley Act (relating to the financial services industry) and companies subject to the Health Insurance Portability and Accountability Act (relating to medical providers and individuals retaining personal, protected health information).
While the bill’s intentions are admirable, this current version of the bill still raises some concerns.
- First off, the bill fails to define or reference a definition for “personal information” - a pretty big gap, considering that one of the main aims of the bill is to protect personal information. A clear definition of “personal information” will be required to identify not only the entities to whom the law is targeted, but also to delineate the starting point for the notification requirements when there is a data breach.
- Second, the bill’s “reasonably believes” standard requires companies to be ever vigilant as to what may have happened to their stored data. In an attempt to move to one harmonized standard, the proposed language leaves a lot of room for different “reasonable beliefs” that may reasonably be interpreted differently by different companies. So much for uniformity; and so much for predictability.
- Third, affected companies will have to know whether the acquired personal information can be, may be, or might be used to steal an identity or cause the poorly defined “other actual financial harm.” Maybe with regard to credit card information or social security numbers, that is an easy question. But what about with regard to something like password breaches of social networking sites? Would that count? Should it?
- And, finally, if a company is required to notify the FBI or the Secret Service after a significant breach, it is entirely unclear whether, and to what extent, those agencies will be permitted to access, park on, and monitor the breached system.
As this is only the first draft of the bill (the bill is currently sitting in Committee), it is uncertain what the eventual law will look like. But, suffice it to say, Congress is working on creating a uniform law of the land related to the reporting of data breaches that will require all companies holding sensitive information to increase their respective efforts in securing that information. Expect a long bumpy ride as this law hits the road.
Chime In by July 29 to NIST RFI on Computer Security Incident Responses
On June 28, 2013, the National Institute of Standards and Technology (NIST) issued a request for information regarding what it should do to augment its Computer Security Incident Coordination (CSIC) and to improve the standards relating to responding to security incidents. See 78 Fed. Reg. 38949. NIST is accepting comments on this topic until July 29, 2013.
In pertinent part, NIST is attempting to collect examples and information related to security incident technical best practices, impediments to information sharing and response, risks of collaborative incident response, helpful or ineffective technical standards, and suggestions for guidance. The information will be examined by NIST and used in the drafting of a Special Publication (through an open public review) outlining technical standards, methodologies, procedures, and processes that facilitate prompt and effective response by Computer Security Incident Response Teams (CSIRTs) in responding to computer security incidents. NIST is spearheading this effort in consultation with the Department of Homeland Security, the National Security Agency, the Office of Management and Budget, and other interested federal agencies.
If you are part of a cybersecurity or IT company that has the type of “helpful” technology and technical standards that may be employed to assist in security incident responses, you may want to take note of NIST’s efforts and respond promptly to this request for information.