Delaware Adopts Law Requiring the Destruction of Consumers’ Personally Identifiable Information

By Steven Caponi & Elizabeth Sloan

On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Section 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§50C-101 through 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice. The new law is effective on January 1, 2015.

The heart of the new law is the obligation of “commercial entities” to take “all reasonable steps” to destroy consumers’ personal identifying information that is “no longer to be retained by the commercial entity” by “shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means. …” By adopting a broad definition of “commercial entity,” the new requirements reach all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, and any other legal entity—whether or not for-profit. Importantly, the law does not specify when documents must be destroyed; rather, it addresses how records must be destroyed once they will no longer be “retained” by a company.

In light of the definition of “commercial entity,” a company’s size, revenues, number of employees, and charitable status are irrelevant to the impact of the new requirements. The definition, however, raises the question of whether the new requirements apply only to entities doing business in Delaware, or whether they also extend to entities formed in Delaware regardless of where they transact business. Given the number of companies incorporated in Delaware, the resolution of this ambiguity could have significant implications nationally. Evidencing some degree of restraint, the law does not apply to financial institutions that are subject to the Gramm-Leach-Bliley Act; health insurers or healthcare facilities that are subject to the Health Insurance Portability and Accountability Act; consumer reporting agencies that are subject to the Federal Credit Reporting; and any government, governmental subdivision, agency, or instrumentality.

The Act also defines personal identifying information as “a consumer’s first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information.” Also, “record” is defined equally broadly so as to encompass information “inscribe[d] on a tangible medium, or that is stored in an electronic or other medium. …” Combined, the two definitions extend the scope of the new law to cover the destruction of both paper documents and all forms of electronic records, including records located on back-up tapes, local storage devices, and those stored in “the cloud.”

Reflecting a bias towards consumer rights, the law provides for both a public and private cause of action. Consumers who incur actual damages due to a reckless or intentional violation may bring a civil action against the commercial entity and obtain treble damages. Additionally, the Attorney General, through the Division of Consumer Protection of the Department of Justice, may bring an enforcement action in law or through an administrative proceeding if a violation has occurred and the Attorney General believes an enforcement action would be in the “public interest.”

A copy of the law and the relevant legislative history can be found at: http://legis.delaware.gov/LIS/lis147.nsf/vwlegislation/E7AF55FF393A832E85257C590067118D

Cyber Legislation Advances on the State and Federal Level

By Steven Caponi

Last year, cyber attacks on computer networks increased to a record level, doubling the number recorded in 2012. According to cybersecurity research firm FireEye, attacks on enterprises occurred every 1.5 seconds last year, up from once every three seconds the previous year. In the face of this onslaught, it is no surprise that government officials are taking steps to pass cybersecurity legislation. Unfortunately, if the recent announcements by Kentucky and Senator Mark Warner are a harbinger of things to come, it appears that the inability of Congress to enact comprehensive reforms will result in a patchwork of state and federal laws and regulations.

For its part, the Kentucky Senate passed a bill to improve the security of personal data located on government computers. Known as House Bill 5, the legislation requires state agencies to better protect private information stored on government computers and also requires state and local government agencies to notify people within 35 days if their personal information is stolen or mishandled. House Bill 5 is a top priority of State Auditor Adam Edelen, who noted, “Every cybersecurity expert agrees that it’s not a matter of if agencies will be hacked. It is just a matter of when.” He further stated that, “From social security numbers, to tax returns, health records, to credit cards, governments possess more sensitive, private data than any other single entity.” These comments are likely more a reflection on the past than a prediction of the future, given the 2012 incident in which the Kentucky state finance cabinet accidentally posted Social Security numbers and other sensitive information on its website.

House Bill 5 cleared the GOP-controlled Senate without opposition and received final approval from the Kentucky House on March 28. So far, the process has been described as bipartisan, and with 74 co-sponsors, a signature from the Governor appears to be a sure thing.

