Cyber-security Regulation - Proposed Regulation

Proposed Regulation

The U.S. Congress has proposed numerous bills that expand upon cyber-security regulation. The Consumer Data Security and Notification Act amends the Gramm-Leach-Bliley Act to require disclosure of security breaches by financial institutions. Congressmen have also proposed “expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card.” Congress has proposed cyber-security regulations similar to California’s Notice of Security Breach Act for companies that maintain personal information. The Information Protection and Security Act requires that data brokers “ensure data accuracy and confidentiality, authenticate and track users, detect and prevent unauthorized activity, and mitigate potential harm to individuals.”

In addition to requiring companies to improve cyber-security, Congress is also considering bills that criminalize cyber-attacks. The Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) is a bill of this type. This bill which focuses on phishing and spyware bill that was passed on May 23, 2005 in the United States House of Representatives and is currently in committee in the Senate. This bill “makes unlawful the unauthorized usage of a computer to take control of it, modify its setting, collect or induce the owner to disclose personally identifiable information, install unsolicited software, and tamper with security, anti-spyware, or anti-virus software.”

On May 12, 2011, U.S. President Obama proposed a package of cyber-security legislative reforms to improve the security of U.S. persons, the federal government, and critical infrastructure. A year of public debate and U.S. Congress hearings followed, resulting in the U.S. House of Representative passing an information sharing bill and the U.S. Senate developing a compromise bill seeking to balance national security, privacy, and business interests.

In July 2012, the Cybersecurity Act of 2012 was proposed by Senators Joseph Lieberman and Susan Collins. The bill would have required creating voluntary "best practice standards" for protection of key infrastructure from cyber attacks, which businesses would be encouraged to adopt through incentives such as liability protection. The bill was put to a vote in the Senate but failed to pass. President Obama had voiced his support for the Act in a Wall Street Journal op-ed and it also received support from officials in the military and national security including John O. Brennan, the chief counterterrorism adviser to the White House. According to The Washington Post, experts said that the failure to pass the act may leave the United States "vulnerable to widespread hacking or a serious cyberattack." The act was opposed by Republican senators including John McCain who was concerned that the act would introduce regulations that would not be effective and could be a "burden" for businesses. After the senate vote, Republican senator Kay Bailey Hutchison stated that the opposition to the bill was not a partisan issue, but rather that the Act did not take the right approach to cybersecurity.The senate vote was not strictly along partisan lines, six Democrats voted against the Act, while five Republicans voted in favor. Critics of the bill included the U.S. Chamber of Commerce, advocacy groups including the American Civil Liberties Union and the Electronic Frontier Foundation, cybersecurity expert Jody Westby and The Heritage Foundation, both of whom argued that although the government does need to act on cybersecurity, the 2012 bill was flawed in its approach and represented "too intrusive a federal role".