SlideShare a Scribd company logo

Proactive Cyber Security Bill

M
Matthew Kurnava

This document proposes legislation for proactive cyber security measures in the private sector. It summarizes and analyzes two existing bills, H.R. 1704 and H.R. 1584, which aim to address cyber security but are reactive in nature. The document finds gaps in these bills and proposes new legislation. It suggests designating the Federal Trade Commission as the regulatory authority for the private sector. The new legislation would mandate proactive requirements like regular cyber risk assessments and data classification policies to better protect confidential data prior to a breach.

1 of 16
Download to read offline
American Military University Proactive Cyber Security Bill for Data Confidentiality in the Private Sector To School of Security and Global Studies American Public University System By CPT Matthew C. Kurnava Homeland Security Program/Cyber Security Concentration Arlington, VA May 29, 2016
i TABLE OF CONTENTS i I. INTRODUCTION AND PROBLEM STATEMENT 1 II. RESEARCH QUESTION 1-2 III HYPOTHESIS 2 IV. RESEARCH METHODOLOGY 2-3 V. LEGISLATION REVIEW 3-6 VI. BILL PROPOSITION 6-12 VII. CONCLUSION 12-14
1 We're trying to remain profitable for our shareholders… So, you make risk-based decisions: What're the most important things that are absolutely required by law? Jason Spaltro, 2007 Former Senior Vice President of Information Security of Sony Pictures I. INTRODUCTION AND PROBLEM STATEMENT Many Americans assume that when purchasing an item from a store using their bank card that the data (bank card number) is protected and the merchant has completed proper cyber security measures. However, the private sector does not have a federal law requiring them to perform proactive measures to ensure the data is protected. Any protective measures performed are at the discretion of the business and there is very little or no oversight. There is a need for a comprehensive cyber security law that addresses the proactive and reactive measures necessary for the protection of confidential data in the private sector. Two legislative measures were recently introduced into Congress to address confidential measures in cyber security: H.R.1704 - Personal Data Notification and Protection Act of 2015 and H.R.1584 - The CARDER Act of 2015. Problem Statement: The research is important because it will analyze H.R. 1704 and H.R. 1584 and address any gaps that are discovered upon analyzation. II. RESEARCH QUESTION I will attempt to answer the following question: Does H.R. 1704 and H.R. 1584 comprehensively address the issues of cyber security for the private sector in regards to the protection of confidentiality of individual’s information in a data breach?
2 Secondary Questions: 1. Are the two measures proactive or reactive in protection of the confidentiality of individuals involved in a data breach? 2. What additional legislation can be included that can address any gaps found in H.R. 1704 and H.R 1584? III. HYPOTHESIS H.R. 1704 and H.R 1584 both propose solutions in cyber security involving the protection of confidentiality of individuals involved in a data breach. However, I propose that there will be significant gaps in the legislation identified and that additional legislation will have to be included to make up for the common deficiencies found in both pieces of legislation. IV. RESEARCH METHODOLOGY The research method of this research is a Qualitative Analytical Study. This will be completed by: 1. Decompose the problem into the right sub problems. 2. Find the root causes of each sub problem. 3. Find the high leverage points for resolving each root cause. 4. Find the solutions for pushing on the high leverage points.1 1 Thwink, Analytical method - tool/concept/definition (2014), http://www.thwink.org/sustain/glossary/AnalyticalMethod.htm.
3 In this paper the Independent variable is the confidentiality of public and private sectors information being maintained during a data breach. The Dependent variable is legislation from Congress addressing how to maintain confidentiality for the private sector V. LEGISLATION REVIEW H.R.1704 - Personal Data Notification and Protection Act of 2015[114th Congress (2015- 2016]  Background Rep. James Langevine introduced H.R.1704 to the House of Representatives on March 26 2015, it was then referred to several committees for review.2 The last action for the bill was a referral to the Subcommittee on the Constitution and Civil Justice on April 29, 2015.3 The focus of the bill is to create a National Data Breach Notification Standard (NDBNS). It entails that any business that has more than 10,000 employees in a 12-month period will promptly notify every individual when information is compromised during a cyber security breach. The enforcing body of the NDBNS would be the Federal Trade Commission under the same authority as the Federal Trade Commission Act (15.U.SC. 41 et seq)4  How would have enacting H.R. 1704 improve cybersecurity? The intent of information security is to protect information through the information security triad (confidentiality, integrity, and availability). In cyber security, this is the protection of cyber data from unauthorized access, use, disclosure, disruption, modification, or destruction in order to 2 James Langevin, Actions - H.R.1704 - 114th congress (2015-2016): Personal data notification and protection act of 2015 (Apr. 29, 2015), https://www.congress.gov/bill/114th-congress/house-bill/1704/all-actions?overview=closed. 3 Ibid 4 Ibid
4 provide confidentiality, integrity, and availability in cyberspace5 H.R. 1704’s intent is address the problem that occurs when a cyber breach breaks confidentiality. When a hacker breaches a system, the information contained in the system is then compromised and any Personal Identifiable Information (PII) is available to the hacker. This includes the bank account numbers, social security numbers, addresses, etc. of employees and customers. H.R. 1704’s intent is to create a mandatory law that requires businesses to contact individuals in a timely manner to let them know that their information has been compromised and a breach has occurred.  What related cyber issues did H.R. 1704 fail to address? H.R.1704 is legislation that seeks to notify only after a cyber breach has occurred. It does not address any proactive measures to implement for confidentiality protection. The legislation does not mandate quarterly or semiannually risk and vulnerability assessment prior [emphasis added] but only considers exemptions from notification if a risk assessment meets the FTC expectations. The risk assessment and cyber vulnerability assessments are valuable assets in the protection of data and insuring the confidentiality of data and information prior to a cyber breach. H.R.1704 legislation does not address the implementation of these or give the Federal Trade Commission (FTC) or any other justifiable authority the ability to regulate the maintenance of periodic vulnerability and risk assessments. This is a significant void in the legislation that should be addressed. 5 Margaret Rouse et al., What is confidentiality, integrity, and availability (CIA triad)? - definition from WhatIs.com (WhatIs.com Nov. 2014), http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA.
5 H.R.1584 - CARDER Act of 2015 [114th Congress (2015-2016)] • Background Rep James Langevin introduced H.R. 1584 Cybercrime Anti-Resale Deterrent and Extraterritoriality Revision (CARDER) Act of 2015 on March 24, 2015.6 The last action on this bill was an assignment to a committee on Dec 2, 2015. It is an amendment to 18 U.S. Code § 1029 - Fraud and related activity in connection with access devices1029, (h). The focus of the bill is to make it easier to prosecute criminals that trade stolen credit cards.7 This increases the law enforcements ability to identify the original hackers that stole the numbers. This includes hackers that may reside outside the United States but the actions occurred within the jurisdiction of the United States, thus giving the United States extraterritorial jurisdiction to prosecute. The amendment removes 18 U.S. Code § 1029 paragraph (h)2. • How would have enacting H.R. 1584 improve cybersecurity? This bill also focuses on information cyber security and confidentiality protection. The elimination of 18 U.S. Code § 1029 paragraph (h)2 removes the requirement for transfer of the stolen articles or funds through U.S. jurisdiction. With this removal, it is easier to prosecute based solely on the requirement that the offense involves an access device, “issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity within the jurisdiction of the United States”8 . This is significant, additional registration that 6 James Langevin, H.R.1584 - 114th congress (2015-2016): CARDER act of 2015 (Feb. 12, 2015), https://www.congress.gov/bill/114th-congress/house 7 Langevin unveils package of consumer protection legislation (Apr. 7, 2015), https://langevin.house.gov/press- release/langevin-unveils-package-consumer-protection-legislation. 8 18 U.S. Code § 1029 - fraud and related activity in connection with access devices (LII / Legal Information Institute Oct. 12, 1984), https://www.law.cornell.edu/uscode/text/18/1029.
