Showing posts with label Breach Notification. Show all posts

Sunday, December 13, 2015

HR 4187 Introduced – Breach Notification

Last Tuesday Rep. Schakowsky (D,IL) introduced HR 4187, the Secure and Protect Americans’ Data Act. This is a very comprehensive personal data protection and breach reporting act that gives the FTC regulatory authority over these matters.

New Regulations

The FTC is required to promulgate regulations pertaining to the requirements for securing ‘personal information’ {§2} and reporting breaches that result in “personal information [that] was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose” {§3(a)(1)}.

The definition of personal information {§5(6)} is quite extensive and includes a wide variety of identification information. Items of particular interest to readers of this blog include:

• Unique biometric or genetic data such as a faceprint, fingerprint, voice print, a retina or iris image, or any other unique physical representations {§5(6)(v)};
• Information that could be used to access an individual’s account, such as user name and password or email address and password {§5(6)(vi)};
• An individual’s first and last name or first initial and last name and any security code, access code, or password, or source code that could be used to generate such codes or passwords {§5(6)(vii)};
• Digitized or other electronic signature {§5(6)(xi)};
• Nonpublic communications or other user-created content such as emails, photographs, or videos {§5(6)(xi)}; and
• Any additional element the Commission defines as personal information {§5(6)(xiv)}.

Moving Forward

Ms. Schakowsky is the Ranking Member of the Commerce, Manufacturing and Trade Subcommittee of the House Energy and Commerce Committee, the Committee to which this bill was referred for consideration. While none of the seven co-sponsors are Republicans, they do include other influential members of the Committee, including Rep. Pallone (D,NJ), the Ranking Member. There is a chance that this bill could be considered in Committee. If it does get recommended out of Committee, then it could move to the floor for consideration, probably under a rule.

Commentary

With all of the big name data breaches that we have seen over the last couple of years, a number of data breach bills have been introduced in the 114th Congress, and this probably will not be the last. This bill is, however, one of the most comprehensive and wide reaching that I have seen. It does not, for example, contain a minimum breach size or database size below which the regulator would not be involved.

Most breach legislation to date has been more specifically targeted at IT processes and financial information in particular. Looking at the list above of covered personal information that I abstracted from the bill, it is quite clear that the staff writing this bill was greatly expanding the types of information included, and thus the range of businesses that would potentially be covered by the resulting regulations.

Because there is no minimum size for a covered breach, even the loss of a single user name/password combination would technically be covered. This could directly affect attacks on control systems where that information was (or could have been) taken by the attacker. We have seen a large number of vulnerabilities over the last couple of years that specifically put this information at risk (hard-coded or default credentials, credentials stored or transmitted in the clear, and authentication bypasses that expose them).


I don’t currently see Congress taking on this bill due to its extremely comprehensive coverage. That could easily change if we have a series of very public credit card breaches over the holidays or some unusual type of large breach in a previously unaffected sector.

Wednesday, December 9, 2015

Bills Introduced – 12-08-15

With both the House and Senate in session yesterday there were 27 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 4187 To require certain entities who collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security involving such information, and for other purposes. Rep. Schakowsky, Janice D. [D-IL-9]

HR 4188 Coast Guard Authorization Act of 2015. Rep. Hunter, Duncan D. [R-CA-50]

S 2372 A bill to require reporting of terrorist activities and the unlawful distribution of information relating to explosives, and for other purposes. Sen. Feinstein, Dianne [D-CA]


HR 4187 is yet another breach notification bill. I’ll check it for any ICS references (unlikely) otherwise it probably will not get mentioned again.

The CG Authorization Act has already been published by the GPO (an indication that the House leadership intends to move forward with consideration sooner rather than later). A quick check of the section listings shows no specific mention of chemical safety, chemical security or MTSA, so I will not be doing my normal analysis of the bill. I will, however, keep an eye on it as it meanders through the legislative process for any interesting amendments.


The Feinstein bill is not one that I would typically cover in this blog, but it does strike a personal chord, as it looks like one of those knee-jerk reactions to terrorist attacks that cause so many unforeseen problems down the line. The fact that Feinstein is the Ranking Member of the Senate Intelligence Committee and her co-sponsor is the Chair means that this bill is likely to be going places.

Sunday, July 12, 2015

HR2977 Introduced – Breach Notification

Last week Rep. Cicilline (D,RI) introduced HR 2977, the Consumer Privacy Protection Act of 2015. While the bulk of this bill is yet another personally identifiable information breach notification bill, it does (as I suspected) include criminal statute provisions that are not directly related to breach notification. Two of those provisions may have effects on control system security issues.

