Cyber Security Legislation Privacy Protections are Substantially Similar
By Rob Strayer and David Beardwood

The four most prominent cyber security legislative proposals, namely the Obama administration's legislative text; the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 3253, sponsored by Congressman Mike Rogers; the Cybersecurity Act of 2012, S. 2105, sponsored by Senators Lieberman, Collins, Rockefeller and Feinstein; and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT Act), S. 3342, sponsored by Senator McCain and several other Republican senators, all apply strict conditions to cyber security information sharing and have oversight measures to protect privacy and civil liberties. Each proposal establishes information-sharing mechanisms that would protect personal information from misuse and mandates ongoing oversight to ensure respect for privacy and civil liberties. Caviling over minor differences with its proposal, the administration threatens to veto the House-passed CISPA, largely based on its privacy protections.[1] There is substantial common ground rather than major divergence among these proposals on how to protect privacy and civil liberties, as explained below.

PRIVACY AND CIVIL LIBERTIES PROVISIONS IN CURRENT PROPOSALS

The Obama Administration Proposal

The administration's proposal assigns the Department of Homeland Security with the responsibility of carrying out cyber security information sharing.[2] Private-sector information used by the government must be related to cyber threats to federal networks or critical infrastructure, personal information must be protected from unauthorized access or disclosure, and those using federal networks must be notified that their traffic may be monitored.[3] Shared information may also be used for law enforcement purposes with the approval of the attorney general if it is evidence of the past, current or imminent commission of a crime.[4] Private sector,[5] as well as state and local,[6] cooperation with the federal government is protected from public disclosure. Finally, oversight of these measures would be provided by the chief privacy and civil liberties officers of DHS and DOJ through annual reports to Congress,[7] and separately by the Privacy and Civil Liberties Oversight Board (PCLOB), which would provide an initial evaluation to Congress within two years of enactment.[8]

CISPA

The Cyber Intelligence Sharing and Protection Act, H.R. 3523, passed the House by a bipartisan vote of 248-168.[9] It would allow the director of national intelligence (DNI) to establish intelligence-sharing mechanisms between the intelligence community and the private sector. CISPA grants more control to the private sector than the other proposals in limiting the use of information provided to the federal government or other private sector entities. It allows companies submitting information to set additional anonymization standards[10] and prohibit sharing of the information with specific federal agencies.[11] Shared information is protected from public disclosure[12] or use for unfair trade advantage.[13] Data provided to the government may only be used for cyber security purposes, investigating and prosecuting crimes which could result or have resulted in death, serious bodily harm, or the exploitation of a minor, and in cases of threats to national security.[14] Personal records on library use, book sales and purchases, firearm sales, tax returns, education, and medical history are also excluded from use in intelligence sharing.[15] The inspector general of the intelligence community provides oversight through annual reports to Congress,[16] but the PCLOB is not required to participate in oversight under the bill.[17]

The Cybersecurity Act of 2012

The Cybersecurity Act of 2012, S. 2105, authorizes additional public-private information sharing with DHS, similar to the Obama administration's proposal, and among private sector entities. The bill requires that DHS establish guidelines for sharing cyber security threat and vulnerability information to protect privacy and civil liberties, in consultation with the attorney general and DNI.[18] It would also establish a full-time privacy officer to ensure compliance with the guidelines.[19] The federal government must also explicitly protect against the disclosure of personal information, and any cyber intelligence shared with the government would be protected from public disclosure.[20, 21] The government may only use shared information against cyber threats[22] and to prevent, investigate, or prosecute the past, current, or imminent commission of a crime with the approval of the attorney general, with the attorney general weighing the value of any such law enforcement action against the need to protect personal information.[23] Businesses may share cyber intelligence as long as they follow these restrictions and do not use shared information to gain an unfair trade advantage.[24] Oversight would come from the chief privacy and civil liberties officers of DHS and DOJ through annual reports to Congress,[25] as well as the PCLOB, which would provide an initial evaluation to Congress within two years of enactment, as in the administration's proposal.[26] The inspector general of each relevant agency would also provide annual evaluations.[27]