At the federal level, U.S. Senators Mark Warner (D-Va.) and Mark Kirk (R-Ill.) announced that they will introduce a bipartisan amendment creating a law enforcement partnership between the United States and Ukraine to combat cybercrime and improve cybersecurity. This amendment will be attached to an aid package intended to help bolster the Ukrainian government. At first blush, attaching an amendment to an aid package for Ukraine and limiting its focus to fostering cooperation between two countries may seem puzzling. But Ukraine is a known international haven for hackers, as evidenced by the data breach directed at millions of U.S. customers of Target and other leading American retailers. Both attacks were ultimately traced to cybercrime syndicates operating in Ukraine.

The Warner/Kirk amendment to the Ukraine aid bill proposes the following:

1) The initiation of formal U.S.-Ukraine bilateral talks on cybercrime to be followed by multilateral talks that include other law enforcement partners such as Europol and Interpol.

2) The establishment of a U.S. standing senior-level working group to conduct regular dialogue on cybercrime concerns and share best practices between law enforcement agencies in the U.S. and Ukraine.

3) The expansion of cyber law enforcement capabilities through a program with Ukraine that includes sending FBI agents to assist Ukrainian investigations and improve law enforcement cooperation.

4) Improved extradition procedures. There currently is no U.S.-Ukraine extradition treaty, which makes Ukraine a safe haven for operators of international cybercrime syndicates.

Sen. Warner stated in support of the amendment, “As the United States works to support this new Ukrainian government and as the Senate considers this significant Ukrainian aid package, we have an excellent opportunity to create new structures of cooperation that will better protect American consumers and businesses by working together to crack down on international cybercrime.”

“Our nation is one of the most frequently targeted countries for major cybercrimes and data breaches, accounting for nearly half of the $11 billion of losses on payment cards worldwide,” Sen. Kirk added. “Ukraine is a known hub for cybercrime, and the United States should work with the Ukrainian government to create a framework of cooperation to deter, prevent and counter these cyber criminals and ensure the safety of the newly formed Ukrainian government and financial system.”

Whether the amendment remains part of the aid package and achieves positive results remains to be seen. But if it even slightly diminishes the ability of hackers to operate freely in Ukraine, it will be deemed a success.

SEC Cybersecurity Roundtable: Panel 4 – Broker-Dealers, Investment Advisers, and Transfer Agents

This post brings us to an overview of the final panel at today’s SEC Cybersecurity Roundtable. The panel began with a discussion on the nature of the cybersecurity risks faced by broker-dealers, and the steps taken by FINRA to address the issue. FINRA is in the process of developing protocols, particularly when dealing with personally identifiable information. To help develop these protocols, FINRA has been surveying broker-dealers to determine their areas of concern. Interestingly, broker-dealers are focused on (in order of importance): operational risks, insider risks, and hackers penetrating their systems.

The panel members representing investment advisers were primarily concerned with the potential takeover of a client account. Clearly, a hacker taking control of a trust account is a scary prospect. Other areas of concern included activism through denial of service attacks on large financial institutions, and theft by individual employees. Asset managers recognize that cybersecurity and the threat of cyber attacks are not IT problems, but rather enterprise issues to be addressed at the highest levels. In particular, the panelists noted that wealth management firms receive a large volume of e-mails from consumer accounts that have been taken over or compromised. This creates a very plausible scenario in which a client seemingly sends a set of instructions, only for the firm to discover that it was an attempt at theft by a hacker.

All members of the panel acknowledged that one of the most significant issues facing financial services companies is the struggle to keep up with the changing face of cyber attacks. The rapidly expanding power of technology as well as the sophistication of hackers is allowing more people from around the globe to launch more robust attacks. In short, today’s solutions are useless for defending against tomorrow’s threats.

So, does size matter? With regard to broker-dealers, over 50% of registered broker-dealers are small businesses with fewer than 10 employees. As a result, they are less prepared and more vulnerable than large financial institutions. While hackers are tempted to attack large companies because they possess more information—on a volume basis—the smaller companies present a softer target. Smaller companies may be an easy point of entry from which to work upstream to the larger institutions. This is exactly what happened in the case of the Target breach.

Raising a very interesting and troubling point, the panel delved into the move from fixed terminals to mobile devices. The venerable BlackBerry was designed from the outset to be highly secure; hence its broad enterprise acceptance. Today’s new phones—Android/iOS—are highly popular, but lack reliable security protocols. Yet, businesses are routinely launching new apps—ironically through these new, less secure mobile devices—to help consumers manage their accounts. The need to grow market share and meet consumer demand versus the need for security will therefore continue to be a point of tension in today’s market.