Those two provisions are:

Section 103. Authority to shut down botnets.
Section 104. Deterring the development and sale of computer and cell phone spying devices.

Botnets

Section 103 only actually refers to ‘botnets’ in the title of the section. What it actually does is amend 18 USC 1345 to specifically allow the use of injunctive relief to stop activities “violating section 1030(a)(5) [18 USC 1030] where such conduct would damage (as defined in section 1030), 100 or more protected computers (as defined in section 1030) during any 1-year period, including by denying access to or operation of the computers, installing unwanted software on the computers, using the computers without authorization, or obtaining information from the computers without authorization” {new §1345(a)(1)}. Note that the 100-computer threshold is measured over a one-year period, so a slow-moving campaign that compromises a few machines a week would still qualify.

The §1030(a)(5) violation really targeted for shutting down botnets would be found in sub-paragraph (A): “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”. This would also apply to other types of remote attacks, including drive-by download attacks via third-party web sites.

The new paragraph (c) that is also added to §1345 makes it clear that, with regard to botnets, the bill intends the Attorney General (AG) to use this power to seek injunctions against third-party service providers (hosting companies, domain registrars and the like) that are not themselves culpable in the operation of the botnet. That paragraph allows the AG to include in the petition for injunction provisions that {new §1345(c)(2)}:

Specify that no cause of action shall lie in any court against a person for complying with the restraining order, prohibition, or other action; and
Provide that the United States shall pay to such person a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in complying with the restraining order, prohibition, or other action.

Sale of Computer and Cell Phone Spying Devices

Section 104 does not attempt to make it illegal to sell computer or cell phone spying devices; that is apparently already covered under 18 USC 2512. What it does do is amend 18 USC 1956 by adding a violation of §2512 to the list of ‘specified unlawful activity’ covered by the money laundering prohibition of §1956. This would allow the government to go after the money trail of those who sell computer and cell phone spying devices, rather than having to prove the underlying §2512 violation against each seller.

Moving Forward


Cicilline is a relatively low ranking Democrat on the House Judiciary Committee, one of three committees assigned to consider this bill. The two provisions described above would be under the purview of the Judiciary Committee. It is unlikely that he would have the pull to get this bill considered in that committee, and certainly not in the Energy and Commerce Committee or the Financial Services Committee. With a number of other breach notification bills wandering through the House, it is extremely unlikely that this bill will be considered by anyone.

Thursday, July 9, 2015

Bills Introduced – 07-08-15

Yesterday there were 44 bills introduced in the House and Senate. Only one of those may be of specific interest to readers of this blog:

HR 2977 To ensure the privacy and security of sensitive personal information, to prevent and mitigate identity theft, to provide notice of security breaches involving sensitive personal information, and to... Rep. Cicilline, David N. [D-RI-1]


This is yet another breach notification bill. The current bill title/description includes some interesting phrases that go beyond breach notification: “to enhance law enforcement assistance and other protections against security breaches, fraudulent access”. It will be interesting to see what the bill actually says about these topics.

Saturday, May 2, 2015

Bills Introduced – 05-01-15

Forty-five bills were introduced in the House yesterday (the Senate was not in session). Three of those bills may be of specific interest to readers of this blog:

HR 2200 To amend the Homeland Security Act of 2002 to establish chemical, biological, radiological, and nuclear intelligence and information sharing functions of the Office of Intelligence and Analysis of... Rep. McSally, Martha [R-AZ-2]

HR 2204 To clarify the authority of States and political subdivisions thereof to regulate liquefied petroleum gas rail transload facilities that are owned or operated by or on behalf of a rail carrier. Rep. McGovern, James P. [D-MA-2]

HR 2205 To protect financial information relating to consumers, to require notice of security breaches, and for other purposes. Rep. Neugebauer, Randy [R-TX-19]

HR 2200 will probably see action because McSally is chair of the subcommittee to which this bill will probably be assigned for consideration. As a military veteran she has expressed a personal interest in CBRN issues.

As pressures rise to require the reduction of crude oil volatility the handling of liquefied petroleum gas will become more of an issue. McGovern is not on the House Transportation Committee, however, so HR 2204 will probably not go anywhere.


HR 2205 is yet another breach notification bill. Neugebauer is a senior member of the House Financial Services Committee (one of two committees assigned to consider the bill) so there may be enough political will to get this bill to consideration.