6 prevents prosecution enables the hackers and traders to continue operations in illegal activities stealing cards, codes, identification numbers and other articles allowing them to commit more crime. The removal of paragraph (h)2 eliminates the red tape of prosecuting those criminals for violating the confidentiality of the citizens bank accounts and or identities. In doing so, the bill assists in the removal of criminals from continuing to break confidentiality of consumers in cyberspace. • What related cyber issues did H.R. 1584 fail to address? The mandating the requirement of identified consumer protection software is not broached or identified. This bill, while it may make the prosecution of the crime easier, is only a Band-Aid to the fixing the problem of the crime occurring in the first place. Currently there is no legislation addressing the issue of consumer cyber- confidentiality protection. H.R. 1584 is a reactive bill and changes the language in the legislation to assist in the making the prosecution easier to catch criminals. The bill does not take a proactive stance in the consumer protection of confidentiality regarding the articles discussed in the bill (i.e. credit cards). The bill may increase the amount of prosecuted hackers and credit card thefts; it says nothing in regards to prevention of the theft in the first place. Proactive prevention methods of credit card numbers from being hacked and stolen then traded is not mentioned this includes risk. VI. BILL PROPOSITION Establishing an Authority (Private Sector) Public sector regulation is not the issue; government agencies can enforce regulation with little effort. Implementing a regulatory authority for the private sector is more difficult because Figure : Hydroelectric system entry point (OccupyTheWeb 2015)
7 these are private organizations and business that do not fall under the authority of the government regarding the operations of their private business. Legislation on the private sector is hard to pass but because private companies can put consumer data at risk then there must be a regulatory authority to implement a protective policy. The legislation review has shown that legislation for cyber confidentiality has resulted in reactive legislation for the end user rather than a comprehensive legislation addressing proactive and reactive solutions to addressing cyber confidentiality protection. Currently there is an abundance of reactive cyber security laws. As of October 2015, “47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of data breach notification laws.”9 While these laws perform a great service do those affected by a cyber-attack there are currently no laws mandating proactive measures at a national level. It is hard to enforce cyber security policy in a proactive way, however the government can get involved in the consequence of private sector companies when their cyber security policies and programs fail to protect its consumers or mislead them. This is evident in the case of Federal Trade Commission (FTC) v. Wyndham Worldwide: …the US Court of Appeals for the Third Circuit upheld the FTC’s authority to enforce a claim for unfair practices. The FTC had, inter alia, alleged that the company, which experienced three cyber- attacks resulting in a theft of consumer data, had not used commercially reasonable methods for protecting consumer data and overstated its cybersecurity protections in its published privacy policy. The decision recognizes the FTC’s authority to bring enforcement actions for what it deems are “unfair cybersecurity practices.”10 9 MP015649, Proactive Approach To Cybersecurity: Recent Sec Guidance And Enforcement Actions Suggest That Reactive Firms May Be In The Sec’s Crosshairs (2015). 10 Ibid,6
8 The issue is not whether the FTC has the ability to consequence, in which as shown in this case they have that authority when the company did not provide adequate cyber security, the issue is that there is no legislation that would enforce upon that company proactive measures to provide preventive measures against the attacks that the company suffered. Currently the laws within the United States involve a multitude of varying privacy laws but there is no comprehensive data protection law and there is no single authority that presides over data protection in the United States. 11 While this may be so, in the private industry the FTC can serve in this role if required or mandated. The FTC has a requirement under 15U.S. Code § 45 - Unfair methods of competition unlawful; prevention by Commission, which states clearly as depicted in the following figure12 : This provides a regulatory authority for the private sector when it comes to privacy enforcement. The law does not give the FTC fining authority but it does give them the ability to provide enforcement actions and as a result of the enforcement actions provide delinquent companies with consent decrees. When a company violates a consent decree13 through law, then the FTC can fine the company. 14 The FTC has the ability to prohibit unfair practices that are unfair or deceptive acts that result in affecting the buying or selling of goods or services. This relates to cyber security because 11 Yoon et al., Data Protection and Privacy in 26 Jurisdictions Worldwide (2014)., 191 12 15 U.S. Code § 45 - unfair methods of competition unlawful; prevention by commission (LII / Legal Information Institute Aug. 23, 1958), https://www.law.cornell.edu/uscode/text/15/45. 13 Settlement contained in a court order 14 Yoon et al., Data Protection and Privacy in 26 Jurisdictions Worldwide (2014).
9 when data is not protected appropriately and PII is at risk for the consumer/merchant then the theft or damage of the privacy data may result in a financial loss affecting commerce. For example, when a major company such as Target does not have adequate cyber security measures and a cyber-attack steals the PII of millions of its consumers, the consumers and Target suffer a financial loss due to the theft as a result of the theft alone or the recuperative efforts (cyber investigations costs money) by the merchant following the attack. Accordingly, if the attack was the result of inadequate cyber security program then the FTC can follow through with enforcement actions. As a result, the FTC is the best authority to the private sector as a regulatory authority for data privacy enforcement, without forming a new organization. Establishing Private Sector Proactive Measures As previously stated, the private sector is concentrated on in this analysis because the public sector can (and does) implement proactive regulation on their own agency authority. Reactive measures are already in place and should be retained in any new proposed legislation. What is lacking in legislation are proactive measures. New legislation would involve regulatory action required prior [emphasis added] to a cyber-attack. This would include the requirement for companies to perform certain actions to protect their systems containing PII of their employees and/or customers. While this is not a fool proof solution, any action regulated prior to a cyber- attack would benefit to businesses and the private sector overall. Certain proactive measures provide better protection than others and because the requirement would span the entire private sector, the minimum requirement should be of high quality and cost effective. Most cyber security strategy program polices fall upon the company but there are constants that can be regulatory mandated and implemented without a hefty price tag. These constants include Cyber Risk Assessments, Data Classification Policies and PII Policy.