So, where do we go from here? What should the SEC do or not do? The panel was looking for principle-based guidance rather than prescriptive rules, because hard and fast rules will be out of date almost immediately after they are issued due to the changing nature of the cyber threat. As a result, guidelines, principles, and goals are more likely to be productive and to permit companies to comply with the SEC while battling the cybersecurity threat.

Unanimity was achieved amongst the panel on the need to have clear guidelines for sharing threat information with the government while being simultaneously protected from legal liability. Members of the panel expressed the desire to have the various arms of the government (SEC, DHS, FBI, FTC, etc.) coordinate with one another in order to have a harmonious set of enforcement and regulatory regimes. Joining the loud chorus from the other panel discussions, it was noted that companies have a strong self-interest in protecting themselves from cyber attacks, so they are looking for the government to help them and not treat them as a perpetrator.

Moderators: David Grim, Deputy Director, Division of Investment Management, James Burns, Deputy Director, Division of Trading and Markets, Andrew Bowden, Director, Office of Compliance Inspections and Examinations

Panelists:

  • John Denning, Senior Vice President, Operational Policy Integration, Development & Strategy, Bank of America/Merrill Lynch
  • Jimmie H. Lenz, Senior Vice President, Chief Risk and Credit Officer, Wells Fargo Advisors LLC
  • Mark R. Manley, Senior Vice President, Deputy General Counsel, and Chief Compliance Officer, AllianceBernstein L.P.
  • Marcus Prendergast, Director and Corporate Information Security Officer, ITG
  • Karl Schimmeck, Managing Director, Financial Services Operations, Securities Industry and Financial Markets Association
  • Daniel M. Sibears, Executive Vice President, Regulatory Operations/Shared Services, FINRA
  • John Reed Stark, Managing Director, Stroz Friedberg
  • Craig Thomas, Chief Information Security Officer, Computershare
  • David G. Tittsworth, Executive Director and Executive Vice President, Investment Adviser Association


SEC Cybersecurity Roundtable: Panel 3 – Key Market Systems

The third panel at today’s SEC Roundtable talked about the various issues related to key market systems, i.e., trading, exchanges, brokerage houses, etc. The panel noted throughout the discussion that financial firms are becoming technology firms, and that continuous cyber-hygiene is increasingly important.

Topic 1: Common threats to securities market infrastructure

Primarily, the panel focused on the need to share information, and to declassify cyber attack information so that people can work together to tackle risks. Interestingly, no one really talked about what the common threats were. One panelist grouped them together—as does Richard A. Clarke, chairman of Good Harbor Security Risk Management and renowned cyber and homeland security expert—saying that the common threats are: criminal actors, whose objective is to steal money; hacktivists, who have a political objective; espionage; and war-like actors, whose objective is to disrupt or degrade.

Topic 2: Tackling the cyber risk

The panel focused on structured risk assessments and the need to continually test plans and security measures. They also stressed the need to focus on the gaps to see where the weak points are. However, the panelists also noted the importance of balancing the risk with current business needs; they asserted that using both inside and outside experts would help in that endeavor. Additionally, they once again emphasized the need to bring everyone together to collaborate on cyber threats, awareness, and best practices.

The panelists then focused on insider vs. outside threats. While insider threats were once the main focus of cybersecurity, that is no longer the case. But the panelists noted that insider threats are still an issue because the insider knows a lot more about how the systems and operations work, which makes the insider a higher risk. Further, if these insiders have or are given more access or vetting authority, they will have more opportunities to mount a significant attack. In conclusion, there was consensus that there have to be strong internal controls in place to make sure one person can’t take down the whole system.

Topic 3: If an attack occurs, what information should be given to members?

The panelists noted this was a tricky area, stating that there is a tension between knowing a problem and its scope (which is only known at the end) and an immediate need to know. The panelists agreed that a balance needs to be struck. You must provide notice to your clients, based on what you know, about what occurred. But the facts are going to change as you uncover what really happened. Consequently, the initial disclosure is going to look quite different from what really happened. One panelist noted that you can’t tell the whole story early.

Topic 4: How do market systems approach cybersecurity?

