Comprehensive and costly cyber security breaches at high profile institutions such as Sony, Target and Home Depot have brought the issue of cyber security into the public eye and into the national security conversation. Indeed, President Obama will be addressing this novel threat in his State of the Union Address on Tuesday, January 20th, 2015. In an effort to allay the growing public fear of continued cyber attacks, the President will likely highlight a number of proposals designed to ensure that "cybercriminals...feel the full force of American justice." While this recent remark from President Obama seems to indicate that the President's focus will be squarely on bolstering criminal sanctions for would-be cybercriminals, Representative John Conyers, Jr. (D-MI-13) has already introduced legislation that encourages private entities to take a more proactive and aggressive approach in safeguarding individuals' data from these cybercriminals.
H.R. 104, better known as the Cyber Privacy Fortification Act of 2015, provides for criminal and civil penalties in the event a private entity intentionally fails to notify an individual of a cyber security breach involving the individual's "sensitive personally identifiable information." While Representative Conyers, Jr.'s 2013 iteration of this bill failed to escape committee, this security issue's turn in the public limelight has generated renewed optimism that the 2015 version of this piece of legislation will not meet the same fate as its predecessor. Indeed, H.R. 104, introduced on January 6th, 2015, has already garnered one co-sponsor in Representative Henry "Hank" C. Johnson, Jr. (D-GA-4) and has been referred to the House Committee on the Judiciary. Below is the Congressional Research Service's summary of H.R. 104:
- Amends the federal criminal code to provide criminal penalties for intentional failures to provide required notices of a security breach involving sensitive personally identifiable information. Defines "sensitive personally identifiable information" as specified electronic or digital information.
- Defines "security breach" as a compromise of the security, confidentiality, or integrity of computerized data that there is reason to believe has resulted in improper access to sensitive personally identifiable information.
- Requires a person who owns or possesses data in electronic form containing a means of identification and who has knowledge of a major security breach of the system containing such data maintained by such person to provide prompt notice to the U.S. Secret Service or the Federal Bureau of Investigation.
- Defines "major security breach" as any security breach that involves: (1) a means of identification pertaining to at least 10,000 individuals that is reasonably believed to have been acquired, (2) databases owned by the federal government, or (3) a means of identification of federal employees or contractors involved in national security matters or law enforcement.
- Authorizes the Attorney General and any state attorney general to bring civil actions and obtain injunctive relief for violations of federal laws relating to data security.
- Requires federal agencies as part of their rulemaking process to prepare and make available to the public privacy impact assessments that describe the impact of certain proposed and final agency rules on the privacy of individuals.
- Sets forth authority for agencies to waive or delay certain privacy impact assessment requirements for emergencies and national security reasons.
- Directs federal agencies to periodically review promulgated rules that have a significant privacy impact on individuals or a privacy impact on a substantial number of individuals. Requires agencies to consider whether each such rule can be amended or rescinded in a manner that minimizes any such impact while remaining in accordance with applicable statutes.
- Provides access to judicial review to individuals adversely affected or aggrieved by final agency action on any such rule.