10 Cyber Risk and Assessments. The National Institute of Standards and Technology (NIST) provides a stepped process in how a risk assessment should be performed15 and these steps can be used to transfer to the private sector as the minimum requirements for a risk assessment. These steps are: 1. Identify and Document Asset Vulnerabilities 2. Identify and Document Internal and External Threats 3. Acquire Threat and Vulnerability Information from External Sources 4. Identify Potential Business Impacts and Likelihoods 5. Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts 6. Identify and Prioritize Risk Responses This is a process that can be mandated for all businesses. This also leaves the businesses open to decide how best to accomplish this risk assessment based on their size and fiscal value. Larger companies with a larger employee and customer base will be able to assess risk and use the appropriate risk management resourcing to meet the requirement and the needs corresponding to a larger organization. A small business, in the same respect, will be able to meet the requirement and use less fiscally costly resourcing. Data Classification Policies. Data Classification Policies provides the company the ability to properly handle data that can damage it based upon its risk that it can pose to the company. The classification of the data is relative to the business. The point of a mandated legislation is to ensure 15 Steven Chabinsky, Best practices for conducting a Cyber risk assessment (Nov. 2, 2015), http://www.securitymagazine.com/articles/86754-best-practices-for-conducting-a-cyber-risk-assessment.
11 one is in place as a protective measure to the company, its employees and its consumers. Typically, businesses use public, business only, and confidential as classification of data16 . While this is a good general business practice, there are some companies that do not have a classification system at all. A proper classification policy helps in the improper release of information that can accessed in a data breach if it is not properly stored and maintained. While a classification system is related more to information management, it is directly applicable to the protection of data information from a cyber breach. Information management involves physical data as well as cyber data, but a breach of cyber data can be the result of improper information management and a classification policy can assist in the prevention of cyber data being exploited by outsider and insider threats. PII Policy Protection of PII is essential in personal data protection policy development. The public sector has regulations regarding the protection of PII protecting the critical information (i.e. Social Security Numbers, Health Data, Bank Account Numbers). However, this is also spread across different laws throughout legislation and also only referencing certain portions of infrastructure as noted by Ms. Virginia Jones: The laws apply to particular private or government sectors, and most of the laws include penalties for non-compliance. Some laws pertain only to government, some only to certain levels or sectors of government, and some only pertain to certain sectors of business such as finance, banking, medical, and telecommunications. Each organization must determine which laws apply to them.17 Having some [emphasis added] PII protection policy is not the issue, the issue is that there is not a comprehensive law and there is not any PII policy targeted specifically for private sector 16 Bill Hayes, Tips for creating a data classification policy (SearchSecurity Jul. 2015), http://searchsecurity.techtarget.com/feature/Tips-for-creating-a-data-classification-policy. 17 Virginia A. Jones, Requirements for Personal Information Protection Part 1: U.S. Federal Law the Metropolitan New York City Chapter of ARMA International (2008).
12 cyber data. In order to protect PII cyber data then there must be a PII policy developed that protects PII on cyber data systems and protect how they are transmitted. A PII policy in legislation should be modeled after already existing PII procedures available in the Public Sector. The Department of Homeland Security (DHS) already has a handbook on PII identification and protection procedures that can be used as a base model for any legislation development. The 2012, Handbook for Safeguarding Sensitive Personally Identifiable Information18 provides “step by step guidance on identifying PII”19 and instructions on “Encrypting Sensitive PII, Securing Sensitive PII when not in use and Disposing of Sensitive PII”20 This handbook can serve as the backbone on the development of a PII policy that can be under a comprehensive law. Data protection requires proactive [emphasis added] and reactive legislation. The United States cyber laws focus on reactive polices, but in order to have a comprehensive data protection then there has to be a proactive policy in place otherwise instead of taking preventive measures prior to an attack, there will only be reaction to an attack. Proactive measures must include: Cyber Risk Assessments, Data Classification Policies and PII Policy. VII. CONCLUSION The research shows that the hypothesis was correct, H.R. 1704 and H.R. 1584 did not have a comprehensive policy in protecting confidentiality in a data breach. Both legislative pieces focused on reactive policies and did not include proactive polices. In answering the research 18 US Department of Homeland Security and DHS Privacy Office, Handbook for Safeguarding Sensitive Personally Identifiable Information (2012). 19 Ibid 20 Ibid
13 question whether H.R. 1704 and H.R. 1584 comprehensively address the issues of cyber security for the public and private sector in regards to the protection of confidentiality of individual’s information in a data breach, the research data has shown that they do not and that they do not form a comprehensive policy. H.R. 1704 and H.R. 1584 both focus on reactive cyber policy solutions regarding data confidentiality. However, in order to have a comprehensive policy it has to include a proactive policy. In determining a proactive policy, a regulatory authority for the private sector has to be determined. Public sectors have regulating authorities as deemed by the higher agency, however, there is no Private sector regulating authority. Due to how the FTC works in close proximity to the private sector under 15U.S. Code § 45, then the FTC would be the most appropriate regulatory authority for the private sector. Public sector regulatory authorities would remain the same. The comprehensive policy would include the already established reactionary measures but would also include the significant addition of proactive measures. This proactive legislation would include Cyber Risk Assessments, Data Classification Policies and PII Policy for the private sector, while the public sector would retain their policies developed through their respective agencies. Legislation regarding improvement to cyber policy have been entered into the House and Senate as bills frequently over the past two decades but they very rarely make it to law. The majority of them die as bills in the House or Senate because the Congress period ends. Many are sent to be reviewed by committees and do not make it back for renewal into the new Congress. There are plausible reasons for this, cybersecurity is still new to the world and while new and unknown about its complexities, representatives are timid in taking action when a new bill hits the floor. This timidity, due to lack of education, can stall a bill from becoming law no matter how
14 comprehensive a cyber bill is. Also technology advances exponentially faster than legislation and this also causes the timidity in passing a bill. Regardless of the reasoning, there is a significant need for a comprehensive bill that includes both proactive and reactive measures. H.R. 1704 and H.R. 1584 do not provide an overall solution in the protection of confidentiality of data for a consumer. The public sector already addresses proactive measures regardless of there being legislation, but there is a huge gap in protecting the private sector. Proactive measures previously discussed could be added to future legislation in order to provide a proactive cyber security for data confidentiality in the private sector. Hopefully, this can be accomplished sooner than later before another significant data breach occurs.

