In an election year, the number of significant bills enacted by Congress declines dramatically. With three of the leading presidential candidates currently serving terms in the U.S. Senate, and 34 Senate seats and all House seats up for election, it seems unlikely that the legislature will address any controversial legislation in 2016.
Generally, the percentage of bills passed versus those introduced during any congressional session is low. The Pew Research Center, which tracks the productivity of Congress by session, deemed the 113th Congress, which ran from 2013-2015, one of the least productive in recent history, enacting into law only 3% of the more than 9,000 bills introduced. As of this January, the current Congress has only enacted 1% of over 7,000 bills introduced. These grim statistics make it all the more likely that new bills, such as those introduced involving cybersecurity, will not soon become law.
There was progress last December, however, when the Cybersecurity Act of 2015 (CSA) was passed as a part of the federal spending bill. CSA intends to help prevent breaches of consumer data by creating a framework for the voluntary sharing of cyberthreat information between private companies and the federal government. By providing companies with legal immunity for disclosing when they are hacked, the federal government hopes to be better able to warn other companies of a potential breach.
In February, President Obama rolled out his Cybersecurity National Action Plan (CNAP), a culmination of seven years of efforts to improve cybersecurity. This comprehensive plan will invest roughly $19 billion to ensure that companies can protect and defend against hackers, U.S. citizens are educated on how to protect their identities, and the government protects the private information in its possession.
Lawmakers and the administration agree that CSA and CNAP are a strong first step in the cybersecurity battle. With the continued prevalence of large-scale data breaches, however, they may not be strong enough. Delaying the various cyber bills currently stuck in congressional committees due to election-related interests could prove costly for companies and affect risk managers across the board.
For risk professionals, a major concern regarding cybersecurity is the lack of uniformity of the laws governing notifications following a data breach. According to the National Conference of State Legislatures (NCSL), 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have notification requirements for breaches of personal information. In 2016, at least 20 states have introduced or are considering security breach notification bills or resolutions.
Further complicating the issue, some states provide a private right of action, which permits individuals to file civil suits against companies that violate these notification requirements. Without a universal federal law on notification, companies that do business in multiple jurisdictions are at risk of failing to comply with state statutes in the event of a breach. These legal proceedings would further inflate breach costs.
There are a number of pending bills that seek to relieve companies of this burden by allowing for a federal reporting standard for breach notification. For example, Rep. Marsha Blackburn (R-Tenn.) sponsored the Data Security and Breach Notification Act of 2015, which would create the first uniform national policy for notification and replace inconsistent state laws. The proposed legislation would require companies to contact customers not only if their information was stolen by cybercriminals, but also if those criminals merely accessed the information. The bill also gives the Federal Trade Commission the power to issue penalties to companies that go against the rules it outlines.
Opponents argue that consolidating notification requirements into a single law would hurt consumers by replacing state laws, some of which are stronger and more comprehensive. But the bill’s co-sponsor, Rep. Peter Welch (D-Vt.), has stated that the bill’s intent is to protect consumers and that it may be strengthened before it goes to a full vote.
As congressional debates continue, the passage of this and similar bills seems like a long shot. But if a significant cybersecurity or privacy breach were to occur, the push to pass standalone cybersecurity or privacy reforms could be renewed, making cybersecurity one area where Congress might make an exception in this election year.