Feds Aim for National Cyber Breach Notification Standard

Hardly a day goes by without news of a cyberattack on an American business or government agency.

The threats all Americans face in the cyber world today have become far more aggressive, the attacks more frequent and the techniques employed far more sophisticated than just five years ago. This advancing threat underscores the need to respond with the tools and authorities necessary to protect the nation’s security and financial resources.

President Obama in February signed an executive order, advisory in nature, which urges companies to share cybersecurity threat information with one another and the federal government. The executive order is part of a broader White House effort to strengthen the nation’s cybersecurity infrastructure, which the administration has been pushing on Capitol Hill.

The president also urged Congress to enact a national law on data breach notification in his January State of the Union Speech. He called for an end to the “patchwork” of state laws on cyber breach notification. Forty-seven states already have laws on cyber breach notification, while Alabama, New Mexico and South Dakota do not.

The laws within each state, however, have different definitions of “personal information,” what constitutes a breach and the requirements for notification. In California, the state legislature added provisions on breaches of login information for online accounts when its residents expressed concerned about the rising popularity of e-commerce. Wisconsin has responded to the growth of fingerprint reading software by passing legislation on how to respond to breaches of biometric information.

The U.S. House of Representatives has taken steps to address some of the recent threats in a narrower manner. In April, the Protecting Cyber Networks Act passed the House by a vote of 307-116. The bill would give private companies liability protections when sharing cyber threat data with government civilian agencies, such as the Treasury or Commerce departments. If a company sees a threat or attack, this bill allows it to quickly report the intrusion without fearing a lawsuit, so other companies can take the appropriate measures to guard against the threat. Similar legislation passed the House during previous sessions of Congress.

"This bill will strengthen our digital defenses so that American consumers and businesses will not be put at the mercy of cyber criminals," said House Intelligence Committee Chairman Devin Nunes of California on C-SPAN.

Senate Minority Leader Harry Reid has said that he and Senate Majority Leader Mitch McConnell are committed to acting on their chamber’s companion legislation before Memorial Day. The Senate bill, called the Cybersecurity Information Sharing Act, similarly aims to increase the information sharing between the federal government and private companies to aid defense against cyber threats.