Cybersecurity Monitor: October 2016

IN THIS ISSUE

The breach of 500 million Yahoo user accounts amplified calls for Congress to act on breach notification legislation. But the timing for action was not opportune, primarily because Congress was in pre-election recess. With Members unlikely to want to take up another thorny issue during the brief Lame Duck Session, the issue will be passed on to the 115th Congress. And Congress’ inability to agree on legislation during the previous two years does not bode well for the prospects of legislation during the next two.

DESPITE YAHOO BREACH, CONGRESS UNLIKELY TO ACT IN 2016

On September 22, Yahoo announced that “a state-sponsored actor” had, in late 2014, stolen information associated with at least 500 million user accounts – making it the largest data breach disclosed to date. The stolen information included names, email addresses, telephone numbers, dates of birth, hashed passwords (according to Yahoo, the vast majority hashed with bcrypt), and encrypted or unencrypted security questions and answers. According to the company, it apparently did not include unprotected (clear text) passwords, payment card data, or bank account information. The distinction matters less than it may appear: security questions and answers stored in the clear are reusable against the same users at any other service that relies on them for account recovery, regardless of how well the passwords themselves were hashed.

Despite the size of the breach, and questions about what the company knew and when, Yahoo was fortunate in one respect: it announced the breach just before Congress went into recess so that Members could campaign. The company was thus spared having CEO Marissa Mayer hauled before multiple congressional committees.

Yahoo still faces numerous challenges. But our aim here is not to focus specifically on the Yahoo breach. Rather, we want to consider the possible impact the breach will have on national cybersecurity policy.

The Hill reported that “[s]upporters of legislation that would dictate how and when companies have to notify customers of a data breach are seizing on the hack of 500 million Yahoo accounts to push their effort forward.” As the article made clear, however, both Congress and the industries lobbying Members on the issue remain far from a consensus as to what legislation should look like.

The chief impediment to legislation now is the calendar. The Lame Duck Session begins on November 14, and the 114th Congress is scheduled to end on December 16 – leaving only 16 legislative days in the House, and 20 days in the Senate. In between, Congress must pass government funding legislation – or a Continuing Resolution – by December 9.

As we wrote in the April Cybersecurity Monitor, in the absence of national legislation establishing cybersecurity standards for the private sector, states are stepping into the vacuum.

In September, for instance, California Governor Jerry Brown signed AB 2828, which amends the state’s data breach notification law. Previously, the law’s notification duty did not reach breaches of encrypted personal information. Under AB 2828, businesses must also disclose a breach when encrypted personal information is acquired together with the encryption key or security credential, and the business reasonably believes that the key or credential could render the information readable or usable. The law takes effect on January 1, 2017.

Also in September, the New York Department of Financial Services proposed a “first-in-the-nation regulation” that would require banks, insurance companies, and other financial services institutions regulated by the NYDFS to establish cybersecurity programs. Programs would be required to, among other things: identify internal and external cyber risks; detect cybersecurity events (defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an Information System or information stored on such Information System”); respond to identified cybersecurity events to mitigate any adverse effects; and recover from cybersecurity events.

At this point, the only certainty about the 115th Congress, which formally opens on January 3, 2017, is that it will face additional data breaches – and pressure from both the public and the private sector to act. The major sticking point for the 115th Congress, as it was for the 114th, will be the competition among the various committees with jurisdiction over cybersecurity to advance their own bills.