Friday, April 24, 2015

HR 1770 Introduced – Breach Notification

Rep. Blackburn (R,TN) introduced HR 1770, the Data Security and Breach Notification Act of 2015. This is a bill addressing requirements for the breach of personally identifiable information stored in electronic systems.

As such I normally would not cover the bill in this blog. But, the bill was marked up in the House Energy and Commerce Committee the day after it was introduced and there was an amendment made to the bill that might get interpreted as applying to industrial control system breaches.

Notification Requirements

The bill requires that a covered entity notify an individual of any breach that results in a release of personally identifiable information “not later than 30 days after completing” {§3(c)(1)} the necessary investigations outlined in the bill.

Originally the bill used a fairly standard definition of personally identifiable information used in the trigger of the notification requirements. An amendment offered by Rep. Kinzinger (R,IL), however, added to that definition:

“A user name or email address, in combination with a password or security question and answer that would permit access to an online account.” {§5(10)(B)(vi)}

Control Systems Covered?

Since the term ‘online account’ is not defined in the bill, it could be argued (nobody could say how successfully until a judge ruled on the argument) that a control system could be considered an ‘on-line account’. There are other requirements in the bill that might mitigate that interpretation, but they could also be argued around.

As a general rule, I don’t think that it would occur to most cyber security officers to specifically notify an operator if there were a breach in the control system that resulted in the operator’s log-on information being compromised, and I certainly don’t think that it was Blackburn’s intent that this specific situation would be included in the actions required by her bill.

Off the top of my head, I can only think of one circumstance where this might make it to a judge for a decision on the merits of the argument. That would be in a wrongful termination lawsuit where a control system operator was dismissed for doing something wrong based upon something that was done on the control system. If during discovery the lawyer found out that there had been a security breach where log-on information may have been compromised, he might be able to use the failure to make the notifications required under this act as a bargaining tool to get the company to agree to a deal on the wrongful termination suit.

I would certainly agree that that would be a circumstance not considered by the crafters of this bill, but it is an example (and probably not the only possible one) of how the use of loosely defined or undefined terms in legislation can have unintended consequences.

Moving Forward

The fact that this bill was considered, amended and ordered reported favorably the day after it was introduced indicates that there is some political pull (Blackburn is Vice Chair of the Committee, after all) that may be able to move this bill to the floor of the House. I don’t see anything that would argue against its passage. The 29 to 20 vote in committee indicates that there isn’t a lot of bipartisan support for the bill. This would mean that the bill would have to be considered under regular order to pass.

Without at least some measure of bipartisan support (probably due to floor amendments) this bill will not get considered in the Senate.

Unless something more substantially control system security related is added to this bill, I doubt that it will be mentioned again in this blog.