The panelists mentioned a variety of tests that they perform, but they all stated that testing is a never-ending cycle. These tests include: vulnerability scans, source code testing, penetration tests, industry-wide tests, table top exercises, and standard operating procedure testing.

Topic 5: Disclosure of information on breaches

The panelists agreed that the need to share information was critical because if someone else is under a similar attack, it is important to know what is going on. Also, getting information back to the government is necessary because the same intrusion could be happening in other places. However, the panelists noted that disclosure issues raise lots of questions, and this needs to be debated further. Also, a panelist noted that the big exchanges around the world have good and common best practices, but the smaller ones don’t. There is a need to get this information to them because they have just as much risk, but not the information to help mitigate it.

At the conclusion, a question was raised by one of the panelists: What can the SEC do to help facilitate best practices? All of the panelists agreed that collaboration is key, i.e., sharing information and mutual training. Also, another panelist suggested that since everything is risk-focused, help could/should be given to help quantify these risks.

Moderator:  James Burns, Deputy Director, Division of Trading and Markets

Panelists included:

  • Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust and Clearing Corporation (DTCC)
  • Mark Graff, Chief Information Security Officer, NASDAQ OMX
  • Todd Furney, Vice President, Systems Security, Chicago Board Options Exchange
  • Katheryn Rosen, Deputy Assistant Secretary, Office of Financial Institutions Policy, Department of the Treasury
  • Thomas Sinnott, Managing Director, Global Information Security, CME Group
  • Aaron Weissenfluh, Chief Information Security Officer, BATS Global Markets, Inc.

SEC Cybersecurity Roundtable: An Overview of the Second Panel Discussion

Continuing our live updates from today’s SEC Cybersecurity Roundtable, below is an overview of the second panel discussion, which commenced at 11:15 a.m. EST and covered cybersecurity disclosure issues faced by public companies.

Topic 1: How do cybersecurity risks impact public disclosures and how have disclosures changed over time?

The panel noted that the nature of the cyber threat or attack will have an impact on whether a disclosure is made. For example, a company may not disclose an attack launched by a foreign government, especially when the company was notified of the attack by the government. Conversely, a disclosure is more likely to occur when a breach involves consumer or customer information.

Topic 2: Are cyber risks a unique threat from a disclosure standpoint?

The panel noted the SEC appears to apply a different standard when it comes to cyber risks as compared to other material risks. This emphasis suggests the SEC will require more comprehensive disclosures. For example, the SEC guidance discusses the need to disclose whether cyber insurance has been secured.

Topic 3: What is the level of board involvement?

The panel acknowledged that there has been an uptick in the level of attention from boards on the issue of cybersecurity. Boards are more focused on the nature, extent, and consequences of a cyber attack. Boards are also looking at the short, mid-, and long-term impact of a breach, and the company’s breach response. In other words, boards want to ensure that their breach response is conducted in a way that protects the company’s future performance.

There was a disagreement between panel members, however, on the level of board involvement. Several panelists suggested that boards should consider retaining members with cybersecurity expertise who can interact with management to control the threat. Others were concerned that boards may overstep the boundary of overseeing the company to running the company. In the end, all of the panelists agreed that the composition and structure of the board should be considered on a case-by-case basis.

Lastly, the panel discussed whether the audit committee is the right group to manage this risk. All of the panelists agreed that audit committees are becoming overworked and are the default committee for board issues. Although recognizing this problem, many on the panel believe that the audit committee is well positioned to manage cyber risks.

Topic 4: What do investors want to know?

Investor relations members of the panel want greater disclosure as to what information companies collect, how they use it, why it’s collected, how it’s maintained, and how long it’s maintained. The concern is that companies that possess greater amounts of information are more likely to be a target. Knowing this will allow investors to better determine the risks carried by specific companies.

Topic 5: What drives disclosure?

The panel agreed that securities laws are not the driver of cybersecurity disclosures. Rather, state laws and regulations are what most concern companies that are breached. If a breach is not public, companies are disinclined to disclose it due to the potential for lawsuits and regulatory scrutiny. If companies believe there is no obligation to disclose under state law, they will likely decide the breach was not “material” and not deserving of a disclosure under securities laws. Importantly, most companies believe they will be treated not as the victim of a breach, but rather as a perpetrator. These factors explain why we only hear of breaches involving consumer information instead of breaches involving the theft of intellectual property or security protocols.

