<div dir="ltr"><div dir="ltr"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://www.scmagazine.com/home/security-news/top-cybersecurity-legislation-of-2019/">https://www.scmagazine.com/home/security-news/top-cybersecurity-legislation-of-2019/</a></div><div dir="ltr"><br></div><div dir="ltr"><p><strong>It’s the law…almost</strong></p>
<p>2018 may go down as the year the EU’s GDPR went into effect, but
legislators domestically kept busy introducing and passing legislation
meant to bolster the U.S.’s cybersecurity and privacy postures.</p>
<p><strong>California Privacy Act</strong></p>
<p>After a rush to get legislation done so a ballot measure slated for
the November election could be pulled by the withdrawal deadline, the
California State Assembly passed the California Consumer Privacy Act of
2018, which many privacy pros peg as the foundation of an eventual U.S.
GDPR-type law. The act, set to take effect in 2020, is the most
stringent of its kind in the U.S. “With the breaking news of the
dramatic passage of California’s new privacy law, AB 375, the strictest
privacy measure in the nation, along with the coming into force of the
European GDPR and SCOTUS decision in Carpenter – it’s clear privacy has
risen to the top of policymakers’ agenda worldwide,” said Omer Tene,
Chief Knowledge Officer of the International Association of Privacy
Professionals (IAPP). “Now, industry will need to adapt.” Support for a
national law that addresses privacy issues has grown. Apple CEO Tim Cook
recently said that his company is “in full support of a comprehensive
federal privacy law in the United States.”</p>
<p>Cook called the argument made by some tech companies that they could
“never achieve technology’s true potential” if they are “constrained by
privacy regulation” not only “just wrong,” but also destructive. “We
will never achieve technology’s true potential without the full faith
and confidence of the people who use it,” he said, noting that
legislation should be based on users having the right to access the
data companies collect and to security. “Security is foundational to
trust and all other privacy rights.”</p>
<p><strong>National breach notification law</strong></p>
<p>A bill introduced by the House Financial Services Committee would
amend the Gramm-Leach-Bliley Act (GLBA) to include a national breach
notification law for the financial industry that would supersede the
multitude of state laws.</p>
<p>“It is going to take better cooperation from all my colleagues and
the industries that handle consumer data in order to advance additional
meaningful changes,” the author of the bill, Rep. Blaine Luetkemeyer,
R-Mo., said in a statement. “At some point, there will be another major
breach, and without a comprehensive solution our constituents will pay
the price for our inaction.”</p>
<p><strong>State of California’s SB 327 –</strong><a href="https://techbeacon.com/secure-iot-not-just-good-idea-its-law-california"><strong> Information privacy: connected devices</strong></a><strong> act</strong></p>
<p>California’s IoT law applies to manufacturers of devices or those who
have a device manufactured on their behalf for sale in California. It
does not, however, apply to devices purchased for resale, even if they
are privately labeled, and some <a href="http://www.mondaq.com/unitedstates/x/743698/IT+internet/Californias+IoT+Security+Law+Will+This+Law+Really+Improve+Security">legal experts</a>
feel “the law is ambiguous in many respects, and will likely create
significant challenges in its implementation and effectiveness,”
according to Sudhakar Ramakrishna, CEO, Pulse Secure.</p>
<p><a href="https://www.congress.gov/bill/115th-congress/house-bill/6663?q=%7B%22search%22%3A%5B%22Secure+Elections+Act%22%5D%7D&r=1"><strong>Secure Elections Act</strong></a></p>
<p>Introduced in December 2017 by Sen. James Lankford, R-Okla., the
proposed legislation in many ways resembles the Protecting American
Votes and Elections Act of 2018 bill. It would eliminate paperless
voting machines, replacing them with paper ballots. It also encourages
states to perform post-election audits. In June 2018, the bill, which
was <a href="https://www.scmagazine.com/home/security-news/government-and-defense/white-house-pans-election-security-act/">panned</a>
by a White House that said DHS has the needed statutory authority to
assist states, was submitted to the Congressional Committee on Rules and
Administration, and hearings were held. But the legislation has not
progressed since then.</p>
<p><strong>Cybersecurity and Infrastructure Security Agency Act </strong><br></p>
<p>In November, the president signed <a href="https://www.congress.gov/115/bills/hr3359/BILLS-115hr3359rh.pdf">H.R. 3359</a>, legislation that redesignates the <a href="https://www.scmagazine.com/search/DHS/">Department of Homeland Security’s</a> National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA). <a href="https://www.scmagazine.com/$shortname/$version/scmag/US/journal/article/631162.json">Introduced by Rep. Michael McCaul (R-Tex.)</a>,
the bill, known as the Cybersecurity and Infrastructure Security Agency
Act of 2017, amends the Homeland Security Act of 2002. According to a
Congressional <a href="https://www.congress.gov/bill/115th-congress/house-bill/3359?q=%7B%22search%22%3A%5B%22h.r.+3359%22%5D%7D&r=1">bill summary</a>,
the legislation states that CISA would be “headed by a Director of
National Cybersecurity and Infrastructure Security to lead national
efforts to protect and enhance the security and resilience of U.S.
cybersecurity, emergency communications, and critical infrastructure.”
