January 2015: Top Six Issues in Cybersecurity
Co-authored by Ellen Cornelius and Markus Rauschecker – CHHS Senior Law and Policy Analysts as well as Adjunct Professors for Law and Policy of Cybersecurity at the University of Maryland School of Law
Not a day goes by when we don’t hear about yet another cyber incident. With more and more high-profile cyber hacks occurring, government, the private sector, and individuals are looking for solutions, but also wondering what’s next.
Here are the top six cybersecurity issues we see for the coming year:
- Sony Hack – The fallout from one of the largest hacks ever will continue. Administration officials have repeatedly stated that North Korea is responsible for the hacks at Sony. President Obama signed an executive order initiating new sanctions against North Korea and stating that it perpetrated acts of cyber vandalism rather than acts of cyber war. The recent hack highlighted the need for information sharing between and among the private sector and government.
- CISPA – The Cyber Intelligence Sharing and Protection Act (CISPA) of 2014 was re-introduced to counter the cyber-attacks that have compromised personal information, trade secrets, and infrastructure. Civil liberties advocates have been working against the bill due to concerns that it does not defend citizens’ privacy. Some businesses have been proponents of CISPA because it provides liability protection if a company shares data regarding cyber threats. Individuals, companies, and the government could voluntarily share cyber threat information for cybersecurity, and they would be required to guard against the distribution of personally identifiable information. Furthermore, the government’s use of the information would be limited to cyber-related purposes. President Obama is expected to meet with officials at the Department of Homeland Security (DHS) and create an entity that would develop best practices for existing public-private information sharing centers.
- Cyber Standard of Care for Critical Infrastructure and Businesses – As businesses face an increase in the number of lawsuits resulting from data breaches, courts will be looking for a standard of care that businesses should have been upholding as they sought to protect their data. Absent any legislative standard, courts may well consider the National Institute of Standards and Technology (NIST) Cybersecurity Framework to determine liability for data breaches. Businesses have a vested interest in implementing the Framework’s best practices, if they are not doing so already.
- Net Neutrality – The Federal Communications Commission (FCC) supports an open internet, meaning that it is free, publicly available, and largely responsive in the same way to all users. In 2010, the FCC issued a rule requiring transparency (network management practices, performance characteristics, and terms and conditions of broadband services) for broadband internet access service providers. In 2015, the FCC is looking to promulgate strong rules regarding an open internet; however, it is likely to face opposition from broadband internet service providers. It is unclear how these rules will apply to wireless carriers, but wireless carriers may be exempt if they can show that they handle mobile data separately from telephone service.
- Data Breach Notification – President Obama supports legislation that would require companies to report online data breaches. The Personal Data Notification and Protection Act (PDNPA) would set a national standard rather than rely on a mishmash of individual state laws to compel companies to notify their customers. PDNPA sets a 30-day timer on companies that have discovered that their customers’ data has been hacked. President Obama has already signed an executive order so that government payment cards utilize chip and PIN technology rather than signatures, which are easy to counterfeit.
- Personal Data Privacy – Consumers and customers are becoming more concerned about their online privacy. Many are demanding greater protections of their communications and personally identifiable information. They also want to know how their personal information is being collected and how it is used. In this regard, President Obama will propose the Student Data Privacy Act (SDPA) to protect data that is collected regarding students. As teachers use tablets, online services, and internet-connected software, technology firms are collecting students’ information, even though students have not opted into this data collection. Without President Obama’s proposed law, there is the potential that, down the road, firms may use the data for advertising and marketing purposes without students’ consent.