Legislative Branch Activity

Data Breach Issues

Last week, three Congressional Committees – the House Energy and Commerce Committee, Senate Banking, Housing and Urban Affairs Committee, and the Senate Judiciary Committee – held hearings that explored the recent data breaches at Target and Neiman Marcus that compromised the financial data for millions of customers. Officials from Neiman Marcus, Target, the Secret Service, the Federal Trade Commission (FTC), the Department of Justice (DOJ) and the Department of Homeland Security (DHS) testified at the various hearings to discuss the details of the breaches and potential solutions that could prevent future cyber attacks. House Energy and Commerce Subcommittee on Manufacturing and Trade Chairman Lee Terry (R-NE) indicated that his subcommittee may also hold a follow up hearing on the Target and Neiman Marcus breaches once investigators complete the forensic analysis of these incidents.

The hearings also focused on several pieces of legislation related to data security that have been introduced this Congress including Senator Patrick Toomey’s (R-PA) Data Security and Breach Notification Act of 2013 (S. 1193), Senator Patrick Leahy’s (D-VT) Personal Data Privacy and Security Act of 2014 (S. 1897), Senator Tom Carper’s (D-DE) Data Security Act of 2014 (S. 1927), and Senator John Rockefeller’s Data Security and Breach Notification Act of 2014 (S. 1976).  While all of these bills address different components of data security, several would require a federal data breach notification standard to ensure that companies notify their customers in a timely manner after a breach occurs. In the hearings last week, the FTC noted that it would be in support of this type of standard. In addition, Rep. Terry said that he is drafting data breach notification legislation that he plans to introduce in the coming weeks but noted that he has not decided whether to include provisions requiring certain security standards in his bill.

Executive Branch Activity

NIST Cybersecurity Framework

On Thursday, the National Institute of Standards and Technology (NIST) will issue the final version of its Cybersecurity Framework. The Framework is the final product of a provision in the President’s February 2013 Executive Order (EO) that required NIST to work with stakeholders and owners and operators of critical infrastructure to determine a set of voluntary standards that would help protect critical infrastructure from cyber threats. Once the Cybersecurity Framework is released, DHS will continue to work with critical infrastructure to encourage the adoption of the NIST standards.