Topic 6: Materiality: Black and White or Grey?

The SEC acknowledged that cyber risks are unique, and an unmovable definition of the term “materiality” is not necessarily useful. The SEC solicited input on how it can work with the private sector to develop a workable standard. Panel members suggested that investors should not focus on cyber risks, i.e., stock prices don’t take a real hit after a breach, so mandating more disclosures is not appropriate. A concern is that the increased disclosures will subject companies to expensive lawsuits and regulatory reviews, which do impact stock prices.

Moderator: Keith Higgins, Director, Division of Corporation Finance, SEC

Panelists:

  • Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, Inc.
  • David Burg, Global and U.S. Advisor Cyber Security Leader, PricewaterhouseCoopers LLP
  • Roberta Karmel, Centennial Professor of Law, Brooklyn Law School
  • Jonas Kron, Senior Vice President, Director of Shareholder Advocacy, Trillium Asset Management LLC
  • Douglas Meal, Partner, Ropes & Gray LLP
  • Leslie T. Thornton, Vice President and General Counsel, WGL Holdings, Inc. and Washington Gas Light Company

Live Updates of Today’s SEC Cybersecurity Roundtable

Today, the SEC is hosting a Cybersecurity Roundtable—in person and via webcast—to discuss cybersecurity and the challenges and issues it raises. The Roundtable will have four panels, each with distinguished panelists. We are blogging live to provide updates to our readers, so stay tuned throughout the day to get updates on each panel.

First Panel: “Cybersecurity Landscape”

The panelists began by generally discussing the three main areas of cybersecurity: the cyber attackers themselves, how to remain vigilant/incident management, and the ability to remain resilient against attacks. The panelists emphasized the importance of bringing everyone (agencies, government, and companies) together to thwart attacks. They noted that the private sector is at the front line for attacks and for defense.

Next, the panelists discussed the types of threats and challenges that companies currently face. They noted that although there has been a wide array of attacks, most of the focus, including the President’s focus, has been on critical infrastructure since it presents the gravest national danger. Banking has been the most attacked industry, followed by energy, because they not only have a significant level of money involved, but also represent our nation. As a result, they noted that critical infrastructure is way ahead of most companies in its cybersecurity initiatives. Regarding the current challenges, companies should be looking to three questions:

  • How do I figure out what I really need to protect, since I can’t protect everything?
  • How do I manage access to my information by third parties, i.e., vendors and professional services?
  • How do I monitor what is supposed to be protecting the company?

The panel then focused on the board of directors, emphasizing that the board needs to be involved and that there needs to be continuous monitoring with a multi-layered approach. They noted that this will of course take a lot of work and people. Only 1% of boards have someone who is cyber-proficient; as a result, the panelists focused on the importance of boards knowing what questions to ask, having a plan in place, practicing that plan, and continually communicating with those dealing with cybersecurity issues. It was also noted that management needs to make sure that there is a culture in place so that everyone is part of the cyber risk plan, because this is a business issue that requires a top-down approach. One panelist stated that boards with the best practices are getting outside expertise to deal with cybersecurity.

The panelists continued with a discussion on the state of preparedness. They again all focused on the need to share information, and that the financial services industry is probably the most advanced in cybersecurity. But, companies can never be 100% prepared, because there is always something new on the horizon. So, companies just have to stay on top of things and keep building safety devices, because “the DNA of a threat is never the same.”

Finally, the panel looked at protecting access and how to facilitate more productive dialogue between interested constituencies. The panelists talked about the Executive Order and the NIST Framework, noting that the NIST Framework is not a checklist per se because you can’t get “framework compliant.” And, right now, there are real barriers preventing government and the private sector from working together because of the lack of clarity on what information can be shared. Currently, companies do not share because they are afraid of incurring risks. The panelists discussed options for having an industry group that aggregates information and shares it with the industry anonymously, and the need to have legislation in place to determine when companies can share information without risk. The panelists stated that there are barriers to sharing on many levels: government to private sector; private sector to government; between government agencies; between governments; and between private sector companies. Barriers need to be identified in each lane of communication so they can be eliminated one by one. No one legislative solution will work.

