[BreachExchange] New Cybersecurity Bills Promote CISOs and Privacy

Destry Winant destry at riskbasedsecurity.com
Fri Oct 25 10:04:19 EDT 2019


https://www.securityweek.com/new-cybersecurity-bills-promote-cisos-and-privacy

Two bills, currently in the Senate, have the potential to change the
U.S. cybersecurity landscape if passed into law. The first is the
'Cybersecurity Disclosure Act of 2019', introduced by Senator Jack
Reed (D-RI) on 28 February 2019. The second is the 'Mind Your Own
Business Act of 2019', introduced by Senator Ron Wyden (D-OR) last
week on 17 October 2019.

The Cybersecurity Disclosure Act of 2019 is a relatively small change
of wording to the Cybersecurity Disclosure Act of 2017, but with
potentially far-reaching effects. There are three relevant paragraphs
in the new act. The first, which is unchanged from the 2017 version,
requires the disclosure of whether anybody at board level has
cybersecurity expertise, and the nature of that expertise, in the
organization's annual report or annual proxy statement to the
Securities and Exchange Commission (SEC).

The second paragraph is amended. Wording changes from "what other
cybersecurity steps taken by the reporting company were taken into
account" to "what other aspects of the reporting company's
cybersecurity were taken into account by any person..." There is now
more focus on the existing cybersecurity posture and a 'person' to be
involved.

The third paragraph in both versions of the act says the FTC should
consult with NIST, with reference to the NIST SP 800-181 Cybersecurity
Workforce Framework, to "define what constitutes expertise or
experience in cybersecurity... using commonly defined roles..."

The NIST document does not define a chief information security officer
role or tasks (the title is mentioned just three times). Nevertheless,
it is difficult to see how the position of the 'person' as required by
the new act, could be fulfilled by any single person other than an
organizational CISO or CSO. The effect of the new act will therefore
increase pressure on organizations to have a named CISO with a voice
on the board as the most efficient way of fulfilling the legal
requirement.

It should be noted that this is not the stated purpose of the act. In
describing his act, Jack Reed said, "This legislation advances that
goal [bolstering our nation's cybersecurity] by encouraging publicly
traded companies to be more transparent about whether and how their
Boards of Directors and senior management are prioritizing
cybersecurity."

Noticeably, the New York Department of Financial Services' 23 NYCRR
500 regulation, which served a similar purpose but for financial
entities in the state of New York, did not hesitate to demand that a
CISO should be designated as a "qualified individual responsible for
overseeing and implementing the Covered Entity's cybersecurity program
and enforcing its cybersecurity policy."

The second bill is Ron Wyden's new Mind Your Own Business Act (MYOB),
which focuses on protecting user privacy, and is far more explicit in
its demands. If passed into law, it will effectively become a federal
privacy law, and -- under the Constitution's Supremacy clause -- could
supersede existing state laws covering the same areas. But this is not
the tame federal law
https://www.securityweek.com/senate-panel-hear-internet-execs-privacy-po...
that many fear will come from big tech lobbying for a federal law.

The bill will effectively turn the FTC into a European-style data
protection regulator. Wyden's statement describes it as "the authority
to be an effective cop on the beat." It also empowers the FTC to hire
"175 more staff to police the largely unregulated market for private
data."

The most important state-level privacy law is the California Consumer
Protection Act (CCPA), due to come into effect in January 2020. A
comparison of the two acts could throw light on the potential future
progress of the MYOB bill. Both aim to give consumers greater control
over the way in which personal data is used by corporations. However,
the MYOB bill is 'stronger' in some areas and 'weaker' in others.

One area in which it is much stronger than the CCPA is in the
introduction of prison time for executives that misuse Americans' data
and lie about those practices to the government. Wyden is very clear
about this. "Mark Zuckerberg won't take Americans' privacy seriously
unless he feels personal consequences. A slap on the wrist from the
FTC won't do the job, so under my bill he'd face jail time for lying
to the government," he explained.

Prison sentences for privacy infringements are not a new idea outside
of the U.S. The UK's ICO has been calling for this since at least
2011. In November 2017, Mike Shaw, enforcement group manager and head
of the ICO's criminal investigations team, said, "In the future, we
would like to see custodial sentences introduced as a sentencing
option for the courts in the most serious cases."

While it is stronger than CCPA against executives, MYOB is weaker in
financial sanctions against the corporation. It uses the same 4% of
global revenue introduced by GDPR.

In 2018, Facebook's global revenue was $55.8 billion. If the Cambridge
Analytica incident occurred under the jurisdiction of the MYOB bill,
the maximum potential fine would be $2.232 billion (4% of revenue). If
it occurred under CCPA, the maximum potential fine would be $50.25
billion ($7,500 times the number of affected California residents).
The MYOB bill will consequently give the California DA less
flexibility in sanctioning major transgressors, and is unlikely to be
welcomed by states with their own privacy bills.

Vested interests -- privacy activists and privacy vendors -- will most
likely welcome MYOB. Lecio de Paula, data privacy director at
awareness training firm KnowBe4, comments, "As long as privacy
advocates continue to make their voices heard, this bill has a lot of
potential to be able to help solve some of the privacy and security
challenges we have in the United States today."

He sees benefits in the MYOB approach. "Many organizations are simply
just 'ok' with receiving a fine and a slap on the wrist -- which we
have seen with the past few FTC fines of the large tech players," he
said. "When an executive is held personally accountable, that's when
things start to change. Secondly, for the most part, the resources at
the FTC's disposal have been scarce, but they have been making do with
what they have. If the FTC is able to obtain more authority and
resources to start cracking down on organizations that are violating
basic privacy and security principles, we will start to see a new
standard set for businesses, which would allow them to begin taking a
privacy-first approach to tackling new challenges and creating new
products."

But there remain many doubts whether this could ever become law. Bill
Ender, CISO Advisor and Investor at RightBrainCISO, told SecurityWeek,
"There are a couple of inclusions there that would give some corporate
executives a coronary: 10 - 20-year criminal penalties, corporate
taxes tied to executive salaries."

He continued, "The clarification 'that the bill does not preempt any
state law' is curious. So, if a state doesn't have its own CCPA-like
law -- which might not include the abovementioned executive-related
penalties, privacy breaches in that state would be subject to this
federal legislation which could apply those penalties? I'm guessing
the majority of states would take issue with that."

His conclusion is simple: "I doubt it would pass in its current form."

