States take the lead
47 states have passed breach notification bills.
Don't expect much action from Congress; it's an election year.
While there may be a new encryption bill as an outgrowth of Apple's confrontation with the FBI, security industry pros and Washington insiders agree that when it comes to cybersecurity legislation, including the pending national bills on digital privacy and breach notification, nothing will happen until after the election.
“It's unlikely any bills will pass this year,” says Ari Schwartz, now managing director for cybersecurity services at Venable, and up until last fall, the National Security Council's senior director for cybersecurity.
On the plus side, late last year, President Obama signed into law the Cybersecurity Information Sharing Act (CISA), which according to Schwartz, gives companies incentives to share information in the event of a security breach.
And in mid-February, the Department of Homeland Security, which was identified in CISA as the lead agency for managing cybersecurity information sharing, released guidance that requires companies to remove personally identifiable information (PII) before sharing cyberthreat information. It also requires DHS to conduct a privacy review of the information shared by the company that sustained an attack. Final guidance will be released this summer, adds Schwartz.
Of course, privacy advocates, including Sen. Ron Wyden (D-Ore.) and the American Civil Liberties Union (ACLU) cried foul after CISA passed, claiming that the law signed by President Obama has no teeth and would do little to prevent major hacks.
On the federal legislative front, privacy advocates received a glimmer of hope in early February when House Judiciary Committee Chairman Bob Goodlatte (R-Va.) indicated that the Judiciary Committee planned to mark up the Email Privacy Act this spring.
The federal privacy legislation aims to reform the Electronic Communications Privacy Act (ECPA) of 1986, a law that was signed around the time email was first being introduced. It's essentially a companion bill to the legislation first introduced three years ago on the Senate side by Sen. Patrick Leahy (D-Vt.) and Sen. Mike Lee (R-Utah). The bill would amend ECPA to require government officials to obtain a warrant before compelling internet service providers or other online service providers to disclose the private communications of their users. The bill as it's currently written also covers personal or proprietary documents stored with cloud service providers.
Following Rep. Goodlatte's announcement, Sen. Leahy said, “updating our digital privacy laws is long overdue and passing this bill should be a no-brainer.”
While many expected the Email Privacy Act to pass in 2015, it was held up by the Securities and Exchange Commission, which, in representing federal civilian agencies, asked for an exemption from the warrant requirement as specified in the updated version of ECPA.