The panelists concluded by focusing on the ever-evolving nature of the cyber threat: what is known today will be different from tomorrow. Thus, we should just go back to the basics—are we already thinking of our business preparedness in a way that we can get to the cyber problem before it becomes an issue?

Moderators: Thomas Bayer, Chief Information Officer; Keith Higgins, Director, Division of Corporation Finance; James Burns, Deputy Director, Division of Trading and Markets

Panelists:

  • Cyrus Amir-Mokri, Assistant Secretary for Financial Institutions, Department of the Treasury
  • Mary E. Galligan, Director, Cyber Risk Services, Deloitte & Touche LLP
  • Craig Mundie, Member, President’s Council of Advisors on Science and Technology; Senior Advisor to the Chief Executive Officer, Microsoft Corporation
  • Javier Ortiz, Vice President, Strategy and Global Head of Government Affairs, TaaSera, Inc.
  • Andy Roth, Partner and Co-Chair, Global Privacy and Security Group, Dentons US LLP
  • Ari Schwartz, Acting Senior Director for Cybersecurity Programs, National Security Council, The White House
  • Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology
  • Larry Zelvin, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security

SEC Sets Agenda and Identifies Panelists for Its Cybersecurity Roundtable

By Steven Caponi

In February, the U.S. Securities and Exchange Commission (“SEC”) announced its intention to hold a March 26, 2014 roundtable addressing cybersecurity issues facing market participants and public companies. In the past few days, the SEC finally released the agenda and panelists for the roundtable. The event will be held at the SEC’s headquarters in Washington, D.C., and is open to the public on a first-come, first-served basis. For those unable to attend, the event will be broadcast live on the SEC website and archived for viewing at a later time.

The full day event begins at 9:30 a.m., concludes at 3:00 p.m., and will be divided into four panels:

Panel 1—The cybersecurity landscape starts at 9:30 a.m. and will be moderated by Thomas Bayer, Chief Information Officer; Keith Higgins, Director, Division of Corporation Finance; and James Burns, Deputy Director, Division of Trading and Markets.

Panel 2—Cybersecurity disclosure issues faced by public companies starts at 10:40 a.m. and will be moderated by Keith Higgins, Director, Division of Corporation Finance.

Panel 3—Cybersecurity issues faced by exchanges and other key market systems starts at 12:45 p.m. and will be moderated by James Burns, Deputy Director, Division of Trading and Markets.

Panel 4—A discussion of how broker-dealers, investment advisers, and transfer agents address cybersecurity issues, including those involving identity theft and data protection will start at 1:45 p.m. This panel will be moderated by David Grim, Deputy Director, Division of Investment Management; James Burns, Deputy Director, Division of Trading and Markets; and Andrew Bowden, Director, Office of Compliance Inspections and Examinations.

The complete agenda and list of panelists for the roundtable can be viewed here.

The House Advances Cybersecurity Legislation?

By Steven Caponi

Despite the steady increase of cyber crime, the public recognition of the threat and a steady clamoring for legislation addressing the threat, Washington has yet to meaningfully respond. This is not surprising, given the increasing levels of partisanship and heated fights over even mundane issues. In this environment, the House Homeland Security Committee’s (“HSC”) October 29, 2013 approval of two bills, H.R. 3107 and H.R. 2952, falls into the category of “be thankful for small miracles.” While not the comprehensive or even meaningful action sought, the bills are a step in the right direction—a step that will hopefully lead to bigger and bolder action in the future.

Contrary to its current title, the “Homeland Security Cybersecurity Boots-on-the-Ground Act,” H.R. 3107 does not directly address cybersecurity or put additional “boots on the ground.”  Rather, the bill directs the Department of Homeland Security (“DHS”) to develop uniform job titles, long-term hiring strategies, and training regimens commensurate with the cybersecurity threat.  Specifically, H.R. 3107 directs the Secretary of Homeland Security to develop:

  • occupation classifications for individuals performing activities in furtherance of the cybersecurity mission of DHS, and to ensure that such classifications may be used throughout DHS and are made available to other federal agencies;
  • a workforce strategy that enhances the readiness, capacity, training, recruitment, and retention of the DHS cybersecurity workforce, including a multi-phased recruitment plan and a 10-year projection of federal workforce needs; and
  • a process to verify that employees of independent contractors who serve in DHS cybersecurity positions receive initial and recurrent information security and role-based security training commensurate with assigned responsibilities.