Recommended

Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)franciscronje
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
10 Things You Need To Know About Privacy
10 Things You Need To Know About Privacy10 Things You Need To Know About Privacy
10 Things You Need To Know About PrivacyNow Dentons
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database ProtectionSinghania2015
 
10. law invest & ethics
10. law invest & ethics10. law invest & ethics
10. law invest & ethics7wounders
 
India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008ValueMentor Consulting
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Sagar Rahurkar
 

Recommended

Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)ICT / IT Law (Cyberlaw)
ICT / IT Law (Cyberlaw)franciscronje
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
10 Things You Need To Know About Privacy
10 Things You Need To Know About Privacy10 Things You Need To Know About Privacy
10 Things You Need To Know About PrivacyNow Dentons
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database ProtectionSinghania2015
 
10. law invest & ethics
10. law invest & ethics10. law invest & ethics
10. law invest & ethics7wounders
 
India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008India Start-ups IT Security & IT Act 2008
India Start-ups IT Security & IT Act 2008ValueMentor Consulting
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Sagar Rahurkar
 
Cyber law-it-act-2000
Cyber law-it-act-2000Cyber law-it-act-2000
Cyber law-it-act-2000Mayuresh Patil
 
Internet Security and Legal Compliance: Cyber Law in India
Internet Security and Legal Compliance: Cyber Law in IndiaInternet Security and Legal Compliance: Cyber Law in India
Internet Security and Legal Compliance: Cyber Law in IndiaRodney D. Ryder
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
RIB Cybersecurity
RIB CybersecurityRIB Cybersecurity
RIB CybersecurityAndy Kim
 
IT act 2000
IT act 2000 IT act 2000
IT act 2000 PAYAL SINHA
 
An Introduction to Cyber Law - I.T. Act 2000 (India)
An Introduction to Cyber Law - I.T. Act 2000 (India)An Introduction to Cyber Law - I.T. Act 2000 (India)
An Introduction to Cyber Law - I.T. Act 2000 (India)Chetan Bharadwaj
 
Cyber laws and patents
Cyber laws and patentsCyber laws and patents
Cyber laws and patentsravijain90
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?Raffa Learning Community
 
Information Security: The Trinidad & Tobago Legal Context
Information Security: The Trinidad & Tobago Legal ContextInformation Security: The Trinidad & Tobago Legal Context
Information Security: The Trinidad & Tobago Legal ContextJason Nathu
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA ComplianceRaffa Learning Community
 
I.T ACT 2000
I.T ACT 2000 I.T ACT 2000
I.T ACT 2000 RAJ ANAND
 
it act
it act it act
it act 9535814851
 
Information Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakInformation Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakDipayan Sarkar
 
IT Act 2000
IT Act 2000IT Act 2000
IT Act 2000Sreelekshmi Mohan
 
Information Technology Act 2000
Information Technology Act 2000Information Technology Act 2000
Information Technology Act 2000Dr. Heera Lal IAS
 
Information Technology Amendment Act 2008
Information Technology Amendment Act 2008Information Technology Amendment Act 2008
Information Technology Amendment Act 2008Nanda Mohan Shenoy
 
it act 2000
it act 2000it act 2000
it act 2000virtualatall
 
Cyber law final
Cyber law finalCyber law final
Cyber law finaljaskiran_sahni
 
Egan Company Presents - Total Systems Integration: Creating Smarter Buildings
Egan Company Presents - Total Systems Integration: Creating Smarter BuildingsEgan Company Presents - Total Systems Integration: Creating Smarter Buildings
Egan Company Presents - Total Systems Integration: Creating Smarter BuildingsEgan Company
 
Ärztetag.pdf
Ärztetag.pdfÄrztetag.pdf
Ärztetag.pdfunn | UNITED NEWS NETWORK GmbH
 

More Related Content

What's hot

Internet Security and Legal Compliance: Cyber Law in India
Internet Security and Legal Compliance: Cyber Law in IndiaInternet Security and Legal Compliance: Cyber Law in India
Internet Security and Legal Compliance: Cyber Law in IndiaRodney D. Ryder
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
RIB Cybersecurity
RIB CybersecurityRIB Cybersecurity
RIB CybersecurityAndy Kim
 
An Introduction to Cyber Law - I.T. Act 2000 (India)
An Introduction to Cyber Law - I.T. Act 2000 (India)An Introduction to Cyber Law - I.T. Act 2000 (India)
An Introduction to Cyber Law - I.T. Act 2000 (India)Chetan Bharadwaj
 
Cyber laws and patents
Cyber laws and patentsCyber laws and patents
Cyber laws and patentsravijain90
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?Raffa Learning Community
 
Information Security: The Trinidad & Tobago Legal Context
Information Security: The Trinidad & Tobago Legal ContextInformation Security: The Trinidad & Tobago Legal Context
Information Security: The Trinidad & Tobago Legal ContextJason Nathu
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA ComplianceRaffa Learning Community
 
I.T ACT 2000
I.T ACT 2000 I.T ACT 2000
I.T ACT 2000 RAJ ANAND
 
Information Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakInformation Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakDipayan Sarkar
 
Information Technology Act 2000
Information Technology Act 2000Information Technology Act 2000
Information Technology Act 2000Dr. Heera Lal IAS
 
Information Technology Amendment Act 2008
Information Technology Amendment Act 2008Information Technology Amendment Act 2008
Information Technology Amendment Act 2008Nanda Mohan Shenoy
 

What's hot (20)

Cyber law-it-act-2000
Cyber law-it-act-2000Cyber law-it-act-2000
Cyber law-it-act-2000
 
Internet Security and Legal Compliance: Cyber Law in India
Internet Security and Legal Compliance: Cyber Law in IndiaInternet Security and Legal Compliance: Cyber Law in India
Internet Security and Legal Compliance: Cyber Law in India
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About Privacy
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!
 
RIB Cybersecurity
RIB CybersecurityRIB Cybersecurity
RIB Cybersecurity
 
IT act 2000
IT act 2000 IT act 2000
IT act 2000
 
An Introduction to Cyber Law - I.T. Act 2000 (India)
An Introduction to Cyber Law - I.T. Act 2000 (India)An Introduction to Cyber Law - I.T. Act 2000 (India)
An Introduction to Cyber Law - I.T. Act 2000 (India)
 
Cyber laws and patents
Cyber laws and patentsCyber laws and patents
Cyber laws and patents
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?
 