The SECURE IT Act

The SECURE IT Act, S. 3342, would establish cyber intelligence sharing between the private sector and multiple cyber security centers throughout the federal government.[28] These centers must follow standards set by the secretaries of commerce and homeland security to protect personal information and trade information,[29] and those providing information would be protected from legal reprisal or public disclosure of shared content.[30] Additional control is provided to the private sector, as those sharing information must provide consent before information may be shared with state, local or tribal governments for any reason.[31] Any shared information may again only be used for cyber security, national security, or law enforcement purposes, although this bill is the most permissive for law enforcement use by allowing any federal agency to use information against any crime codified in section 2516 of title 18 of the U.S. Code.[32] Oversight is carried out by the PCLOB and all agency and department heads overseeing cyber security centers who, together, must submit an initial evaluation to Congress within one year of enactment and biennial reports thereafter.[33] The inspector general of each relevant agency would also provide annual evaluations.[34] Additionally, the Council of the Inspectors General on Integrity and Efficiency is authorized to conduct oversight, though no requirements are placed on the frequency of their review.[35]

MEASURES IN COMMON TO PROTECT PRIVACY AND CIVIL LIBERTIES

All four proposals allow a government agency to set enforceable guidelines for the sharing of cyber security information between the private sector and the government, as follows:

Administration's Proposal: The secretary of homeland security, with review and approval by the attorney general.[36]
CISPA: The director of national intelligence, in consultation with the secretary of homeland security.[37]
Cybersecurity Act: The director of the Department of Homeland Security's cyber security center, in consultation with the attorney general, DNI, and the privacy officer of the DHS center.[38]
SECURE IT Act: The secretary of commerce, in consultation with the secretary of homeland security.[39]

Personally identifiable information (PII) may not be included in the information shared, unless it is necessary to include that information for security purposes.[40] Each proposal requires the protection of PII whenever it is not critical for security purposes. This keeps PII limited to the company entrusted to protect it, as well as relevant government investigators. There are also provisions in each bill that prevent the disclosure of personal information to the public in the critical circumstances when it is shared. CISPA also allows for providers to set additional requirements for anonymization.

There must be continuous oversight of compliance with privacy and civil liberty measures, as well as evaluation of their impact.[41] Oversight will help to prevent intentional or accidental abuse and identify developing needs in regulations. The Privacy and Civil Liberties Oversight Board's membership awaits Senate confirmation. Once its members are confirmed, the PCLOB will serve as an independent agency to oversee activity across the government, and each of the four initiatives, except CISPA, would include the Board in oversight,[42] though the originally filed version of CISPA included the Board.[43] The three proposals that include the PCLOB also prescribe other groups of government officers to lead dual oversight, with the administration proposal and the Cybersecurity Act involving the chief privacy and civil liberties officers of DHS and DOJ,[44] the SECURE IT Act requiring reporting from the relevant agency or department heads and chief privacy and civil liberties officers[45] as well as the Council of the Inspectors General on Integrity and Efficiency,[46] and both the Cybersecurity and SECURE IT Acts requiring oversight by the inspector general of each agency using shared information.[47] CISPA would require the inspector general of the intelligence community to conduct multi-agency oversight.[48]

Information shared with the federal government may only be used for cyber security, for national security purposes, and by law enforcement to prosecute a crime; and not regulatory action.[49]

Cyber intelligence provided to the federal government is protected from public disclosure through the Freedom of Information Act (FOIA) or other means.[50] This condition is necessary for intelligence sharing, as disclosed exchanges could reveal vulnerabilities in private security or cause reputational harm, possibilities which currently may preclude more robust information sharing.

CONCLUSION

The four major proposals from the administration, House, and Senate establish common ground on many privacy protections. The bills vary to limited degrees on the mechanism of the sharing, control over the process by the private sector, and agency responsibilities, but the core provisions on privacy and civil liberties are largely agreed upon. These differences are of the type that typically can be worked out through the legislative process as bills move through the committees to floor action and eventual conference between the House and Senate, and do not amount to an issue that should pose an insurmountable obstacle to the enactment of cyber security legislation.