The bill also requires the DHS Chief Human Capital Officer and Chief Information Officer to assess the readiness and capacity of DHS to meet such mission; and the Secretary to provide Congress with annual updates regarding such strategies, assessments, and training.  At first glance, H.R. 3107 will be of greater interest to human resource officers than chief information security officers.

H.R. 2952, dubbed the Critical Infrastructure Research and Development Advancement Act, comes closer to addressing current needs by focusing the Homeland Security Act of 2002 on critical infrastructure.  Unfortunately, this bill also addresses long-term planning and process more than it addresses immediate needs.  On the positive side, the bill does directly require the Science and Technology Directorate to develop, within 180 days, a strategic plan to guide “the overall federal physical security and cybersecurity technology research and development efforts for protecting critical infrastructure.”  Providing some insight into the thinking in Congress, the bill requires that the strategic plan include specific elements such as:

  • An identification of critical infrastructure security risks and the associated security technology gaps.
  • A set of critical infrastructure security technology needs that is prioritized based on risk and gaps identified under paragraph.
  • An identification of laboratories, facilities, modeling, and simulation capabilities that will be required to support the research, development, demonstration, testing, evaluation, and acquisition of the security technologies.

Like its sister bill, H.R. 2952 has a reporting requirement directing the Secretary for Science and Technology to report to Congress on DHS utilization of “public-private research and development consortiums for accelerating technology development for critical infrastructure protection.”

While not the comprehensive solution so many are seeking, these two bills prove that some in Congress are willing to address this important issue.  Hopefully the bills portend a new level of cooperation in Washington that is built on the need to address the growing cybersecurity threat.

Cybersecurity Reform Derailed by Snowden and Budget Battles

By Steven Caponi

This year began with a massive security leak by Edward Snowden, then turned to talk of war with Syria, and now looks to be ending in a budget stalemate that has all but crippled the federal government.  In the face of these events, it is no surprise that meaningful cybersecurity reform legislation is unlikely to make its way into law.  The lack of progress comes a year after the failed effort to advance cybersecurity reform, and months after President Obama called on lawmakers to advance legislation.  The tepid pace of reform seems unlikely to change despite the continuing assault on our nation’s IT infrastructure by the Chinese, Iranians, and Syrians.

The fate of cybersecurity reform continues to be bogged down by lingering disputes over protections for information sharing, litigation reform, and privacy standards.  Earlier this year, the House passed the Cyber Intelligence Sharing and Protection Act (“CISPA”).  The bill went nowhere after drawing objections from Senate Democrats and the White House, who backed a different bill but failed to woo skeptical Republicans and critical interest groups.  For its part, the Senate has yet to draft a major cybersecurity bill.

Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.), who led the Senate’s intelligence efforts, have not released a draft bill, despite extensive negotiations.  Instead, they have been preoccupied with the fallout from Snowden’s surveillance leaks and the debate over reforming the National Security Agency.  On a substantive level, Chambliss acknowledged that a major hang-up is the fight over lawsuit immunity for companies that act on government data that proves to be incorrect.

As for the House, there have been efforts to modify CISPA to overcome the Democrats’ concerns and to secure additional support.  Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) tightened CISPA’s privacy protections, but remained unable to obtain support from the Administration and Senate Democrats.  Rep. Adam Schiff (D-Calif.), a member of the House Intelligence Committee, noted “I do think we’ve been too slow to deal with this issue,” and that it has been “much more difficult” to pass cybersecurity legislation for reasons including Snowden’s leaks.

For its part, the White House is too preoccupied with the budget stalemate to spend its precious resources on cybersecurity legislation.  “The most important thing that Congress can do for the nation’s cybersecurity right now is to fund the entire government, including cybersecurity missions and operations,” a White House spokesman said.

Giving little room for optimism, when asked if a cybersecurity bill would become law this year, Rogers stated, “You might not expect it, but you ought to pray for it.”

To read more on delayed cybersecurity reform, click here for an article by Politico.