Trade Law Daily is a Warren News publication.
'Not Going' Away

OPM Breach Increases Attention on Cybersecurity Information Sharing Act, but Influence on Bill's Prospects Called Unclear

The Office of Personnel Management (OPM) data breach announced Thursday, in combination with Congress’ recent passage of the USA Freedom Act (see 1506020052), temporarily increases attention on Senate consideration of the Cybersecurity Information Sharing Act (S-754), but it's unclear whether that will improve the bill's chances of passage, industry lawyers and lobbyists told us in interviews. The White House cited the data breach, which OPM said may have compromised the personally identifiable information (PII) of about 4 million current and former federal employees, as a reason for Congress to pass cybersecurity legislation (see 1506050042). The House overwhelmingly passed two cybersecurity information sharing bills in April -- the National Cybersecurity Protection Advancement Act (HR-1731) and the Protecting Cyber Networks Act (HR-1560) -- and sent the language from both bills to the Senate as a revised version of HR-1560 (see 1504230062 and 1504220066).

President Barack Obama again registered concerns about the OPM data breach Monday during a news conference at the G-7 summit in Schloss Elmau, Germany. “This problem is not going to go away -- it’s going to accelerate,” he said. “That means that we have to be nimble, as aggressive and as well-resourced as those who are trying to break into these systems.” Obama said the federal government is “going agency by agency and figuring out what can we fix with better practices and better computer hygiene by personnel, and where do we need new systems and new infrastructure in order to protect information.”

The juxtaposition of the OPM data breach and Obama’s comments at the G-7 summit is likely to “underline the importance of moving” S-754 among the bill’s supporters, said Norma Krayem, co-leader of Squire Patton’s cybersecurity practice. The OPM breach “does focus the nation on what Congress could be doing and should be doing, which should provide some additional impetus to adopt [S-754],” said former FCC Public Safety Bureau Chief Jamie Barnett, a cybersecurity and telecom lawyer at Venable. Any data breach is likely to “put additional pressure on Congress and the administration to do something,” but since the White House has been active in issuing executive orders on cybersecurity and issuing related legislative recommendations, “people are looking more to Congress” to pass legislation, Barnett said.

Lawmakers may “be a little bit leery about moving” S-754 if it appears the bill “puts more information in the hands of federal agencies” given the questions the OPM data breach raises about the security of federal networks, said Monument Policy Group lobbyist Andrew Howell. “I think that this may have shaken the trust of federal legislators such that they might want to take a much longer look at this whole issue of how agencies manage themselves and Americans’ data before they ask companies to hand over more,” Howell said. “I think it’s also fair to say this might cause folks to look at the whole federal IT management more thoroughly than they might have otherwise.” Additional scrutiny of federal IT practices could be beneficial “for everybody in the cybersecurity space,” but “until the government makes that [information] available to companies, I don’t think that learning is going to be taking place,” Howell said.

It’s not clear whether earlier consideration of S-754 would have allowed the federal government to prevent the OPM data breach, Barnett said, but he said earlier passage of the Federal Information Security Modernization Act during the last Congress might have allowed the Department of Homeland Security to implement that bill’s provisions earlier. The bill, one of four cybersecurity measures that Congress passed in December, revised the existing Federal Information Security Management Act and created rules for federal agencies’ response to government data leaks (see 1412110073). The revised FISMA allows DHS to “move with a lot of agility” to respond to federal data breaches and generally moves the federal government toward the concept of continuous monitoring and detection, Barnett said. If Congress had passed the revised FISMA earlier, “I suspect that could have had an effect” on the OPM data breach, he said. “This would’ve been caught early, it would’ve been minimized. The real problem now is that DHS needs time to implement the bill and you need the resources” to implement it.

Senate critics of S-754 pushed back against calls from S-754 co-author and Senate Intelligence Committee Vice Chairwoman Dianne Feinstein, D-Calif., and other supporters to consider the bill after the OPM breach. Judiciary Committee ranking member Patrick Leahy, D-Vt., a critic of S-754 on privacy grounds, said on C-SPAN’s Newsmakers program Friday that Congress should examine the data breach, but “I worry that it’s always ‘pass this law immediately’” or something will happen. Leahy previously has asked Senate Judiciary Chairman Chuck Grassley, R-Iowa, to seek secondary oversight of S-754. Sen. Ron Wyden, D-Ore., the only member of Senate Intelligence who voted against S-754 when the committee cleared it in March (see 1504170061), said in a statement that “this is a bad excuse to try and pass a bad bill.” The U.S. should continue to “pull out all the stops to go after foreign hackers and foreign threats, but there’s a way to do that without threatening the privacy of millions of law-abiding Americans,” Wyden said.

The concerns Leahy and Wyden raised are an indication that privacy advocates are generally still concerned about S-754’s impact on PII, though the current version of S-754 contains additional privacy and civil liberties protections over previous drafts, Barnett said. Those privacy concerns “are still important to address and that can be done through the amendment process,” Krayem said.