This document proposes legislation for proactive cyber security measures in the private sector. It summarizes and analyzes two existing bills, H.R. 1704 and H.R. 1584, which aim to address cyber security but are reactive in nature. The document finds gaps in these bills and proposes new legislation. It suggests designating the Federal Trade Commission as the regulatory authority for the private sector. The new legislation would mandate proactive requirements like regular cyber risk assessments and data classification policies to better protect confidential data prior to a breach.
American Military University
Proactive Cyber Security Bill for Data Confidentiality in the Private
Sector
To
School of Security and Global Studies
American Public University System
By
CPT Matthew C. Kurnava
Homeland Security Program/Cyber Security Concentration
Arlington, VA
May 29, 2016
TABLE OF CONTENTS
I. INTRODUCTION AND PROBLEM STATEMENT
II. RESEARCH QUESTION
III. HYPOTHESIS
IV. RESEARCH METHODOLOGY
V. LEGISLATION REVIEW
VI. BILL PROPOSITION
VII. CONCLUSION
"We're trying to remain profitable for our shareholders… So, you make risk-based decisions: What're the most important things that are absolutely required by law?"
Jason Spaltro, 2007, former Senior Vice President of Information Security, Sony Pictures
I. INTRODUCTION AND PROBLEM STATEMENT
Many Americans assume that when they purchase an item from a store with a bank card, the data (the bank card number) is protected and the merchant has put proper cyber security measures in place. However, there is no general federal law requiring the private sector to take proactive measures to ensure that the data is protected. Any protective measures taken are at the discretion of the business, with very little or no oversight. There is a need for a comprehensive cyber security law that addresses both the proactive and the reactive measures necessary for the protection of confidential data in the private sector. Two legislative measures were recently introduced in Congress to address confidentiality in cyber security: H.R.1704 - Personal Data Notification and Protection Act of 2015 and H.R.1584 - The CARDER Act of 2015.
Problem Statement: This research is important because it will analyze H.R. 1704 and H.R. 1584 and address any gaps discovered in that analysis.
II. RESEARCH QUESTION
I will attempt to answer the following question: Do H.R. 1704 and H.R. 1584 comprehensively address the issues of cyber security for the private sector with regard to protecting the confidentiality of individuals' information in a data breach?
Secondary Questions:
1. Are the two measures proactive or reactive in protecting the confidentiality of individuals involved in a data breach?
2. What additional legislation could address any gaps found in H.R. 1704 and H.R. 1584?
III. HYPOTHESIS
H.R. 1704 and H.R. 1584 both propose cyber security solutions involving the protection of the confidentiality of individuals involved in a data breach. However, I propose that significant gaps will be identified in this legislation and that additional legislation will have to be included to make up for the common deficiencies found in both bills.
IV. RESEARCH METHODOLOGY
The research method is a Qualitative Analytical Study. This will be completed by:
1. Decompose the problem into the right sub-problems.
2. Find the root causes of each sub-problem.
3. Find the high leverage points for resolving each root cause.
4. Find the solutions for pushing on the high leverage points.1
1. Thwink, Analytical method - tool/concept/definition (2014), http://www.thwink.org/sustain/glossary/AnalyticalMethod.htm.
In this paper the independent variable is the confidentiality of public and private sector information being maintained during a data breach. The dependent variable is legislation from Congress addressing how to maintain confidentiality for the private sector.
V. LEGISLATION REVIEW
H.R.1704 - Personal Data Notification and Protection Act of 2015 [114th Congress (2015-2016)]
Background
Rep. James Langevin introduced H.R.1704 in the House of Representatives on March 26, 2015, and it was then referred to several committees for review.2 The last action on the bill was a referral to the Subcommittee on the Constitution and Civil Justice on April 29, 2015.3 The focus of the bill is to create a National Data Breach Notification Standard (NDBNS). It requires any business that handles sensitive personally identifiable information about more than 10,000 individuals in a 12-month period to promptly notify each affected individual when that information is compromised in a cyber security breach. The enforcing body of the NDBNS would be the Federal Trade Commission, acting under the same authority as the Federal Trade Commission Act (15 U.S.C. 41 et seq.).4
How would enacting H.R. 1704 have improved cybersecurity?
The intent of information security is to protect information through the information security triad (confidentiality, integrity, and availability). In cyber security, this is the protection of data from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability in cyberspace.5 H.R. 1704's intent is to address the problem that occurs when a cyber breach breaks confidentiality. When an attacker breaches a system, the information it contains is compromised, and any Personally Identifiable Information (PII) it holds (bank account numbers, social security numbers, addresses, etc. of employees and customers) is available to the attacker. H.R. 1704's intent is to create a mandatory requirement that businesses contact affected individuals in a timely manner to let them know that a breach has occurred and their information has been compromised.
2. James Langevin, Actions - H.R.1704 - 114th Congress (2015-2016): Personal Data Notification and Protection Act of 2015 (Apr. 29, 2015), https://www.congress.gov/bill/114th-congress/house-bill/1704/all-actions?overview=closed.
3. Ibid.
4. Ibid.
What related cyber issues did H.R. 1704 fail to address?
H.R.1704 seeks to notify individuals only after a cyber breach has occurred. It does not address any proactive measures for confidentiality protection. The legislation does not mandate quarterly or semiannual risk and vulnerability assessments prior [emphasis added] to a breach; it only considers exempting a business from notification if a risk assessment following the breach meets the FTC's expectations. Risk assessments and cyber vulnerability assessments are valuable tools for protecting data and ensuring the confidentiality of data and information prior to a cyber breach. H.R.1704 does not address their implementation, nor does it give the Federal Trade Commission (FTC) or any other appropriate authority the ability to regulate the maintenance of periodic vulnerability and risk assessments. This is a significant void in the legislation that should be addressed.
5. Margaret Rouse et al., What is confidentiality, integrity, and availability (CIA triad)? - definition from WhatIs.com (WhatIs.com Nov. 2014), http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA.
H.R.1584 - CARDER Act of 2015 [114th Congress (2015-2016)]
• Background
Rep. James Langevin introduced H.R. 1584, the Cybercrime Anti-Resale Deterrent and Extraterritoriality Revision (CARDER) Act of 2015, on March 24, 2015.6 The last action on this bill was a referral to a committee on Dec 2, 2015. It amends 18 U.S. Code § 1029 (Fraud and related activity in connection with access devices), subsection (h). The focus of the bill is to make it easier to prosecute criminals who trade stolen credit cards.7 This increases law enforcement's ability to pursue the original hackers who stole the numbers, including hackers who reside outside the United States but whose offense involves access devices within the jurisdiction of the United States, thus giving the United States extraterritorial jurisdiction to prosecute. The amendment removes 18 U.S. Code § 1029(h)(2).
• How would enacting H.R. 1584 have improved cybersecurity?
This bill also focuses on information cyber security and confidentiality protection. The elimination of 18 U.S. Code § 1029(h)(2) removes the requirement that the stolen articles or proceeds be transferred through or held within U.S. jurisdiction. With this removal, it is easier to prosecute based solely on the requirement that the offense involves an access device "issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity within the jurisdiction of the United States".8 This is significant: an additional requirement that prevents prosecution enables hackers and card traders to continue their illegal operations, stealing cards, codes, identification numbers and other articles and committing more crime. The removal of paragraph (h)(2) eliminates the red tape in prosecuting those criminals for violating the confidentiality of citizens' bank accounts and identities. In doing so, the bill helps remove criminals who would otherwise continue to break the confidentiality of consumers in cyberspace.
6. James Langevin, H.R.1584 - 114th Congress (2015-2016): CARDER Act of 2015 (Feb. 12, 2015), https://www.congress.gov/bill/114th-congress/house
7. Langevin unveils package of consumer protection legislation (Apr. 7, 2015), https://langevin.house.gov/press-release/langevin-unveils-package-consumer-protection-legislation.
8. 18 U.S. Code § 1029 - Fraud and related activity in connection with access devices (LII / Legal Information Institute Oct. 12, 1984), https://www.law.cornell.edu/uscode/text/18/1029.
• What related cyber issues did H.R. 1584 fail to address?
The bill does not broach or identify any mandated consumer protection measures (for example, required protective software). While it may make prosecution of the crime easier, it is only a Band-Aid; it does nothing to prevent the crime from occurring in the first place. Currently there is no legislation addressing consumer cyber-confidentiality protection. H.R. 1584 is a reactive bill: it changes statutory language to make prosecution easier and help catch criminals. It does not take a proactive stance on protecting the confidentiality of the articles it discusses (i.e. credit cards). The bill may increase the number of prosecuted hackers and credit card thefts; it says nothing about preventing the theft in the first place. Proactive methods of preventing credit card numbers from being hacked, stolen and then traded, including risk assessment, are not mentioned.
VI. BILL PROPOSITION
Establishing an Authority (Private Sector)
Public sector regulation is not the issue; government agencies can enforce regulation on themselves with little effort. Implementing a regulatory authority for the private sector is more difficult because these are private organizations and businesses whose day-to-day operations are not under direct government control. Legislation on the private sector is hard to pass, but because private companies can put consumer data at risk, there must be a regulatory authority to implement a protective policy.
Figure: Hydroelectric system entry point (OccupyTheWeb 2015)
The legislation review has shown that legislation for cyber confidentiality has resulted in reactive legislation for the end user rather than comprehensive legislation addressing both proactive and reactive solutions to cyber confidentiality protection.
Currently there is an abundance of reactive cyber security laws. As of October 2015, "47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of data breach notification laws."9
While these laws perform a great service to those affected by a cyber-attack, there are currently no laws mandating proactive measures at a national level. It is hard to enforce cyber security policy in a proactive way; however, the government can impose consequences on private sector companies when their cyber security policies and programs fail to protect consumers or mislead them. This is evident in the case of Federal Trade Commission (FTC) v. Wyndham Worldwide:
…the US Court of Appeals for the Third Circuit upheld the FTC's authority to enforce a claim for unfair practices. The FTC had, inter alia, alleged that the company, which experienced three cyber-attacks resulting in a theft of consumer data, had not used commercially reasonable methods for protecting consumer data and overstated its cybersecurity protections in its published privacy policy. The decision recognizes the FTC's authority to bring enforcement actions for what it deems are "unfair cybersecurity practices."10
9. MP015649, Proactive Approach To Cybersecurity: Recent SEC Guidance And Enforcement Actions Suggest That Reactive Firms May Be In The SEC's Crosshairs (2015).
10. Ibid., 6.
The issue is not whether the FTC has the ability to impose consequences; as this case shows, it has that authority when a company fails to provide adequate cyber security. The issue is that there is no legislation that would require that company to take proactive, preventive measures against the attacks it suffered.
Currently the laws within the United States comprise a multitude of varying privacy laws, but there is no comprehensive data protection law and no single authority that presides over data protection in the United States.11 While this may be so, in private industry the FTC can serve in this role if required or mandated. The FTC's mandate comes from 15 U.S. Code § 45 - Unfair methods of competition unlawful; prevention by Commission, which states in subsection (a)(1) that "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."12
This provides a regulatory authority for the private sector when it comes to privacy enforcement. The law does not give the FTC direct fining authority for a first violation, but it does give the FTC the ability to bring enforcement actions and, as a result of those actions, place delinquent companies under consent decrees. When a company violates a consent decree,13 the FTC can then seek fines against the company.14
The FTC has the ability to prohibit unfair or deceptive acts or practices that affect the buying or selling of goods or services. This relates to cyber security because when data is not protected appropriately and consumer or merchant PII is at risk, the theft or exposure of that private data may result in a financial loss affecting commerce. For example, if a major company such as Target does not have adequate cyber security measures and a cyber-attack steals the PII of millions of its customers, both the customers and Target suffer financial losses, from the theft itself and from the recovery effort (cyber investigations cost money) that follows the attack. Accordingly, if the attack was the result of an inadequate cyber security program, the FTC can follow through with enforcement actions. As a result, the FTC is the best regulatory authority for data privacy enforcement in the private sector, without forming a new organization.
11. Yoon et al., Data Protection and Privacy in 26 Jurisdictions Worldwide (2014), 191.
12. 15 U.S. Code § 45 - Unfair methods of competition unlawful; prevention by Commission (LII / Legal Information Institute Aug. 23, 1958), https://www.law.cornell.edu/uscode/text/15/45.
13. A settlement contained in a court order.
14. Yoon et al., Data Protection and Privacy in 26 Jurisdictions Worldwide (2014).
Establishing Private Sector Proactive Measures
As previously stated, this analysis concentrates on the private sector because the public sector can (and does) implement proactive regulation under its own agency authority. Reactive measures are already in place and should be retained in any new proposed legislation. What is lacking in legislation is proactive measures. New legislation would involve regulatory action required prior [emphasis added] to a cyber-attack. This would include requiring companies to perform certain actions to protect their systems containing the PII of their employees and/or customers. While this is not a fool-proof solution, any action regulated prior to a cyber-attack would benefit businesses and the private sector overall. Certain proactive measures provide better protection than others, and because the requirement would span the entire private sector, the minimum requirement should be of high quality and cost effective. Most cyber security program policies fall upon the company itself, but there are constants that can be mandated by regulation and implemented without a hefty price tag. These constants include Cyber Risk Assessments, Data Classification Policies and a PII Policy.
Cyber Risk Assessments. The National Institute of Standards and Technology (NIST) provides, in the Risk Assessment category of its Cybersecurity Framework, a stepped process for how a risk assessment should be performed,15 and these steps can be transferred to the private sector as the minimum requirements for a risk assessment. These steps are:
1. Identify and Document Asset Vulnerabilities
2. Identify and Document Internal and External Threats
3. Acquire Threat and Vulnerability Information from External Sources
4. Identify Potential Business Impacts and Likelihoods
5. Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts
6. Identify and Prioritize Risk Responses
This is a process that can be mandated for all businesses. It also leaves businesses free to decide how best to accomplish the risk assessment based on their size and fiscal value. Larger companies with a larger employee and customer base will be able to assess risk and use the risk management resources appropriate to the requirement and the needs of a larger organization. A small business, in the same respect, will be able to meet the requirement with less costly resources.
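As an added illustration (not part of the paper, and not NIST's own tooling), the six steps above can be run as a small risk register: vulnerabilities are recorded per asset, threats are attached to each asset, an external advisory feed raises the likelihood of anything reported as actively exploited, enterprise risk is scored as likelihood times impact, and the responses come back in priority order. The asset names, weaknesses, threat list, advisory feed, the 1-3 scales and the response thresholds are all constructed assumptions of the example, not values from the framework.

```python
"""Added example (not from the paper or NIST): a minimal cyber risk register that
walks the six risk assessment steps listed above. All assets, weaknesses, threats
and external intelligence below are constructed sample data."""
from dataclasses import dataclass

# Ordinal 1-3 scales and response thresholds are assumptions of this example.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    asset: str        # system holding or processing PII
    weakness: str     # documented vulnerability on that asset
    likelihood: str   # how likely exploitation is, before external intel
    impact: str       # business impact if the weakness is exploited


# Step 1: identify and document asset vulnerabilities (constructed sample data).
REGISTER = [
    Finding("pos-terminal", "unpatched card-reader firmware", "medium", "high"),
    Finding("hr-database", "shared admin password", "high", "high"),
    Finding("marketing-site", "outdated CMS plugin", "high", "low"),
]

# Step 2: identify and document internal and external threats, keyed by asset.
THREATS = {
    "pos-terminal": ["external: card-skimming malware"],
    "hr-database": ["internal: disgruntled employee", "external: credential stuffing"],
    "marketing-site": ["external: website defacement"],
}

# Step 3: threat and vulnerability information from external sources, e.g. an
# advisory feed saying which weaknesses are being exploited in the wild.
EXTERNAL_INTEL = {"unpatched card-reader firmware": "actively exploited"}


def assess(register=REGISTER, threats=THREATS, intel=EXTERNAL_INTEL):
    """Steps 4-6: estimate likelihood and impact, raise likelihood when external
    intel reports active exploitation, compute enterprise risk as
    likelihood x impact, and return the findings ordered for response."""
    results = []
    for f in register:
        likelihood = LIKELIHOOD[f.likelihood]
        if intel.get(f.weakness) == "actively exploited":
            likelihood = min(likelihood + 1, 3)   # step 3 feeds step 4
        score = likelihood * IMPACT[f.impact]      # step 5: enterprise risk
        if score >= 6:
            response = "mitigate now"
        elif score >= 3:
            response = "schedule remediation"
        else:
            response = "accept and monitor"
        results.append({
            "asset": f.asset,
            "weakness": f.weakness,
            "threats": threats.get(f.asset, []),
            "score": score,
            "response": response,
        })
    # Step 6: prioritise risk responses, highest enterprise risk first
    # (sorted() is stable, so equal scores keep their register order).
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in assess():
        print(f'{row["score"]:>2}  {row["asset"]:<15} {row["response"]:<22} {row["weakness"]}')
```

Running it shows why step 3 matters: the POS terminal starts at medium likelihood, but the advisory feed lifts it to the same priority as the shared admin password, which a scoring pass without external intelligence would rank a tier lower.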
Data Classification Policies. A data classification policy gives the company the ability to handle data properly according to the risk that data poses to the company if it is exposed. The classification of the data is relative to the business. The point of mandating it in legislation is to ensure one is in place as a protective measure for the company, its employees and its consumers. Typically, businesses use public, business only, and confidential as data classifications.16 While this is good general business practice, some companies do not have a classification system at all. A proper classification policy helps prevent the improper release of information that could be accessed in a data breach if it is not properly stored and maintained. While a classification system relates more to information management, it is directly applicable to protecting data from a cyber breach. Information management covers physical as well as cyber data, but a breach of cyber data can be the result of improper information management, and a classification policy can help prevent cyber data from being exploited by outsider and insider threats.
15. Steven Chabinsky, Best practices for conducting a cyber risk assessment (Nov. 2, 2015), http://www.securitymagazine.com/articles/86754-best-practices-for-conducting-a-cyber-risk-assessment.
PII Policy. Protection of PII is essential in personal data protection policy development. The public sector has regulations regarding the protection of PII, protecting critical information (i.e. Social Security Numbers, health data, bank account numbers). However, these requirements are spread across different laws, and each references only certain sectors, as noted by Ms. Virginia Jones:
The laws apply to particular private or government sectors, and most of the laws include penalties for non-compliance. Some laws pertain only to government, some only to certain levels or sectors of government, and some only pertain to certain sectors of business such as finance, banking, medical, and telecommunications. Each organization must determine which laws apply to them.17
Having some [emphasis added] PII protection policy is not the issue; the issue is that there is no comprehensive law and no PII policy targeted specifically at private sector cyber data. In order to protect PII cyber data, a PII policy must be developed that protects PII on cyber data systems and protects how it is transmitted.
A PII policy in legislation should be modeled after PII procedures already in use in the public sector. The Department of Homeland Security (DHS) already has a handbook on PII identification and protection procedures that can be used as a base model for any legislation development. The 2012 Handbook for Safeguarding Sensitive Personally Identifiable Information18 provides "step by step guidance on identifying PII"19 and instructions on "Encrypting Sensitive PII, Securing Sensitive PII when not in use and Disposing of Sensitive PII".20 This handbook can serve as the backbone for the development of a PII policy under a comprehensive law.
16. Bill Hayes, Tips for creating a data classification policy (SearchSecurity Jul. 2015), http://searchsecurity.techtarget.com/feature/Tips-for-creating-a-data-classification-policy.
17. Virginia A. Jones, Requirements for Personal Information Protection Part 1: U.S. Federal Law, the Metropolitan New York City Chapter of ARMA International (2008).
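To make the handbook's three instructions concrete, and to show how they connect to the public / business-only / confidential scheme discussed under Data Classification Policies, here is an added example (not the paper's, and not DHS's material) of a small policy engine. It identifies Sensitive PII fields in a record by field name or by the shape of the value, classifies each field, and applies a handling rule: protect the value at rest, mask it when it is written to logs, and flag it for disposal once its retention period has passed. The field names, regular expressions, retention periods, sample record and key are assumptions of the example; the keyed pseudonym stands in for encryption at rest because the example uses only the standard library, so a real deployment would substitute a proper cipher and key store.

```python
"""Added example (not from the paper or DHS): identify Sensitive PII in a record,
classify each field, and apply handling rules for storage, logging and disposal.
Field names, patterns, retention periods, sample data and the key are assumptions."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Detection patterns (assumed; tune to the data the business actually holds).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
ACCOUNT_RE = re.compile(r"^\d{8,17}$")              # US bank account number lengths
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Field names that are Sensitive PII or PII regardless of what the value looks like.
SENSITIVE_FIELDS = {"ssn", "account_number", "health_record"}
PII_FIELDS = {"email", "address", "phone"}

# Handling rules per classification level. "confidential" corresponds to the
# handbook's Sensitive PII; the retention periods are assumptions.
HANDLING = {
    "confidential":  {"store_as": "token", "log_as": "masked", "retention_days": 365},
    "business-only": {"store_as": "plain", "log_as": "masked", "retention_days": 730},
    "public":        {"store_as": "plain", "log_as": "plain",  "retention_days": None},
}


def classify(name, value):
    """Classify one field by its name or by the shape of its value."""
    if name in SENSITIVE_FIELDS or SSN_RE.match(value) or ACCOUNT_RE.match(value):
        return "confidential"
    if name in PII_FIELDS or EMAIL_RE.match(value):
        return "business-only"
    return "public"


def mask(value):
    """Keep only the last four characters, as on a card receipt."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "****"


def tokenize(value, key):
    """Keyed pseudonym (HMAC-SHA256): records can still be matched on the field
    without the raw value being stored. This stands in for encryption at rest in
    a stdlib-only example; production code should use a real cipher and key store."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def apply_policy(record, key, last_used, today=None):
    """Return (storable copy, log-safe copy, fields due for disposal)."""
    today = today or date.today()
    stored, logged, dispose = {}, {}, []
    for name, value in record.items():
        text = str(value)
        rule = HANDLING[classify(name, text)]
        stored[name] = tokenize(text, key) if rule["store_as"] == "token" else value
        logged[name] = mask(text) if rule["log_as"] == "masked" else value
        if rule["retention_days"] is not None and \
                today - last_used > timedelta(days=rule["retention_days"]):
            dispose.append(name)
    return stored, logged, dispose


# Constructed sample record; the key is a placeholder, not a real secret.
SAMPLE = {"name": "Ada", "ssn": "123-45-6789", "email": "ada@example.com",
          "account_number": "000123456789"}
SAMPLE_KEY = b"assumed-example-key"

if __name__ == "__main__":
    stored, logged, dispose = apply_policy(SAMPLE, SAMPLE_KEY,
                                           last_used=date(2016, 1, 1),
                                           today=date(2017, 6, 1))
    print("store  :", stored)
    print("log    :", logged)
    print("dispose:", dispose)
```

The two-pronged classification is deliberate: a field named `ssn` is confidential even if a value is malformed, and a bare twelve-digit string in an unnamed "notes" column is still caught by its shape, which is the case that silently leaks in a breach when classification depends on schema alone.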
Data protection requires proactive [emphasis added] and reactive legislation. United States cyber laws focus on reactive policies, but comprehensive data protection requires a proactive policy as well; otherwise, instead of preventive measures taken prior to an attack, there will only be reaction to an attack. Proactive measures must include Cyber Risk Assessments, Data Classification Policies and a PII Policy.
VII. CONCLUSION
The research shows that the hypothesis was correct: H.R. 1704 and H.R. 1584 do not provide a comprehensive policy for protecting confidentiality in a data breach. Both bills focus on reactive policies and do not include proactive policies. In answering the research question, whether H.R. 1704 and H.R. 1584 comprehensively address the issues of cyber security for the private sector with regard to protecting the confidentiality of individuals' information in a data breach, the research shows that they do not and that they do not form a comprehensive policy. Both focus on reactive cyber policy solutions regarding data confidentiality. However, a comprehensive policy has to include a proactive policy. In determining a proactive policy, a regulatory authority for the private sector has to be determined. Public sector agencies have regulating authorities designated by their parent agency; however, there is no private sector regulating authority. Because the FTC already works in close proximity to the private sector under 15 U.S. Code § 45, the FTC would be the most appropriate regulatory authority for the private sector. Public sector regulatory authorities would remain the same. The comprehensive policy would include the already established reactive measures but would also add proactive measures. This proactive legislation would include Cyber Risk Assessments, Data Classification Policies and a PII Policy for the private sector, while the public sector would retain the policies developed through its respective agencies.
18. US Department of Homeland Security and DHS Privacy Office, Handbook for Safeguarding Sensitive Personally Identifiable Information (2012).
19. Ibid.
20. Ibid.
Legislation to improve cyber policy has been introduced in the House and Senate frequently over the past two decades, but it very rarely becomes law. Most of it dies in committee when the Congress ends: many bills are sent to committees for review and are not reintroduced in the new Congress. There are plausible reasons for this. Cyber security is still new, and while its complexities remain unfamiliar, representatives are timid about taking action when a new bill hits the floor. This timidity, due to lack of education, can stall a bill from becoming law no matter how comprehensive the cyber bill is. Technology also advances far faster than legislation, which adds to the timidity in passing a bill. Regardless of the reasoning, there is a significant need for a comprehensive bill that includes both proactive and reactive measures. H.R. 1704 and H.R. 1584 do not provide an overall solution for protecting the confidentiality of consumer data. The public sector already addresses proactive measures regardless of legislation, but there is a huge gap in protecting the private sector. The proactive measures discussed above could be added to future legislation in order to provide proactive cyber security for data confidentiality in the private sector. Hopefully, this can be accomplished sooner rather than later, before another significant data breach occurs.