If you have any interest in cybersecurity, recent data breaches, or data protection, you were probably anxious to hear what President Obama would cover in his State of the Union address last week. I recently wrote a brief summary of the recent events leading up to the flurry of legislative talk about cybersecurity – from the Sony hack in November to the FISMA updates in December – so now it’s time to look at what the President set the stage for in the new year.
“We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and the economy.”
That’s what the President had to say about the growing threat from cyber-attacks to both our personal data and national infrastructure. He announced that he signed an executive order that would strengthen and standardize our defenses against cyberattacks. The order includes the following:
- Improved cybersecurity information-sharing between the government and private sector, specifically asking private companies to share cyber threat information with the Department of Homeland Security
- Enhanced personal information security by calling on the private sector not to retain unnecessary personal information and to comply with other privacy restrictions
- Modernization of law enforcement in order to better combat cyber crimes, such as allowing the courts to shut down and prosecute anyone caught selling botnets, criminalizing overseas sales of stolen data, and taking measures to deter the sale of spyware
- Standardization of data breach reporting laws, most notably requiring that companies notify consumers within thirty days of the discovery of a data breach
The order also calls for a summit on cybersecurity and consumer protection, which is scheduled for February 13th at Stanford University. The summit’s goal will be to bring together a wide range of cybersecurity experts and interested parties to promote better cyber defense policies and private-public cyber threat information sharing.
How are people taking it?
The speech and recent push for cybersecurity legislation have generally been well-received, but the frequent emphasis on “information sharing” has some worried that all we’ll see as a result is an increase in surveillance. The concern is that citing “cyber threat indicators” is nothing more than a vague reason to transmit personal information and communications to the government. Privacy advocates are watching closely for an infringement on their civil liberties, but most agree that there needs to be a better standard for the public and private sectors to alert each other to threats.
The biggest crowd-pleaser seems to be the push for a standard data breach notification rule – even though the President didn’t directly address it in the speech. PCWorld.com reports that the Information Systems Audit and Control Association (ISACA), which focuses on cybersecurity training and benchmarking, surveyed its members and more than three-quarters agreed or strongly agreed with the data breach notification proposal. However, it’s likely going to be a struggle to pass a federal law, with the majority of the pushback expected to come from companies that will want to limit the law’s requirements so that authorities and consumers must be notified only when a certain number of records are compromised.
As key stakeholders (and often victims) in the cybersecurity game, credit unions have already spoken up in support of the President for calling on Congress to pass stronger cybersecurity laws. Dan Berger, President and CEO of the National Association of Federal Credit Unions, said, “Our efforts to establish national data security standards for retailers will help address the president’s call for action to protect our nation from continued vulnerability.” However, there are fears that the increased interest in data protection will mire credit unions in unnecessary regulations, which is exactly what happened when big banking was under scrutiny after the financial crisis.
The best offense is a good defense.
The old saying holds true even when we’re talking about cyber defense. If your records are being stored and shared securely, there’s a lower chance you’ll need to worry about what to do after a data breach because it’s less likely to happen. Focus on implementing a secure file-sharing and collaboration solution and policies now and you’ll be a step ahead of the cybersecurity game.