This statement was originally published on eff.org on 13 January 2015.
More needs to be done to protect cyberspace and enhance computer security. But President Obama’s cybersecurity legislative proposal recycles old ideas that should remain where they’ve been since May 2011: on the shelf. Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act, and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.
Information Sharing
The status quo of overweening national security and law enforcement secrecy means that expanded information sharing poses a serious risk of transferring more personal information to intelligence and law enforcement agencies. Given that the White House rightly criticized CISPA in 2013 for potentially facilitating the unnecessary transfer of personal information to the government or other private sector entities when sending cybersecurity threat data, we’re concerned that the Administration proposal will unintentionally legitimize the approach taken by these dangerous bills.
Instead of proposing unnecessary computer security information sharing bills, we should tackle the low-hanging fruit. This includes strengthening the current information sharing hubs and encouraging companies to use them immediately after discovering a threat. As we’ve previously noted, much information is already being shared through Information Sharing and Analysis Centers (ISACs), public reports, private communications, and the DHS’s Enhanced Cybersecurity Services. All of these institutions represent robust information sharing hubs that are underutilized and under-resourced. It also includes persistent education of end users, since it’s well known that many security breaches are due to employees downloading malware. Yet another key solution is to follow basic security precautions: The New York Times reported that the JP Morgan hack occurred because of a server that had not been updated.
Increased Criminalization
The administration’s proposals to increase penalties in the Computer Fraud and Abuse Act are equally troubling. We agree with the President: “Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime”; however, the past two years of surveillance disclosures have shown that law enforcement certainly doesn’t need more legal authorities to conduct digital surveillance or prosecute criminals. As former White House Chief Counselor for Privacy Peter Swire said in 2011, “today [is] a golden age for surveillance.” And when it comes to increased criminalization, we’ve often noted the already excessive—and redundant—penalties for crimes performed with computers.
Federal Data Breach Law
The President’s legislative proposal also follows up on yesterday’s announcement to pursue a federal data breach law. Consumers have a right to know when their data is exposed, whether through corporate misconduct, malicious hackers, or under other circumstances. Over 38 states already have some form of breach notification law—so the vast majority of Americans already get some protection on this score. While the President has not yet released detailed legislative language, the Administration’s May 2011 Cybersecurity legislative proposal would preempt state notification laws, removing the strong California standard and replacing it with a weaker standard. Any such proposal should not become a backdoor for weakening transparency or state power, including the power of state attorneys general and other non-federal authorities to enforce breach notification laws.
Many of these proposals are old ideas from the administration’s May 2011 Cybersecurity legislative proposal and should be viewed skeptically. While the Administration information sharing proposal may have better privacy protections than dangerously drafted bills like CISPA, we think the initial case for expanding information sharing requires much less secrecy about how intelligence and law enforcement agencies collect and use data on our networks. And instead of increasing penalties under the Computer Fraud and Abuse Act, we’ve long advocated common sense reform to decrease them.
As with any legislation, the devil is in the details, and we’ll continue to monitor the situation.