Information Security: The Trinidad & Tobago Legal Context
Information Security: The Trinidad & Tobago Legal ContextInformation Security: The Trinidad & Tobago Legal Context
Information Security: The Trinidad & Tobago Legal Context
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
 
I.T ACT 2000
I.T ACT 2000 I.T ACT 2000
I.T ACT 2000
 
it act
it act it act
it act
 
Information Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K PathakInformation Technology Act 2000 - Santosh K Pathak
Information Technology Act 2000 - Santosh K Pathak
 
IT Act 2000
IT Act 2000IT Act 2000
IT Act 2000
 
Information Technology Act 2000
Information Technology Act 2000Information Technology Act 2000
Information Technology Act 2000
 
Information Technology Amendment Act 2008
Information Technology Amendment Act 2008Information Technology Amendment Act 2008
Information Technology Amendment Act 2008
 
it act 2000
it act 2000it act 2000
it act 2000
 
Cyber law final
Cyber law finalCyber law final
Cyber law final
 

Viewers also liked

Egan Company Presents - Total Systems Integration: Creating Smarter Buildings
Egan Company Presents - Total Systems Integration: Creating Smarter BuildingsEgan Company Presents - Total Systems Integration: Creating Smarter Buildings
Egan Company Presents - Total Systems Integration: Creating Smarter BuildingsEgan Company
 
Cronograma de actividades institucionales junio 2014
Cronograma de actividades institucionales junio 2014Cronograma de actividades institucionales junio 2014
Cronograma de actividades institucionales junio 2014JUA MANUEL GONZALEZ
 
Cronograma de actividades para copiar
Cronograma de actividades para copiar Cronograma de actividades para copiar
Cronograma de actividades para copiar mauriar
 
La importancia de la música
La importancia de la músicaLa importancia de la música
La importancia de la músicaLeidyM1408
 
Qué es una plataforma de educación virtual
Qué es una plataforma de educación virtualQué es una plataforma de educación virtual
Qué es una plataforma de educación virtualMiguel Acuña
 
4 de thi hoc sinh gioi hoa 9 va dap an
4 de thi hoc sinh gioi hoa 9 va dap an4 de thi hoc sinh gioi hoa 9 va dap an
4 de thi hoc sinh gioi hoa 9 va dap anHồng Nguyễn
 
Sistema de gestion de mantenimiento empresa sant ex almeida santiago
Sistema de gestion de mantenimiento empresa sant ex almeida santiagoSistema de gestion de mantenimiento empresa sant ex almeida santiago
Sistema de gestion de mantenimiento empresa sant ex almeida santiagoFrancisco Narvaez
 
CII Water Directory - Layout
CII Water Directory - LayoutCII Water Directory - Layout
CII Water Directory - LayoutAnil G
 
Subdivision and cash flow
Subdivision and cash flow Subdivision and cash flow
Subdivision and cash flow Lorelei Bates
 

Viewers also liked (14)

Egan Company Presents - Total Systems Integration: Creating Smarter Buildings
Egan Company Presents - Total Systems Integration: Creating Smarter BuildingsEgan Company Presents - Total Systems Integration: Creating Smarter Buildings
Egan Company Presents - Total Systems Integration: Creating Smarter Buildings
 
Ärztetag.pdf
Ärztetag.pdfÄrztetag.pdf
Ärztetag.pdf
 
Cronograma de actividades institucionales junio 2014
Cronograma de actividades institucionales junio 2014Cronograma de actividades institucionales junio 2014
Cronograma de actividades institucionales junio 2014
 
Meio ambiente em Bom Jardim MA
Meio ambiente em Bom Jardim MAMeio ambiente em Bom Jardim MA
Meio ambiente em Bom Jardim MA
 
Cronograma de actividades para copiar
Cronograma de actividades para copiar Cronograma de actividades para copiar
Cronograma de actividades para copiar
 
La importancia de la música
La importancia de la músicaLa importancia de la música
La importancia de la música
 
Qué es una plataforma de educación virtual
Qué es una plataforma de educación virtualQué es una plataforma de educación virtual
Qué es una plataforma de educación virtual
 
Google drive - Entorno
Google drive - EntornoGoogle drive - Entorno
Google drive - Entorno
 
4 de thi hoc sinh gioi hoa 9 va dap an
4 de thi hoc sinh gioi hoa 9 va dap an4 de thi hoc sinh gioi hoa 9 va dap an
4 de thi hoc sinh gioi hoa 9 va dap an
 
Profesiografia mecanica y motores
Profesiografia mecanica y motoresProfesiografia mecanica y motores
Profesiografia mecanica y motores
 
Sistema de gestion de mantenimiento empresa sant ex almeida santiago
Sistema de gestion de mantenimiento empresa sant ex almeida santiagoSistema de gestion de mantenimiento empresa sant ex almeida santiago
Sistema de gestion de mantenimiento empresa sant ex almeida santiago
 
CII Water Directory - Layout
CII Water Directory - LayoutCII Water Directory - Layout
CII Water Directory - Layout
 
1. introducción al mantenimiento
1. introducción al mantenimiento1. introducción al mantenimiento
1. introducción al mantenimiento
 
Subdivision and cash flow
Subdivision and cash flow Subdivision and cash flow
Subdivision and cash flow
 

Similar to Proactive Cyber Security Bill

Safeguarding Consumers’ Financial Data 2014
Safeguarding Consumers’ Financial Data 2014Safeguarding Consumers’ Financial Data 2014
Safeguarding Consumers’ Financial Data 2014- Mark - Fullbright
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkMatt Siltala
 
Privacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksPrivacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksTechWell
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Raleigh ISSA
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Servicegorsline
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
Cryptocurrency enforcement framework - Report by the U.S. Department of Justice
Cryptocurrency enforcement framework - Report by the U.S. Department of JusticeCryptocurrency enforcement framework - Report by the U.S. Department of Justice
Cryptocurrency enforcement framework - Report by the U.S. Department of JusticeLoeb Smith Attorneys
 
security issue in e-commerce
security issue in e-commercesecurity issue in e-commerce
security issue in e-commercePalavesa Krishnan
 
Challenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in MexicoChallenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in MexicoJoel A. Gómez Treviño
 
Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Joe Orlando
 
Protecting Consumer Information: Can a Breach be Prevented?
Protecting Consumer Information: Can a Breach be Prevented?Protecting Consumer Information: Can a Breach be Prevented?
Protecting Consumer Information: Can a Breach be Prevented?- Mark - Fullbright
 
Cybersecurity Whistleblower Protection Guide
Cybersecurity Whistleblower Protection GuideCybersecurity Whistleblower Protection Guide
Cybersecurity Whistleblower Protection GuideBenjamin Tugendstein
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceFinancial Poise
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015Robert Craig
 
Developing a Legal Framework to Combat Cybercrime
Developing a Legal Framework to Combat CybercrimeDeveloping a Legal Framework to Combat Cybercrime
Developing a Legal Framework to Combat CybercrimeMarcelo Gomes Freire
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Financial Poise
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
National Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy AgendaNational Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy Agendanationalconsumersleague
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 

Similar to Proactive Cyber Security Bill (20)

Safeguarding Consumers’ Financial Data 2014
Safeguarding Consumers’ Financial Data 2014Safeguarding Consumers’ Financial Data 2014
Safeguarding Consumers’ Financial Data 2014
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David Mink
 
Privacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksPrivacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal Risks
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Cryptocurrency enforcement framework - Report by the U.S. Department of Justice
Cryptocurrency enforcement framework - Report by the U.S. Department of JusticeCryptocurrency enforcement framework - Report by the U.S. Department of Justice
Cryptocurrency enforcement framework - Report by the U.S. Department of Justice
 
security issue in e-commerce
security issue in e-commercesecurity issue in e-commerce
security issue in e-commerce
 
Challenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in MexicoChallenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in Mexico
 
Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3
 
Protecting Consumer Information: Can a Breach be Prevented?
Protecting Consumer Information: Can a Breach be Prevented?Protecting Consumer Information: Can a Breach be Prevented?
Protecting Consumer Information: Can a Breach be Prevented?
 
