The Cybersecurity Act of 2012 (CSA) as amended is significantly more complex than cybersecurity legislation passed in April by the House of Representatives. In its most recent version, the CSA would mobilize the federal government to, among other things:
- Form a multi-agency Council to inventory and conduct “cyber risk assessments” of industry sectors considered vulnerable to cyber-based attack.
- Categorize certain types of industries as “critical cyber infrastructure” based on such assessments and a list of enumerated criteria.
- Require reporting of all significant “cyber incidents” by the owners of such critical cyber infrastructure; such requirements would go beyond the requirements of existing data breach notification laws.
- Develop new security standards and use significant incentives to promote adoption by industry—incentives that some have described as inevitably leading to mandates.
Other parts of the Senate legislation would amend FISMA (the framework law that guides the information security efforts of federal civilian agencies); promote and protect information sharing between government and industry; and support enhanced R&D and education efforts on cybersecurity.
Congressional efforts to address cybersecurity risk are certain to continue, so these and other proposals bear watching. Perhaps even more significant in the near term is the Administration’s reported intention to use its existing authority to enhance industry and government practices in this area.
This blog entry was contributed by Harriet Pearson, a Partner in the Privacy and Information Management group in Hogan Lovells’ Washington, DC office.