On May 12, 2011, the White House issued a press release and sent a package of legislative proposals to Congress outlining the Administration’s recommendations to enhance protection of the American people, federal systems, and critical infrastructures from cyber attacks. Senate Majority Leader Harry Reid welcomed the proposal, which came in response to a request from Reid and fellow Senators for the Administration’s input on federal cybersecurity legislation. In his statement, Sen. Reid says that he hopes to pass legislation on this topic this summer.
The White House proposal addresses a broad range of cyber issues. The legislative package includes:
- Federal data breach legislation, which would pre-empt existing breach laws in 47 states and give rulemaking and enforcement authority primarily to the Federal Trade Commission, with no private right of action. The legislation also provides a safe harbor from notice requirements if a risk assessment finds that there is no reasonable risk of harm. A breach would include employee access to sensitive personal information in “excess of authorization.”
- Updates to Section 1030 of Title 18, the Computer Fraud and Abuse Act, which would allow RICO to be used for 1030 violations and would rationalize and enhance penalties for those violations.
- New and more formalized authority for DHS to regulate “critical infrastructures.” The legislation creates criteria for use by the Secretary to designate critical infrastructures and establishes a series of new requirements for covered entities. These requirements include the development of security plans, third party evaluations, reports on evaluations in annual SEC filings, and notification to DHS of any “significant” cybersecurity incidents.
- New authority for DHS to respond to cyber threats and the creation of a new Cybersecurity Center. DHS is given broad scope to respond to risks to federal systems, including the ability to conduct intercepts on communications transiting federal systems and to deploy cyber countermeasures. DHS may request the assistance of the private sector in obtaining content in transmission or storage relating to a cyber threat. The legislation also creates new provisions to allow private sector entities to share communications that were lawfully intercepted and pertain to cyber threats. Companies that provide such information in accordance with the provisions or render assistance to DHS under the section would be given immunity from suit. The proposal also includes a good faith defense for companies that rely on legislative or statutory authorizations to determine that their actions are permitted. Section 247 also pre-empts state intercept laws to the extent that they are inconsistent with the title.
- Additional provisions include measures to allow companies flexibility on which state to locate data centers in, proposals to increase qualified cyber personnel, and FOIA exemptions to facilitate industry information sharing with the government.
The Senate must reconcile these provisions with the many cybersecurity bills that have been introduced in the 111th and 112th Congresses and determine what shape the bill that ultimately goes forward will take. While there are certainly some changes recommended in the White House proposal that companies would be happy to see in a cyber bill, companies will also need to carefully evaluate how the new DHS responsibilities and regulatory requirements for critical infrastructures are likely to impact their businesses.