Cybersecurity Whistleblower Protection Guide
Cybersecurity Whistleblower Protection GuideCybersecurity Whistleblower Protection Guide
Cybersecurity Whistleblower Protection Guide
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
Developing a Legal Framework to Combat Cybercrime
Developing a Legal Framework to Combat CybercrimeDeveloping a Legal Framework to Combat Cybercrime
Developing a Legal Framework to Combat Cybercrime
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
National Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy AgendaNational Consumers League's 2015 Cybersecurity Policy Agenda
National Consumers League's 2015 Cybersecurity Policy Agenda
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)
 

Proactive Cyber Security Bill

  • 1. American Military University Proactive Cyber Security Bill for Data Confidentiality in the Private Sector To School of Security and Global Studies American Public University System By CPT Matthew C. Kurnava Homeland Security Program/Cyber Security Concentration Arlington, VA May 29, 2016
  • 2. i TABLE OF CONTENTS i I. INTRODUCTION AND PROBLEM STATEMENT 1 II. RESEARCH QUESTION 1-2 III HYPOTHESIS 2 IV. RESEARCH METHODOLOGY 2-3 V. LEGISLATION REVIEW 3-6 VI. BILL PROPOSITION 6-12 VII. CONCLUSION 12-14
  • 3. 1 We're trying to remain profitable for our shareholders… So, you make risk-based decisions: What're the most important things that are absolutely required by law? Jason Spaltro, 2007 Former Senior Vice President of Information Security of Sony Pictures I. INTRODUCTION AND PROBLEM STATEMENT Many Americans assume that when purchasing an item from a store using their bank card that the data (bank card number) is protected and the merchant has completed proper cyber security measures. However, the private sector does not have a federal law requiring them to perform proactive measures to ensure the data is protected. Any protective measures performed are at the discretion of the business and there is very little or no oversight. There is a need for a comprehensive cyber security law that addresses the proactive and reactive measures necessary for the protection of confidential data in the private sector. Two legislative measures were recently introduced into Congress to address confidential measures in cyber security: H.R.1704 - Personal Data Notification and Protection Act of 2015 and H.R.1584 - The CARDER Act of 2015. Problem Statement: The research is important because it will analyze H.R. 1704 and H.R. 1584 and address any gaps that are discovered upon analyzation. II. RESEARCH QUESTION I will attempt to answer the following question: Does H.R. 1704 and H.R. 1584 comprehensively address the issues of cyber security for the private sector in regards to the protection of confidentiality of individual’s information in a data breach?
  • 4. 2 Secondary Questions: 1. Are the two measures proactive or reactive in protection of the confidentiality of individuals involved in a data breach? 2. What additional legislation can be included that can address any gaps found in H.R. 1704 and H.R 1584? III. HYPOTHESIS H.R. 1704 and H.R 1584 both propose solutions in cyber security involving the protection of confidentiality of individuals involved in a data breach. However, I propose that there will be significant gaps in the legislation identified and that additional legislation will have to be included to make up for the common deficiencies found in both pieces of legislation. IV. RESEARCH METHODOLOGY The research method of this research is a Qualitative Analytical Study. This will be completed by: 1. Decompose the problem into the right sub problems. 2. Find the root causes of each sub problem. 3. Find the high leverage points for resolving each root cause. 4. Find the solutions for pushing on the high leverage points.1 1 Thwink, Analytical method - tool/concept/definition (2014), http://www.thwink.org/sustain/glossary/AnalyticalMethod.htm.
  • 5. 3 In this paper the Independent variable is the confidentiality of public and private sectors information being maintained during a data breach. The Dependent variable is legislation from Congress addressing how to maintain confidentiality for the private sector V. LEGISLATION REVIEW H.R.1704 - Personal Data Notification and Protection Act of 2015[114th Congress (2015- 2016]  Background Rep. James Langevine introduced H.R.1704 to the House of Representatives on March 26 2015, it was then referred to several committees for review.2 The last action for the bill was a referral to the Subcommittee on the Constitution and Civil Justice on April 29, 2015.3 The focus of the bill is to create a National Data Breach Notification Standard (NDBNS). It entails that any business that has more than 10,000 employees in a 12-month period will promptly notify every individual when information is compromised during a cyber security breach. The enforcing body of the NDBNS would be the Federal Trade Commission under the same authority as the Federal Trade Commission Act (15.U.SC. 41 et seq)4  How would have enacting H.R. 1704 improve cybersecurity? The intent of information security is to protect information through the information security triad (confidentiality, integrity, and availability). In cyber security, this is the protection of cyber data from unauthorized access, use, disclosure, disruption, modification, or destruction in order to 2 James Langevin, Actions - H.R.1704 - 114th congress (2015-2016): Personal data notification and protection act of 2015 (Apr. 29, 2015), https://www.congress.gov/bill/114th-congress/house-bill/1704/all-actions?overview=closed. 3 Ibid 4 Ibid
  • 6. 4 provide confidentiality, integrity, and availability in cyberspace5 H.R. 1704’s intent is address the problem that occurs when a cyber breach breaks confidentiality. When a hacker breaches a system, the information contained in the system is then compromised and any Personal Identifiable Information (PII) is available to the hacker. This includes the bank account numbers, social security numbers, addresses, etc. of employees and customers. H.R. 1704’s intent is to create a mandatory law that requires businesses to contact individuals in a timely manner to let them know that their information has been compromised and a breach has occurred.  What related cyber issues did H.R. 1704 fail to address? H.R.1704 is legislation that seeks to notify only after a cyber breach has occurred. It does not address any proactive measures to implement for confidentiality protection. The legislation does not mandate quarterly or semiannually risk and vulnerability assessment prior [emphasis added] but only considers exemptions from notification if a risk assessment meets the FTC expectations. The risk assessment and cyber vulnerability assessments are valuable assets in the protection of data and insuring the confidentiality of data and information prior to a cyber breach. H.R.1704 legislation does not address the implementation of these or give the Federal Trade Commission (FTC) or any other justifiable authority the ability to regulate the maintenance of periodic vulnerability and risk assessments. This is a significant void in the legislation that should be addressed. 5 Margaret Rouse et al., What is confidentiality, integrity, and availability (CIA triad)? - definition from WhatIs.com (WhatIs.com Nov. 2014), http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA.
  • 7. 5 H.R.1584 - CARDER Act of 2015 [114th Congress (2015-2016)] • Background Rep James Langevin introduced H.R. 1584 Cybercrime Anti-Resale Deterrent and Extraterritoriality Revision (CARDER) Act of 2015 on March 24, 2015.6 The last action on this bill was an assignment to a committee on Dec 2, 2015. It is an amendment to 18 U.S. Code § 1029 - Fraud and related activity in connection with access devices1029, (h). The focus of the bill is to make it easier to prosecute criminals that trade stolen credit cards.7 This increases the law enforcements ability to identify the original hackers that stole the numbers. This includes hackers that may reside outside the United States but the actions occurred within the jurisdiction of the United States, thus giving the United States extraterritorial jurisdiction to prosecute. The amendment removes 18 U.S. Code § 1029 paragraph (h)2. • How would have enacting H.R. 1584 improve cybersecurity? This bill also focuses on information cyber security and confidentiality protection. The elimination of 18 U.S. Code § 1029 paragraph (h)2 removes the requirement for transfer of the stolen articles or funds through U.S. jurisdiction. With this removal, it is easier to prosecute based solely on the requirement that the offense involves an access device, “issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity within the jurisdiction of the United States”8 . This is significant, additional registration that 6 James Langevin, H.R.1584 - 114th congress (2015-2016): CARDER act of 2015 (Feb. 12, 2015), https://www.congress.gov/bill/114th-congress/house 7 Langevin unveils package of consumer protection legislation (Apr. 7, 2015), https://langevin.house.gov/press- release/langevin-unveils-package-consumer-protection-legislation. 8 18 U.S. Code § 1029 - fraud and related activity in connection with access devices (LII / Legal Information Institute Oct. 12, 1984), https://www.law.cornell.edu/uscode/text/18/1029.