NOTES

1 Executive Office of the President, Office of Management and Budget, Statement of Administration Policy: H.R. 3523 Cyber Intelligence Sharing and Protection Act. 25 April 2012.
2 White House, Comprehensive National Cybersecurity Initiative, available at: http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative; White House, Cybersecurity Authority and Information Sharing Act of 2011 (Cybersecurity Authority Act).
3 Cybersecurity Authority Act 244(b).
4 244(b)(3).
5 White House, Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act 7(d).
6 Cybersecurity Authority Act 245(f).
7 248(e).
8 248(f).
9 Final Vote Results for Roll Call 192. 26 April 2012.
10 H.R. 3523 (RFS) 2 (50 U.S.C. 1104(b)(3)(A)).
11 2 (50 U.S.C. 1104(b)(3)(C)(iv)).
12 2 (50 U.S.C. 1104(b)(3)(D)).
13 2 (50 U.S.C. 1104(b)(3)(B)).
14 2 (50 U.S.C. 1104(c)(1)).
15 2 (50 U.S.C. 1104(c)(4)).
16 2 (50 U.S.C. 1104(e)(1)).
17 H.R. 3523 (IH) 2 (50 U.S.C. 1104(c)).
18 S. 2105 (PCS) 243(c)(5).
19 242(j).
20 704(d-f).
21 704(g)(4).
22 704(g)(1).
23 704(g)(2).
24 702(b).
25 704(g)(5).
26 704(g)(6).
27 201 (44 U.S.C. 3556(c)).
28 S. 3342 101(5): Cyber security centers that could conduct information sharing include the DOD Cyber Crime Center, U.S. Cyber Command Joint Operations Center and NSA/CSS Threat Operations Center, the ODNI Intelligence Community Incident Response Center, the FBI National Cyber Investigative Joint Task Force, the DHS National Cybersecurity and Communications Integration Center, and any subsequently established federal cyber security center. Available at: http://www.hutchison.senate.gov/files/documents/s%20%203342%20secure%20it.pdf
29 201 (44 U.S.C. 3553(a)(1)).
30 102(c)(3-7).
31 102(c)(2).
32 102(c).
33 105(a).
34 201 (44 U.S.C. 3554(a)(4)).
35 106.
36 Cybersecurity Authority Act 248.
37 H.R. 3523 2 (50 U.S.C. 1104(b) (Procedures and Guidelines)).
38 S. 2105 243(c)(5).
39 S. 3342 201 (44 U.S.C. 3553).
40 Cybersecurity Authority Act 248(a)(2); H.R. 3523 2 (50 U.S.C. 1104(b)(3)(A)); S. 2105 243(c)(1)(E)(i); 702(b)(1); S. 3342 102(d)(1)(C).
41 Cybersecurity Authority Act 248; H.R. 3523 2 (50 U.S.C. 1104(e)); S. 2105 704(g)(4-7); S. 3342 104; 106; 201 (44 U.S.C. 3554(a)(4)).
42 Cybersecurity Authority Act 248(f); S. 2105 704(g)(6); S. 3342 105.
43 H.R. 3523 (IH) 2 (50 U.S.C. 1104(c)).
44 Cybersecurity Authority Act 248(e); S. 2105 704(g)(5).
45 S. 3342 105(a).
46 106.
47 S. 2105 201 (44 U.S.C. 3556(c)); S. 3342 201 (44 U.S.C. 3554(a)(4)).
48 H.R. 3523 (RFS) 2 (50 U.S.C. 1104(e)).
49 Cybersecurity Authority Act 244(b); Cybersecurity for Critical Infrastructure Act 8(a)(1)(C); H.R. 3523 (RFS) 2 (50 U.S.C. 1104(c)); S. 2105 704(g)(1-2); S. 3342 102(c)(1).
50 Cybersecurity Authority Act 245(f); Cybersecurity for Critical Infrastructure Act 7(d); H.R. 3523 2 (50 U.S.C. 1104(b)(3)(D)); S. 2105 704(d); S. 3342 102(c)(3-7).