Welcome to The Jeff Eller Group’s new monthly publication, Cybersecurity Monitor. In each issue we highlight the policies and broader political developments shaping the public debate on cybersecurity, and provide you with insights into how these developments could impact your business and reputation.
IN THIS ISSUE
Cybersecurity has been high on the 114th Congress’ agenda. But with the exception of the Cybersecurity Act of 2015, Congress has been unable to pass legislation on such key cyber issues as breach notification. State lawmakers and regulators are stepping into the gap. And as the cyber threat environment evolves – we are closely monitoring the growing awareness, and exploitation, of cyber vulnerabilities in the health care industry, for instance – the states will continue to take the lead in addressing these threats.
STATES TAKE THE LEAD ON BREACH NOTIFICATION
Tennessee is one of 47 states to have passed breach notification laws. The state recently tightened the requirements for reporting a breach in the system of a person, state agency, or business that owns or licenses computerized data that includes personal information. Under SB 2005, which Gov. Bill Hallam signed on March 24, holders of such information must notify Tennessee residents of a breach within 45 days. As law firm Baker & Hostetler LLP noted, “While the vast majority of states require notification in the ‘most expedient time possible’ and ‘without unreasonable delay,’ Tennessee becomes the eighth state to enact legislation that sets a specific time period for notification to affected individuals.” Furthermore, the new law, which takes effect on July 1, removes an exemption from notification requirements if the personal information involved in the breach was encrypted.
Several breach notification bills have been introduced in the U.S. Senate and House of Representatives. To date, however, none have received floor votes. And with only about 35 legislative days left before Congress adjourns for the party conventions and August campaigning, it looks unlikely that Congress will pass legislation until at least after the November 8 elections.
SEN. PETERS PROMOTES NATIONAL AUTO CYBERSECURITY LAB
Sen. Gary Peters (D-Mich.) told a cybersecurity forum he would prefer that the automotive industry, rather than the federal government, address the cybersecurity of connected vehicles. “The way to prevent Congress from pushing it further is for the industry to step up,” Sen. Peters said. “The technology is moving so fast that the problem will be the regulators not being able to keep up.” In particular, Peters proposed establishing a national laboratory for automotive cybersecurity. “No question, we need a national facility,” he told the forum. “These exist in other parts of the world and we have to be competitive.” Sen. Peters would like the laboratory built at a former auto manufacturing site near Detroit that has been designated for development as an $80 million automated-vehicle testing facility.
Sen. Peters’ proposal puts him at odds with fellow Senate Democrats Edward Markey (Mass.) and Richard Blumenthal (Conn.). In July 2015, Markey and Blumenthal introduced S. 1806, the Security and Privacy in Your (SPY) Car Act. The bill would require the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to issue motor vehicle cybersecurity regulations man-dating that motor vehicles manufactured for sale in the U.S. protect against unauthorized access. “Drivers shouldn’t have to choose between being connected and being protected,” Sen. Markey said. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.” To date, the SPY Act has no additional sponsors — and of particular note, no Republican sponsors — which means the bill will likely die in the Senate Commerce, Science and Transportation Committee.
MARKEY ALSO TARGETS AIRLINE INDUSTRY
More recently, Sen. Markey introduced legislation require the disclosure of information relating to cyber attacks on aircraft systems and establish standards to identify and address cybersecurity vulnerabilities to the U.S. commercial aviation system. Specifically, S. 2764, the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act, would mandate that the Department of Transportation require airlines, aircraft manufacturers, and manufacturers of electronic control, communications, maintenance, or ground support systems for aircraft, “to disclose to the Federal Aviation Administration any attempted or successful cyber attack on any system on board an aircraft, whether or not the system is critical to the safe and secure operation of the aircraft, or any maintenance or ground support system for aircraft, operated by the air carrier or produced by the manufacturer.”
EXECS, BOARDS UNPREPARED FOR CYBER BREACHES
C-suite executives and boards of directors regularly list cybersecurity among the top risks their companies face. And yet a recent study found that a significant percentage of executives and directors around the globe are unprepared to address a cyber event, such as a data breach. The study, which was commissioned by Nasdaq and cybersecurity firm Tanium Inc., found that 91 percent of non-executive directors at highly vulnerable companies cannot read a cybersecurity report; nearly 100 percent of those companies do not track devices on their network; only 9 percent said their systems were regularly updated in response to cyber threats; and 87 percent of them do not consider their malware, antivirus software, and patches to be 100 percent up-to-date at all times. “As legislation across the globe evolves to make organizations accountable for loss of personal data as a result of cybercrime,” the Wall Street Journal (paywall) wrote, “board mem-bers need to become as capable of reading a cyber report as they are of analyzing balance sheets.”