Legislative Branch Activity

Data Breach Hearings and Legislation

In response to the recent Target data breach which compromised the credit and debit card data of millions of customers, several committees will host hearings in the coming weeks to examine data breaches and their effect on customers. The Senate Judiciary Committee will hold a hearing on Tuesday, February 4 which will feature Target Chief Financial Officer John Mulligan, while the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade plans to hold a hearing on data breaches the same week. Members of the Senate Banking, Housing and Urban Affairs Committee, the Senate Commerce, Science and Transportation Committee, the House Financial Services Committee and the House Judiciary Committee have also called for hearings in their respective committees on the issue of data security and subsequent legislation that has been introduced in response to the recent data breaches reported in the news. Subcommittee on Commerce, Manufacturing, and Trade Chairman Lee Terry (R-NE) and Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-DE) have both indicated that they plan to introduce data breach legislation in the coming weeks to go along with the bill that Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has already introduced this Congress to create a national standard for data breach notification.

Upcoming Hearings:

  • Tuesday, February 4: The Senate Judiciary Committee will hold a hearing titled “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.” The hearing will feature Executive Vice President and Chief Financial Officer of the Target Corporation John Mulligan.

Executive Branch Activity

NIST Cybersecurity Framework

As required by President Barack Obama’s cybersecurity Executive Order (EO) released in February 2013, the National Institute of Standards and Technology (NIST) will unveil the final version of its Cybersecurity Framework by February 13. NIST recently reviewed the comments from over 200 stakeholders that discussed their concerns about the preliminary Cybersecurity Framework that NIST released in October. In response to these comments, NIST noted that it plans to scale back its original privacy recommendations after a number of industry representatives criticized NIST for calling on companies to minimize the personally identifiable information they collect and share about their customers as part of the preliminary Framework. While NIST has not explicitly stated how it will change this section of the Cybersecurity Framework, it did note in a recent update that it would incorporate alternative methodologies and additional context on privacy based on the comments and public input it received.

After NIST releases the Framework next month, the Department of Homeland Security will continue to work on turning the standards set out by the Framework into a voluntary program for critical infrastructure owners and operators. In addition, NIST has also indicated that it may sponsor another workshop in the next four to six months to review the stakeholder experience with the Cybersecurity Framework and discuss questions about the long-term governance of the Framework.