CSIA Expects ‘Jurisdictional’ Fights to Decline in 110th
Data security legislation may succeed under Democratic control -- not because the party is better than the Republicans on the issue, but because “jurisdictional” fights between committees are expected to decline, incoming Cyber Security Industry Alliance Exec. Dir. Liz Gasster told us. Her confidence was in marked contrast to House Financial Services Committee member Bean’s (D-Ill.) prediction of another year of “turf war” between her committee and House Commerce on data security (WID Dec 7 p3). Gasster, CSIA gen. counsel, takes over Jan. 1 for Paul Kurtz, formerly President Clinton’s cyber chief on the Homeland Security Council.
House Financial Services Committee Chmn.-designate Frank (D-Mass.) has promised to bring together committees with a stake in data security and has a “pragmatic understanding” of the issue, Gasster said. CSIA is encouraged by “early signs” in the 110th Congress. “Substantive” differences over legislation have long since ceased to be the barrier to passage, and “our positions do not seem to divide up on either partisan lines or jurisdictional lines,” she added.
“All the signs” are that data breaches are “going to continue,” Gasster said. Because of state notification laws, led by Cal.’s, “we're learning so much more about how serious the problem is” but haven’t settled on how to handle breaches. State laws are mainly “reactive,” requiring notification but not standards for protection of data. About 6 states have more forceful laws but their strength is enforcement of penalties for breached firms, she said. The FTC is “engaging in real activism” on breach enforcement under the unfair trade practices doctrine, but the agency’s energy “definitely doesn’t negate the need for strong federal… legislation.”
Perhaps the greater immediate worry is broad definitions getting into data security bills other than the approved VA legislation (S-3421), Gasster said. CSIA has criticized the VA bill’s language as encompassing even a name without an identification number, or encrypted personal information (WID Dec 14 p6). The VA bill “could set a precedent,” but given its last-minute passage this Congress, it’s “hard to attribute motive” to the broad definition as opposed to rushed drafting, she added. CSIA may challenge VA on carrying out S-3421, Gasster said, but didn’t specify how. It’s unlikely sector-specific laws like the financial industry’s Gramm-Leach-Bliley will fall to broad legislation, she said. But voluntary standards, like the payment card industry’s PCI and IT security’s ISO 17799, may be “useful models” for legislators to consider in broadening security legislation, she said.
The Dept. of Homeland Security must “not try to boil the ocean” by covering all aspects of cybersecurity, Gasster said. The agency, which filled its assistant secretary for cybersecurity & telecom post after more than a year of searching (WID Oct 12 p1), should stick to 3 priorities: (1) An effective system of “situational awareness” with “acute real-time information” for all participants. (2) Command & control leadership and cooperation with industry groups like the Information Sharing & Analysis Centers for the IT and telecom sectors. (3) Emergency communications, with “resilient infrastructure” and communications protocols, “so you're not flipping through your Rolodex,” Gasster said. She called consumer awareness a “2nd tier” priority.
The Federal Information Security Management Act (FISMA) has “done an enormously good job” of raising “visibility” around agency data security policy, Gasster said, but conceded that complaints from agency CIOs have merit (WID Dec 11 p2). CIOs need “more authority and accountability,” which “varies tremendously” across agencies, under a reformed FISMA, she said. Some data security programs are stuck because resources are “excessively tied up with the paperwork and compliance requirements,” Gasster added. FISMA reform, along with data security legislation and DHS cybersecurity planning, is a top CSIA priority in the 110th.
Gasster is “not at all” concerned that CSIA has missed the boat on European data security policy. The group opened its European office in Brussels recently (WID Oct 4 p6). Though the European Union data protection directive is going through implementation in each country already, Europeans are “taking a very careful, very systematic approach to reviewing these issues” -- “holistic” as opposed to the “ad hoc” U.S. approach, she said. As multinational companies find themselves squeezed between differing and sometimes contradictory data privacy and security rules around the world, the time is “ripe” for CSIA to add its voice to international discussions, she said: IT CEOs must “feel like they have a voice globally.”