Rep. Blackburn (R,TN) introduced HR 1770,
the Data Security and Breach Notification Act of 2015. This is a bill
addressing requirements for the breach of personally identifiable information stored
in electronic systems.
As such I normally would not cover the bill in this blog.
But, the bill was marked up in the House Energy and Commerce Committee the day
after it was introduced and there was an amendment made to the bill that might
get interpreted as applying to industrial control system breaches.
Notification Requirements
The bill requires that a covered entity notify an individual
of any breach that results in a release of personally identifiable information “not
later than 30 days after completing” {§3(c)(1)} the necessary investigations outlined in the bill.
Originally the bill used a fairly standard definition of
personally identifiable information used in the trigger of the notification
requirements. An amendment offered by Rep. Kinzinger (R,IL), however, added to
that definition:
“A user name or email address, in combination
with a password or security question and answer that would permit access to an
online account.” {§5(10)(B)(vi)}
Control Systems Covered?
Since the term ‘online account’ is not defined in the bill,
it could be argued (nobody can say how successfully until a judge rules on
the argument) that a control system could be considered an ‘online account’.
There are other requirements in the bill that might mitigate that requirement,
but they could also be argued around.
As a general rule, I don’t think that it would occur to most
cyber security officers to specifically notify an operator if there were a
breach in the control system that resulted in the operator’s log-on
information being compromised, and I certainly don’t think that it was Blackburn’s
intent that this specific situation would be included in the actions required
by her bill.
Off the top of my head, I can only think of one circumstance
where this might make it to a judge for a decision on the merits of the argument.
That would be in a wrongful termination lawsuit where a control system
operator was dismissed for doing something wrong based upon something that was
done on the control system. If during discovery the lawyer found out that there
had been a security breach where log-on information may have been compromised,
he might be able to use the failure to make the notifications required under
this act as a bargaining tool to get the company to agree to a deal on the
wrongful termination suit.
I would certainly agree that that would be a circumstance
not considered by the crafters of this bill, but it is an example (and probably
not the only possible one) of how the use of loosely defined or undefined terms
in legislation can have unintended consequences.
Moving Forward
The fact that this bill was considered, amended and ordered
reported favorably the day after it was introduced indicates that there is some
political pull (Blackburn is Vice Chair of the Committee, after all) that may be
able to move this bill to the floor of the House. I don’t see anything that
would argue against its passage. The 29 to 20 vote in committee indicates that
there isn’t a lot of bipartisan support for the bill. This would mean that the
bill would have to be considered under regular order to pass.
Without at least some measure of bipartisan support
(probably due to floor amendments) this bill will not get considered in the
Senate.
Unless something more substantially control system security
related is added to this bill, I doubt that it will be mentioned again in this
blog.