Sunday, July 12, 2015

HR2977 Introduced – Breach Notification

Last week Rep. Cicilline (D,RI) introduced HR 2977, the Consumer Privacy Protection Act of 2015. While the bulk of this bill is yet another personally identifiable information breach notification bill, it does (as I suspected) include criminal statute provisions that are not directly related to breach notification. Two of those provisions may have effects on control system security issues.

Those two provisions are:

Section 103. Authority to shut down botnets.
Section 104. Deterring the development and sale of computer and cell phone spying devices.

Section 103 only actually refers to ‘botnets’ in the title of the section. What it actually does is amend 18 USC 1345 to specifically allow the use of injunctive relief to stop activities “violating section 1030(a)(5) [18 USC 1030] where such conduct would damage (as defined in section 1030), 100 or more protected computers (as defined in section 1030) during any 1-year period, including by denying access to or operation of the computers, installing unwanted software on the computers, using the computers without authorization, or obtaining information from the computers without authorization” {new §1345(a)(1)}.

The §1030(a)(5) violation really targeted for shutting down botnets would be found in sub-paragraph (A): “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”. This would also apply to other types of remote attacks, including drive-by download attacks via third-party web sites.

It is clear from the new paragraph (c) that is also added to §1345 that, with regard to botnets, the bill intends the AG to use this power to seek injunctions against third party service providers that are not culpable in the operation of the botnet. That paragraph allows the AG to include in the petition for injunction provisions that {new §1345(c)(2)}:

Specify that no cause of action shall lie in any court against a person for complying with the restraining order, prohibition, or other action; and
Provide that the United States shall pay to such person a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in complying with the restraining order, prohibition, or other action.

Sale of Computer and Cell Phone Spying Devices

Section 104 does not attempt to make it illegal to sell computer or cell phone spying devices; that is apparently already covered under 18 USC 2512. What it does do is amend 18 USC 1956 by adding a violation of §2512 to the list of ‘specified unlawful activity’ covered by the money laundering prohibition of §1956. This would allow the government to go after the money trail of those that do sell computer and cell phone spying devices.

Moving Forward

Cicilline is a relatively low ranking Democrat on the House Judiciary Committee, one of three committees assigned to consider this bill. The two provisions described above would be under the purview of the Judiciary Committee. It is unlikely that he would have the pull to get this bill considered in that committee and certainly not in the Energy and Commerce Committee or the Financial Services Committee. With a number of other breach notification bills wandering through the House, it is extremely unlikely that this bill will be considered by anyone.
