Cyber-Security Bill Seen as Good First Step Despite Privacy Concerns
Second, the bill has added some restrictions and privacy protections that weren't in the earlier bills. In addition, the companion bill now being considered would place coordination in the hands of the Department of Homeland Security rather than one of the intelligence agencies. Graham said that he expects to see some modifications to the bill that's presented to the Senate that would cover some of the remaining concerns. One facet of the bill that needs to be changed, he said, is that companies shouldn't be able to protect against poor practices. "One of things that could be added is some sort of standard of practice," he said. "After the breaches of 2014, we should not see reports that stolen information was unencrypted and in the clear." He said that he doesn't think the bill should give negligent companies a free pass. "If they don't do due diligence, they should not be free from repercussions," Graham said. "Companies need to do the right thing to protect the information.""Cyber-attacks are not just a threat to our national security," Belcher said in a prepared statement, "but to Americans' economic security as well. The cyber-security legislation passed by the House today provides greater legal protections to those who share critical information about cyber threats and vulnerabilities, encouraging the voluntary sharing of data that will provide networks and users with stronger defenses against hackers." But as Graham said, this is only a first step. While the new law will allow companies to avoid liability for sharing data and will also prevent some lawsuits resulting from breaches, it does not remove the need for companies to act responsibly. When a massive breach occurs, there is simply no excuse for being told that none of the information was encrypted, as was the case with the Anthem health care breach. While it's true that no law required Anthem to protect those records with encryption, the company still put its members and others at great risk through what can only be described as negligence. Fortunately, as the former CEO of Target found out, the market can be a powerful force. After Target's breach, the company lost 30 percent of its valuation and its CEO lost his job. Nothing in this new law prevents those repercussions, nor should it. Unfortunately, it may be time to include some penalties for such negligence, regardless of any limitations of liability. This bill doesn't do that, but it's still important and needed to be done. As Graham said, "It's time."
Advocates for passage of a cyber-security bill have been broadly supportive. Scott Belcher, CEO of the Telecommunications Industry Association, said that this first cyber-security bill is an important step in security.