On May 12, 2011, the White House released the long-expected cybersecurity legislative proposal in response to the need to protect Americans from cyber threats. The proposal is the culmination of several years of work following the White House’s release of the Cyberspace Policy Review in 2009 and includes the following sections:
- Computer Security Law Enforcement – This section is intended to clarify and synchronize the elements of cyber crimes and to create standardized penalties for violations of the law.
- Data Breach Notification – These provisions would establish a national data breach reporting system. The provisions are aimed at standardizing the requirements for reporting security breaches by, among other things, establishing statutory definitions of a “security breach” and “sensitive personally identifiable information.”
- Cybersecurity Information Sharing – This section would create a system intended to encourage, incentivize and protect the voluntary sharing of cyber incident and cybersecurity information between federal, state and local governments and private industry.
- Protecting Critical Infrastructure – These provisions would require the Department of Homeland Security (“DHS”) to develop, in coordination with industry, a list of covered critical infrastructure facilities and a set of risk-based standards for those covered facilities. Under the provisions, covered facilities would be mandated to develop cybersecurity plans to meet the risk-based standards. The plans would be required to be signed by a responsible corporate officer, audited by a third party and certified annually to the DHS or the Securities and Exchange Commission.
- Coordination of Federal Information Security Policy – This section is aimed at establishing a coordinated approach to federal information security and grants DHS primary authority for information security across the federal government, including formalizing DHS’s responsibility for implementation of the Federal Information Security Management Act.
- Data Centers – These provisions would bar states from requiring data centers to be located in a state to do business in that state, except where authorized by federal law.
- Privacy and Civil Liberties – These provisions would require DHS to implement its cybersecurity program in accordance with privacy and civil liberties procedures developed by experts, and would obligate businesses and state and local governments to remove identifying information unrelated to cybersecurity threats before sharing information with DHS.
If enacted, the Administration’s cybersecurity legislative proposal would have a broad impact across all levels of government and industry sectors. The heaviest impacts are likely to be felt by the financial services, energy and IT/communication sectors.