  • 8. 6 prevents prosecution enables the hackers and traders to continue operations in illegal activities stealing cards, codes, identification numbers and other articles allowing them to commit more crime. The removal of paragraph (h)2 eliminates the red tape of prosecuting those criminals for violating the confidentiality of the citizens bank accounts and or identities. In doing so, the bill assists in the removal of criminals from continuing to break confidentiality of consumers in cyberspace. • What related cyber issues did H.R. 1584 fail to address? The mandating the requirement of identified consumer protection software is not broached or identified. This bill, while it may make the prosecution of the crime easier, is only a Band-Aid to the fixing the problem of the crime occurring in the first place. Currently there is no legislation addressing the issue of consumer cyber- confidentiality protection. H.R. 1584 is a reactive bill and changes the language in the legislation to assist in the making the prosecution easier to catch criminals. The bill does not take a proactive stance in the consumer protection of confidentiality regarding the articles discussed in the bill (i.e. credit cards). The bill may increase the amount of prosecuted hackers and credit card thefts; it says nothing in regards to prevention of the theft in the first place. Proactive prevention methods of credit card numbers from being hacked and stolen then traded is not mentioned this includes risk. VI. BILL PROPOSITION Establishing an Authority (Private Sector) Public sector regulation is not the issue; government agencies can enforce regulation with little effort. Implementing a regulatory authority for the private sector is more difficult because Figure : Hydroelectric system entry point (OccupyTheWeb 2015)
  • 9. 7 these are private organizations and business that do not fall under the authority of the government regarding the operations of their private business. Legislation on the private sector is hard to pass but because private companies can put consumer data at risk then there must be a regulatory authority to implement a protective policy. The legislation review has shown that legislation for cyber confidentiality has resulted in reactive legislation for the end user rather than a comprehensive legislation addressing proactive and reactive solutions to addressing cyber confidentiality protection. Currently there is an abundance of reactive cyber security laws. As of October 2015, “47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of data breach notification laws.”9 While these laws perform a great service do those affected by a cyber-attack there are currently no laws mandating proactive measures at a national level. It is hard to enforce cyber security policy in a proactive way, however the government can get involved in the consequence of private sector companies when their cyber security policies and programs fail to protect its consumers or mislead them. This is evident in the case of Federal Trade Commission (FTC) v. Wyndham Worldwide: …the US Court of Appeals for the Third Circuit upheld the FTC’s authority to enforce a claim for unfair practices. The FTC had, inter alia, alleged that the company, which experienced three cyber- attacks resulting in a theft of consumer data, had not used commercially reasonable methods for protecting consumer data and overstated its cybersecurity protections in its published privacy policy. The decision recognizes the FTC’s authority to bring enforcement actions for what it deems are “unfair cybersecurity practices.”10 9 MP015649, Proactive Approach To Cybersecurity: Recent Sec Guidance And Enforcement Actions Suggest That Reactive Firms May Be In The Sec’s Crosshairs (2015). 10 Ibid,6
  • 10. 8 The issue is not whether the FTC has the ability to consequence, in which as shown in this case they have that authority when the company did not provide adequate cyber security, the issue is that there is no legislation that would enforce upon that company proactive measures to provide preventive measures against the attacks that the company suffered. Currently the laws within the United States involve a multitude of varying privacy laws but there is no comprehensive data protection law and there is no single authority that presides over data protection in the United States. 11 While this may be so, in the private industry the FTC can serve in this role if required or mandated. The FTC has a requirement under 15U.S. Code § 45 - Unfair methods of competition unlawful; prevention by Commission, which states clearly as depicted in the following figure12 : This provides a regulatory authority for the private sector when it comes to privacy enforcement. The law does not give the FTC fining authority but it does give them the ability to provide enforcement actions and as a result of the enforcement actions provide delinquent companies with consent decrees. When a company violates a consent decree13 through law, then the FTC can fine the company. 14 The FTC has the ability to prohibit unfair practices that are unfair or deceptive acts that result in affecting the buying or selling of goods or services. This relates to cyber security because 11 Yoon et al., Data Protection and Privacy in 26 Jurisdictions Worldwide (2014)., 191 12 15 U.S. Code § 45 - unfair methods of competition unlawful; prevention by commission (LII / Legal Information Institute Aug. 23, 1958), https://www.law.cornell.edu/uscode/text/15/45. 13 Settlement contained in a court order 14 Yoon et al., Data Protection and Privacy in 26 Jurisdictions Worldwide (2014).
  • 11. 9 when data is not protected appropriately and PII is at risk for the consumer/merchant then the theft or damage of the privacy data may result in a financial loss affecting commerce. For example, when a major company such as Target does not have adequate cyber security measures and a cyber-attack steals the PII of millions of its consumers, the consumers and Target suffer a financial loss due to the theft as a result of the theft alone or the recuperative efforts (cyber investigations costs money) by the merchant following the attack. Accordingly, if the attack was the result of inadequate cyber security program then the FTC can follow through with enforcement actions. As a result, the FTC is the best authority to the private sector as a regulatory authority for data privacy enforcement, without forming a new organization. Establishing Private Sector Proactive Measures As previously stated, the private sector is concentrated on in this analysis because the public sector can (and does) implement proactive regulation on their own agency authority. Reactive measures are already in place and should be retained in any new proposed legislation. What is lacking in legislation are proactive measures. New legislation would involve regulatory action required prior [emphasis added] to a cyber-attack. This would include the requirement for companies to perform certain actions to protect their systems containing PII of their employees and/or customers. While this is not a fool proof solution, any action regulated prior to a cyber- attack would benefit to businesses and the private sector overall. Certain proactive measures provide better protection than others and because the requirement would span the entire private sector, the minimum requirement should be of high quality and cost effective. Most cyber security strategy program polices fall upon the company but there are constants that can be regulatory mandated and implemented without a hefty price tag. These constants include Cyber Risk Assessments, Data Classification Policies and PII Policy.
