Senate Committee Passes Cyber Reporting Bill, Eyes NDAA
The Senate Homeland Security and Governmental Affairs Committee passed cyber incident reporting legislation Wednesday. It plans to attach the bill to the National Defense Authorization Act, mirroring efforts in the House (see 2110010045).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Senate Intelligence Committee Chair Mark Warner, D-Va., told us he and other committee members want to continue negotiating (see 2109230065) with Senate Homeland Security Committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, to increase the chances of passing the bill with the NDAA.
The Senate Commerce Committee tackled privacy and data security in a separate hearing Wednesday. Chair Maria Cantwell, D-Wash., said she wants to address privacy and data security in the same legislative effort if possible, citing the growth in data breaches over the past year. The committee was also planning to have discussed subpoena options Wednesday with its general counsel to determine how to access documents that Facebook refuses to share, she told us: “We’ll find out what we have access to, and then we’ll make a decision.”
The HSGAC passed the Cyber Incident Reporting Act during the markup. The bill would require critical infrastructure to report incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours. Three days is the right balance, said Portman. He told us he and Peters shifted their time frame to better align with legislation from Warner, Senate Intelligence Committee ranking member Marco Rubio, R-Fla., and Susan Collins, R-Maine. The HSGAC bill would also require entities to give notice of ransomware payments within 24 hours.
“It is our intent to get it into NDAA,” said Peters during the hearing. He called the NDAA a collaborative process and said discussions will continue over the next few weeks. “I hope we can agree this is not something we can wait on,” he said: “Cybercriminals are not waiting. They’re actively engaged today.” The bill passed by voice vote with Sens. Rick Scott, R-Fla.; Ron Johnson, R-Wis.; and Rand Paul, R-Ky.; voting no. S.2875 is “substantially similar” to the bill introduced by the Senate Intelligence Committee, said Portman.
Warner said he’s having active discussions with Peters and Portman about merging efforts. The chances of getting it into NDAA go up “dramatically if we combine these efforts,” he said: “These conversations have been great.” He noted the White House was involved in legislative discussions before his committee.
During the Senate Commerce Committee hearing, ranking member Roger Wicker, R-Miss., asked if data security requirements should be included in a privacy law, as suggested by Cantwell.
All witnesses -- ex-FTC Consumer Protection Bureau Director Jessica Rich, now at Kelley Drye; ex-FTC Chief Technologist Ed Felten, professor emeritus at Princeton University; Engine Executive Director Kate Tummarello; and Identity Theft Resource Center Chief Operating Officer James Lee -- said yes. Rich qualified her response, saying she wouldn’t want cyber negotiations to hold the difficult process of negotiating a privacy law. Enacting a data security law on its own would substantially improve data protection, she said.
After the hearing, Cantwell noted that then-Chairman John Thune, R-S.D., tabled cyber discussions to focus on privacy. They’re both complex, but there has been a lot of commonality from members, said Cantwell. She also noted a lot of agreement from witnesses.
Wicker asked witnesses if they agreed a preemptive privacy law isn’t necessarily weaker than existing state laws. The witnesses agreed, with Rich saying the federal standard needs to be strong. Wicker asked which state has the strongest data breach law. Lee said Maine, which provides the strongest data on breaches. California was the genesis, and New York has a strong data breach law, said Lee.
Sen. Tammy Baldwin, D-Wis., noted Equifax’s failure to properly patch its network in its 2017 breach, and Colonial Pipeline didn’t use multifactor authentication when it was hacked earlier this year. Both failures required basic tools to avoid, she said. She asked the witnesses how to get companies to deploy common-sense practices. Baseline practices ought to be followed, and an FTC rulemaking could establish those basic practices, said Felten. Tummarello agreed but said the FTC needs to account for the size and scale of companies. Startups can follow basic requirements, but more complicated requirements require flexibility based on each individual company, she said: The FTC should provide a menu of options.
Data security laws should cover biometric data, said Rich. Aside from the FTC Act and partly the Health Insurance Portability and Accountability Act, there’s no federal law mandating security for biometric data, she said. Felten agreed biometric data is an issue requiring special attention. Tummarello agreed biometric requirements could be tightened, but she warned Congress against limiting opportunities to use the technology in innocuous and innovative ways.