
Cybersecurity a Hot Issue on Capitol Hill

By Bill Leonard  2/25/2014


The reaction to a massive data breach at Target stores hit Capitol Hill with full fury during the first week of February 2014 as both chambers of Congress held multiple hearings on the causes of the breach and how to prevent it from recurring.

As discussions of the issue reverberated through congressional hearing rooms, the House of Representatives took the first substantive step on Feb. 5, when the Homeland Security Committee voted unanimously to approve the National Cybersecurity and Critical Infrastructure Protection Act (H.R. 3696). The committee vote is a rare example of strong bipartisan support for a bill from a Congress that has struggled with deep political divides and been essentially gridlocked for the past four years.

“I am proud of the bipartisan effort of this committee to approve this critical piece of legislation,” said Chairman Michael McCaul, R-Texas. “H.R. 3696 has been endorsed by industry and privacy advocates and, if enacted, will establish equal cybersecurity partnerships between private industry and DHS [Department of Homeland Security] while ensuring Americans’ civil liberties are protected.”

Even though the legislation primarily focuses on steps to protect the nation’s “critical infrastructure,” some of its provisions could affect a wide range of private-sector employers. According to a Congressional Research Service summary, the measure would require the secretary of Homeland Security to coordinate with federal, state and local governments; critical infrastructure owners; and other business groups to facilitate a national effort to strengthen and protect important infrastructure from cyberthreats. In addition, the legislation would require DHS officials, when asked, to provide risk-management assistance to businesses and education to critical infrastructure operators. Under another provision, the DHS would have to develop and then coordinate a research-and-development strategy for cybersecurity technology.

While the Homeland Security Committee met to vote on H.R. 3696, the House Subcommittee on Commerce, Manufacturing and Trade held a hearing on protecting consumer information and preventing data breaches. And on Feb. 4, the Senate Judiciary Committee also examined the increase in cybercrime and discussed ways to protect critical personal data from online predators.

“Like many Americans, I am alarmed by the recent data breaches at Target, Neiman Marcus and Michaels Stores,” said Judiciary Chairman Patrick Leahy, D-Vt. “The investigations into those cyberattacks are ongoing. Yet, it is already clear that these attacks have compromised the privacy and security of millions of American consumers—potentially putting 1 in 3 Americans at risk of identity theft and other cybercrimes.”

In early January, Leahy introduced the Personal Data Privacy and Security Act (S. 1897). The bill is similar to a cybercrime-prevention measure he introduced in 2010, but the legislation failed to gain traction. During the hearing, Leahy said he believed that the data breaches at Target and Neiman Marcus were wake-up calls for Congress to act quickly and pass legislation that ensures privacy protections for all consumers and U.S. workers.

“For organizations that have critical information assets—such as customer data, intellectual property, trade secrets and proprietary corporate data—the risk associated with a data breach is now higher than ever before,” Fran Rosch, senior vice president of security products and services at Symantec Corp., told the committee. “Simply put, stealing data is big business; most major breaches are part of sophisticated criminal enterprises that trade on stolen identities and credit card numbers. The cost impacts of and the metrics associated with worldwide data breaches are significant.”

Rosch recommended that all businesses be aware of the security threats posed by cybercriminals, who are growing more sophisticated every day in their methods to hack into and extract personal records and financial data from companies.

All businesses need to practice “good cyber hygiene,” Rosch said, and take steps to make sure their employees adhere to the organization’s computer and online usage policies.

“Preventing data breaches and protecting privacy starts with good cyber hygiene,” he said. “Having security software installed, using strong passwords and not responding to suspicious e-mails” are essential precautions.

He stressed to the committee members that strong passwords remain the foundation of good security on all electronic devices.

“Passwords must be different, because using a single password for multiple accounts or system logons means that a breach of one account exposes all accounts. Using a second authentication factor—such as a text message, a smart card, biometrics or a token with a changing numeric password—significantly increases the security of a login.”

Rosch told the senators that they could strengthen privacy protections and help prevent data breaches by passing legislation that would apply to every organization that collects, maintains or sells records with sensitive personal data.

“These requirements should affect the public and private sectors equally,” he said. “Any new legislation should also consider existing federal regulations and not create duplicative, additional or conflicting rules.”

Bill Leonard is a senior writer for SHRM.
