Two bills, currently in the Senate, have the potential to change the U.S. cybersecurity landscape if passed into law. The first is the ‘Cybersecurity Disclosure Act of 2019’, introduced by Senator Jack Reed (D-RI) on 28 February 2019. The second is the ‘Mind Your Own Business Act of 2019’, introduced by Senator Ron Wyden (D-OR) last week on 17 October 2019.
The Cybersecurity Disclosure Act of 2019 is a relatively small rewording of the Cybersecurity Disclosure Act of 2017, but with potentially far-reaching effects. There are three relevant paragraphs in the new act. The first, which is unchanged from the 2017 version, requires the disclosure of whether anybody at board level has cybersecurity expertise, and the nature of that expertise, in the organization’s annual report or annual proxy statement to the Securities and Exchange Commission (SEC).
The second paragraph is amended. The wording changes from “what other cybersecurity steps taken by the reporting company were taken into account” to “what other aspects of the reporting company’s cybersecurity were taken into account by any person…” The new wording puts more focus on the company’s existing cybersecurity posture and introduces a ‘person’ who takes it into account.
The third paragraph in both versions of the act says the FTC should consult with NIST, with reference to the NIST SP 800-181 Cybersecurity Workforce Framework, to “define what constitutes expertise or experience in cybersecurity… using commonly defined roles…”
The NIST document does not define a chief information security officer role or its tasks (the title is mentioned just three times). Nevertheless, it is difficult to see how the role of the ‘person’ required by the new act could be fulfilled by any single person other than an organizational CISO or CSO. The effect of the new act will therefore be to increase pressure on organizations to have a named CISO with a voice on the board, as the most efficient way of fulfilling the legal requirement.
It should be noted that this is not the stated purpose of the act. In describing his act, Jack Reed said, “This legislation advances that goal [bolstering our nation’s cybersecurity] by encouraging publicly traded companies to be more transparent about whether and how their Boards of Directors and senior management are prioritizing cybersecurity.”
Noticeably, the New York Department of Financial Services’ 23 NYCRR 500 regulation, which served a similar purpose but for financial entities in the state of New York, did not hesitate to demand that a CISO should be designated as a “qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.”
The second bill is Ron Wyden’s new Mind Your Own Business Act (MYOB), which focuses on protecting user privacy, and is far more explicit in its demands. If passed into law, it will effectively become a federal privacy law, and — under the Constitution’s Supremacy clause — could supersede existing state laws covering the same areas. But this is not the tame federal law that many fear will come from big tech lobbying for a federal law (see https://www.securityweek.com/senate-panel-hear-internet-execs-privacy-policies).
The bill will effectively turn the FTC into a European-style data protection regulator. Wyden’s statement describes it as “the authority to be an effective cop on the beat.” It also empowers the FTC to hire “175 more staff to police the largely unregulated market for private data.”
The most important state-level privacy law is the California Consumer Protection Act (CCPA), due to come into effect in January 2020. A comparison of the two acts could throw light on the potential future progress of the MYOB bill. Both aim to give consumers greater control over the way in which personal data is used by corporations. However, the MYOB bill is ‘stronger’ in some areas and ‘weaker’ in others.
One area in which it is much stronger than the CCPA is the introduction of prison time for executives who misuse Americans’ data and lie about those practices to the government. Wyden is very clear about this. “Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government,” he explained.
Prison sentences for privacy infringements are not a new idea outside of the U.S. The UK’s ICO has been calling for them since at least 2011. In November 2017, Mike Shaw, enforcement group manager and head of the ICO’s criminal investigations team, said, “In the future, we would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases.”
While it is stronger than the CCPA against executives, MYOB is weaker in financial sanctions against the corporation. It caps fines at 4% of global revenue, the same ceiling introduced by the GDPR.
In 2018, Facebook’s global revenue was $55.8 billion. If the Cambridge Analytica incident had occurred under the jurisdiction of the MYOB bill, the maximum potential fine would have been $2.232 billion (4% of revenue). If it had occurred under the CCPA, the maximum potential fine would have been $50.25 billion ($7,500 times the number of affected California residents). The MYOB bill would consequently give the California DA less flexibility in sanctioning major transgressors, and is unlikely to be welcomed by states with their own privacy bills.
Vested interests — privacy activists and privacy vendors — will most likely welcome MYOB. Lecio de Paula, data privacy director at awareness training firm KnowBe4, comments, “As long as privacy advocates continue to make their voices heard, this bill has a lot of potential to be able to help solve some of the privacy and security challenges we have in the United States today.”
He sees benefits in the MYOB approach. “Many organizations are simply just ‘ok’ with receiving a fine and a slap on the wrist — which we have seen with the past few FTC fines of the large tech players,” he said. “When an executive is held personally accountable, that’s when things start to change. Secondly, for the most part, the resources at the FTC’s disposal have been scarce, but they have been making do with what they have. If the FTC is able to obtain more authority and resources to start cracking down on organizations that are violating basic privacy and security principles, we will start to see a new standard set for businesses, which would allow them to begin taking a privacy-first approach to tackling new challenges and creating new products.”
But there remain many doubts whether this could ever become law. Bill Ender, CISO Advisor and Investor at RightBrainCISO, told SecurityWeek, “There are a couple of inclusions there that would give some corporate executives a coronary: 10 – 20-year criminal penalties, corporate taxes tied to executive salaries.”
He continued, “The clarification ‘that the bill does not preempt any state law’ is curious. So, if a state doesn’t have its own CCPA-like law (which might not include the above-mentioned executive-related penalties), privacy breaches in that state would be subject to this federal legislation, which could apply those penalties? I’m guessing the majority of states would take issue with that.”
His conclusion is simple: “I doubt it would pass in its current form.”