Legislative Branch Activity

Data Breach

This week, several Congressional Committees will hold a number of hearings focused on the recent data breaches at Target, Neiman Marcus and other large companies that compromised the financial information of millions of customers. The hearings will focus on how to prevent future data breaches and the appropriate course of action that companies should take if they experience a data breach. Officials from the Department of Homeland Security (DHS) are scheduled to testify at several of the hearings, as well as officials from Target, Neiman Marcus and other private sector representatives.

Many Members of Congress have expressed their concern that companies are not doing enough to notify their customers about data breaches, including Senator Chuck Schumer (D-NY) who called on the Consumer Financial Protection Bureau to launch a federal investigation into the Target breach in addition to the Department of Justice investigation that is already underway. Senator Jay Rockefeller (D-WV) also sent a letter last week to Target asking why it has not reported its data breach to the Securities and Exchange Commission (SEC) and why it has not provided more information to shareholders about the financial impact that the breach will have on Target’s operations. Senator Rockefeller has previously pushed for the SEC to elevate its staff-level guidance on reporting cybersecurity attacks and data breaches to shareholders to ensure that it is a requirement as opposed to a recommendation.

Upcoming Hearings:

  • Monday, February 3: The Senate Banking, Housing and Urban Affairs Subcommittee on National Security and International Trade and Finance will host a hearing titled “Safeguarding Consumers’ Financial Data.”
  • Tuesday, February 4: The Senate Judiciary Committee will hold a hearing titled “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.” The hearing will feature Executive Vice President and Chief Financial Officer of the Target Corporation John Mulligan.
  • Wednesday, February 5: The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade will host a hearing titled “Protecting Consumer Information: Can Data Breaches Be Prevented?” Witnesses at the hearing will include officials from Target and Neiman Marcus.
  • Wednesday, February 5: The House Homeland Security Committee will mark up the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (H.R. 3696).

Executive Branch Activity

NIST Cybersecurity Framework

The Obama Administration and the Department of Homeland Security continue to work with companies and owners and operators of critical infrastructure to encourage them to adopt the cybersecurity standards that will be part of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The President Obama’s February 2013 Executive Order (EO) required NIST to publish the final version of the Cybersecurity Framework within one year of the EO’s release. NIST is in the process of finalizing the Framework document which will be released on February 13.

Federal Acquisition Cybersecurity Recommendations

Last week, the General Services Administration (GSA) and Department of Defense (DOD) issued a report required by the EO that called on the agencies to determine how to factor cybersecurity requirements into federal acquisition contracts. The report included several recommendations for reform that would improve cybersecurity and resilience in the federal acquisition system such as requiring agencies to only work with organizations that meet baseline cybersecurity standards, developing common cybersecurity definitions for federal acquisitions, and instituting a federal acquisition cyber risk management strategy. GSA and DOD will also issue a request for public comments next month to review how this report could be used to impact federal procurement rules.