  • 12. 10 Cyber Risk and Assessments. The National Institute of Standards and Technology (NIST) provides a stepped process in how a risk assessment should be performed15 and these steps can be used to transfer to the private sector as the minimum requirements for a risk assessment. These steps are: 1. Identify and Document Asset Vulnerabilities 2. Identify and Document Internal and External Threats 3. Acquire Threat and Vulnerability Information from External Sources 4. Identify Potential Business Impacts and Likelihoods 5. Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts 6. Identify and Prioritize Risk Responses This is a process that can be mandated for all businesses. This also leaves the businesses open to decide how best to accomplish this risk assessment based on their size and fiscal value. Larger companies with a larger employee and customer base will be able to assess risk and use the appropriate risk management resourcing to meet the requirement and the needs corresponding to a larger organization. A small business, in the same respect, will be able to meet the requirement and use less fiscally costly resourcing. Data Classification Policies. Data Classification Policies provides the company the ability to properly handle data that can damage it based upon its risk that it can pose to the company. The classification of the data is relative to the business. The point of a mandated legislation is to ensure 15 Steven Chabinsky, Best practices for conducting a Cyber risk assessment (Nov. 2, 2015), http://www.securitymagazine.com/articles/86754-best-practices-for-conducting-a-cyber-risk-assessment.
  • 13. 11 one is in place as a protective measure to the company, its employees and its consumers. Typically, businesses use public, business only, and confidential as classification of data16 . While this is a good general business practice, there are some companies that do not have a classification system at all. A proper classification policy helps in the improper release of information that can accessed in a data breach if it is not properly stored and maintained. While a classification system is related more to information management, it is directly applicable to the protection of data information from a cyber breach. Information management involves physical data as well as cyber data, but a breach of cyber data can be the result of improper information management and a classification policy can assist in the prevention of cyber data being exploited by outsider and insider threats. PII Policy Protection of PII is essential in personal data protection policy development. The public sector has regulations regarding the protection of PII protecting the critical information (i.e. Social Security Numbers, Health Data, Bank Account Numbers). However, this is also spread across different laws throughout legislation and also only referencing certain portions of infrastructure as noted by Ms. Virginia Jones: The laws apply to particular private or government sectors, and most of the laws include penalties for non-compliance. Some laws pertain only to government, some only to certain levels or sectors of government, and some only pertain to certain sectors of business such as finance, banking, medical, and telecommunications. Each organization must determine which laws apply to them.17 Having some [emphasis added] PII protection policy is not the issue, the issue is that there is not a comprehensive law and there is not any PII policy targeted specifically for private sector 16 Bill Hayes, Tips for creating a data classification policy (SearchSecurity Jul. 2015), http://searchsecurity.techtarget.com/feature/Tips-for-creating-a-data-classification-policy. 17 Virginia A. Jones, Requirements for Personal Information Protection Part 1: U.S. Federal Law the Metropolitan New York City Chapter of ARMA International (2008).
  • 14. 12 cyber data. In order to protect PII cyber data then there must be a PII policy developed that protects PII on cyber data systems and protect how they are transmitted. A PII policy in legislation should be modeled after already existing PII procedures available in the Public Sector. The Department of Homeland Security (DHS) already has a handbook on PII identification and protection procedures that can be used as a base model for any legislation development. The 2012, Handbook for Safeguarding Sensitive Personally Identifiable Information18 provides “step by step guidance on identifying PII”19 and instructions on “Encrypting Sensitive PII, Securing Sensitive PII when not in use and Disposing of Sensitive PII”20 This handbook can serve as the backbone on the development of a PII policy that can be under a comprehensive law. Data protection requires proactive [emphasis added] and reactive legislation. The United States cyber laws focus on reactive polices, but in order to have a comprehensive data protection then there has to be a proactive policy in place otherwise instead of taking preventive measures prior to an attack, there will only be reaction to an attack. Proactive measures must include: Cyber Risk Assessments, Data Classification Policies and PII Policy. VII. CONCLUSION The research shows that the hypothesis was correct, H.R. 1704 and H.R. 1584 did not have a comprehensive policy in protecting confidentiality in a data breach. Both legislative pieces focused on reactive policies and did not include proactive polices. In answering the research 18 US Department of Homeland Security and DHS Privacy Office, Handbook for Safeguarding Sensitive Personally Identifiable Information (2012). 19 Ibid 20 Ibid
  • 15. 13 question whether H.R. 1704 and H.R. 1584 comprehensively address the issues of cyber security for the public and private sector in regards to the protection of confidentiality of individual’s information in a data breach, the research data has shown that they do not and that they do not form a comprehensive policy. H.R. 1704 and H.R. 1584 both focus on reactive cyber policy solutions regarding data confidentiality. However, in order to have a comprehensive policy it has to include a proactive policy. In determining a proactive policy, a regulatory authority for the private sector has to be determined. Public sectors have regulating authorities as deemed by the higher agency, however, there is no Private sector regulating authority. Due to how the FTC works in close proximity to the private sector under 15U.S. Code § 45, then the FTC would be the most appropriate regulatory authority for the private sector. Public sector regulatory authorities would remain the same. The comprehensive policy would include the already established reactionary measures but would also include the significant addition of proactive measures. This proactive legislation would include Cyber Risk Assessments, Data Classification Policies and PII Policy for the private sector, while the public sector would retain their policies developed through their respective agencies. Legislation regarding improvement to cyber policy have been entered into the House and Senate as bills frequently over the past two decades but they very rarely make it to law. The majority of them die as bills in the House or Senate because the Congress period ends. Many are sent to be reviewed by committees and do not make it back for renewal into the new Congress. There are plausible reasons for this, cybersecurity is still new to the world and while new and unknown about its complexities, representatives are timid in taking action when a new bill hits the floor. This timidity, due to lack of education, can stall a bill from becoming law no matter how
  • 16. 14 comprehensive a cyber bill is. Also technology advances exponentially faster than legislation and this also causes the timidity in passing a bill. Regardless of the reasoning, there is a significant need for a comprehensive bill that includes both proactive and reactive measures. H.R. 1704 and H.R. 1584 do not provide an overall solution in the protection of confidentiality of data for a consumer. The public sector already addresses proactive measures regardless of there being legislation, but there is a huge gap in protecting the private sector. Proactive measures previously discussed could be added to future legislation in order to provide a proactive cyber security for data confidentiality in the private sector. Hopefully, this can be accomplished sooner than later before another significant data breach occurs.