This restructured agency would consist of a cybersecurity division, an
infrastructure security division and an emergency communications
division.</p>
<p><strong>NIST Small Business Cybersecurity Act</strong></p>
<p>A year and nearly four months after the measure was introduced, the <a href="https://www.gpo.gov/fdsys/pkg/BILLS-115s770enr/pdf/BILLS-115s770enr.pdf">NIST Small Business Cybersecurity Act</a>
was officially signed into law. Originally proposed as H.R. 2105 in
April 2017, the act was later absorbed into U.S. federal law S.770, and
requires the director of the National Institute of Standards and
Technology, within one year of the law’s passing, to issue
guidance and a consistent set of resources to help SMBs identify, assess
and reduce their cybersecurity risks. S.770 also tasks NIST, a division
of the U.S. Commerce Department, with considering the needs of small
businesses when developing these recommendations, which among other key
qualities should be widely applicable and technology-neutral and
“include elements that promote awareness of simple, basic controls, a
workplace cybersecurity culture, and third-party stakeholder
relationships.”</p>
<p><strong>ENCRYPT Act</strong><br></p>
<p>A bipartisan group of representatives has put forth a bill to create a
national encryption standard that would supersede any similar standards
created on the state or local levels. Representatives Ted W. Lieu,
D-Calif., Mike Bishop, R-Mich., Suzan DelBene, D-Wash., and Jim Jordan,
R-Ohio, reintroduced the Ensuring National Constitutional Rights for Your
Private Telecommunications (ENCRYPT) Act. If enacted, the bill would
ensure a uniform, national policy for the interstate issue of encryption
technology. “As a computer science major, I can tell you that having 50
different mandatory state-level encryption standards is bad for
security, consumers, innovation, and ultimately law enforcement,” Lieu
said. Bishop agreed, saying the concept of having a central repository is
key to defending the nation against cyberattacks.</p>
<p><strong>CLOUD Act</strong></p>
<p>Rights groups sounded the alarm over the Clarifying Lawful Overseas
Use of Data (CLOUD) Act, ostensibly meant to streamline the process
through which law enforcement accesses data across borders, saying that
it instead would circumvent Fourth Amendment protections and put human
rights activists at risk. The act would essentially provide a “backdoor”
for law enforcement at home and abroad to access emails, chat logs,
videos and photos, “without following the privacy rules where the data
is stored,” according to an Electronic Frontier Foundation (EFF) blog <a href="https://www.eff.org/deeplinks/2018/03/new-backdoor-around-fourth-amendment-cloud-act">post</a>.
The CLOUD Act backdoor “operates much in the same way” as provisions
under Section 702 of the FISA Amendments Act that let police “search,
read and share” private communications without obtaining a warrant, the
post states. Essentially, “U.S. police could obtain Americans’ data, and
use it against them, without complying with the Fourth Amendment.”</p>
<p><strong>Russian sanctions legislation</strong></p>
<p>Determined to show Russia the full wrath of the U.S. government for
its interference in the 2016 presidential election, a bevy of Democratic
and Republican senators pushed a bill that would, according to Sen.
Lindsey Graham, R-S.C., “impose crushing sanctions and other measures”
on the nation-state until Russian President Vladimir Putin puts a halt
to meddling in U.S. elections and cyberattacks on critical
infrastructure. The legislation <a href="https://www.lgraham.senate.gov/public/index.cfm/press-releases?ID=E4AC5E4C-EFD0-4F25-9808-745E1737EF65">reiterates</a>
the U.S.’s support for NATO and would require a two-thirds vote to exit
the organization. Interference in elections would be grounds for
refusing to allow immigration to the U.S. The bill includes an <em>International Cybercrime Prevention Act</em>
that would let prosecutors “shut down botnets and other digital
infrastructure that can be used for a wide range of illegal activity”
while the <em>Defending the Integrity of Voting Systems Act </em>would let the Justice Department “pursue federal charges for the hacking of any voting system that is used in a federal election.”</p>
<p><strong>FISA Amendments Authorization Act</strong></p>
<p>A six-year extension to the much-debated Section 702 of the Foreign
Intelligence Surveillance Act (FISA) made its way to the White House for
the president to sign in January after the Senate gave it a nod by a
vote of 65 to 34.</p>
<p>But not without some confusion and controversy. Prior to an earlier
House vote, President Trump posted a pair of contradictory tweets over
his take on the proposed legislation that momentarily <a href="https://www.scmagazine.com/$shortname/$version/scmag/US/journal/article/736429.json">threw</a>
lawmakers into confusion over his position. “We’re disappointed with
the passage of the FISA Amendments Reauthorization Act and the
misleading statements supporters of the bill made about the collection
of communications, the process by which these records are obtained by
the FBI, and the alternatives offered by privacy-minded members of the
House and Senate like Justin Amash, Mike Lee, Rand Paul, and others,”
FreedomWorks Vice President of Legislative Affairs Jason Pye said in a
statement. </p>
<p><strong>Cyber Diplomacy Act</strong></p>
<p>A bipartisan group of lawmakers cheered the passage of the Cyber
Diplomacy Act (H.R. 3776) by the House of Representatives. The bill was
introduced by Rep. Edward Royce, R-Calif., and Elliot Engel, D-N.Y., in
September 2017 and will now move on to the Senate. If signed into law,
the Cyber Diplomacy Act would require the government to secure and
implement commitments from other countries on proper cyberspace
behavior. This would include generating agreements between nations to
not support cybercriminal activity such as theft of intellectual
property, cooperate in developing measures to keep their territories
clear of intentionally wrongful acts using information and
communications technology (ICT) in violation of international
commitments and promote securely-designed ICT products.</p><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span style="font-size:10pt"></span></b><span style="font-size:10pt"></span><span style="font-family:arial,helvetica,sans-serif"></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>