Friday, May 1, 2015

Bills Introduced – 04-30-15 Senate

There were 51 bills introduced in the Senate yesterday. Because of the late adjournment of the House this morning (1:48 am EDT) the bills introduced yesterday in the House are not yet available on www.Congress.gov. Of the bills introduced in the Senate two may be of specific interest to readers of this blog:

S 1158 A bill to ensure the privacy and security of sensitive personal information, to prevent and mitigate identity theft, to provide notice of security breaches involving sensitive personal information... Sen. Leahy, Patrick J. [D-VT]

S 1175 A bill to improve the safety of hazardous materials rail transportation, and for other purposes. Sen. Wyden, Ron [D-OR]

S 1158 is another breach notification bill and likely does not contain language pertinent to industrial control systems. If that is the case there will be no further mention of the bill in this blog.

S 1175 is probably another bill dealing with the crude oil train situation with low likelihood of being considered in the Senate.


NOTE: There is a US-Canadian DOT press conference scheduled for 9:30 am EDT concerning the design of new flammable liquid railcars and potentially some other crude oil train changes. It has not been billed as a release of the HHFT final rule, though some portions of the HHFT are expected to be discussed.

Friday, April 24, 2015

HR 1770 Introduced – Breach Notification

Rep. Blackburn (R,TN) introduced HR 1770, the Data Security and Breach Notification Act of 2015. This is a bill addressing the requirements that follow a breach of personally identifiable information stored in electronic systems.

As such I normally would not cover the bill in this blog. But, the bill was marked up in the House Energy and Commerce Committee the day after it was introduced and there was an amendment made to the bill that might get interpreted as applying to industrial control system breaches.

Notification Requirements

The bill requires that a covered entity notify an individual of any breach that results in a release of personally identifiable information “not later than 30 days after completing” {§3(c)(1)} the necessary investigations outlined in the bill.

Originally the bill used a fairly standard definition of personally identifiable information used in the trigger of the notification requirements. An amendment offered by Rep. Kinzinger (R,IL), however, added to that definition:

“A user name or email address, in combination with a password or security question and answer that would permit access to an online account.” {§5(10)(B)(vi)}

Control Systems Covered?

Since the term ‘online account’ is not defined in the bill, it could be argued (nobody could say how successfully until a judge ruled on the argument) that a control system operator’s log-on could be considered an ‘online account’. There are other requirements in the bill that might limit that reading, but they could also be argued around.

As a general rule, I don’t think that it would occur to most cyber security officers to specifically notify an operator if there were a breach in the control system that resulted in the operator’s log-on information being compromised, and I certainly don’t think that it was Blackburn’s intent that this specific situation would be included in the actions required by her bill.

Off the top of my head, I can only think of one circumstance where this might make it to a judge for a decision on the merits of the argument. That would be a wrongful termination lawsuit where a control system operator was dismissed for something that was done on the control system. If during discovery the lawyer found out that there had been a security breach where log-on information may have been compromised, he might be able to use the failure to make the notifications required under this act as a bargaining tool to get the company to agree to a deal on the wrongful termination suit.

I would certainly agree that that would be a circumstance not considered by the crafters of this bill, but it is an example (and probably not the only possible one) of how the use of loosely defined or undefined terms in legislation can have unintended consequences.

Moving Forward

The fact that this bill was considered, amended and ordered reported favorably the day after it was introduced indicates that there is some political pull (Blackburn is Vice Chair of the Committee, after all) that may be able to move this bill to the floor of the House. I don’t see anything that would argue against its passage. The 29 to 20 vote in committee indicates that there isn’t a lot of bipartisan support for the bill. This would mean that the bill would have to be considered under regular order to pass.

Without at least some measure of bipartisan support (probably due to floor amendments) this bill will not get considered in the Senate.


Unless something more substantially control system security related is added to this bill, I doubt that it will be mentioned again in this blog.

Wednesday, April 22, 2015

Bills Introduced – 04-21-15

Yesterday there were 59 bills introduced in the House and Senate. It was a big day for cybersecurity legislation with four bills introduced:

HR 1918 To amend title 18, United States Code, to provide for clarification as to the meaning of access without authorization, and for other purposes. Rep. Lofgren, Zoe [D-CA-19]

S 1023 A bill to amend the Internal Revenue Code to provide a refundable credit for costs associated with Information Sharing and Analysis Organizations. Sen. Moran, Jerry [R-KS]

S 1027 A bill to require notification of information security breaches and to enhance penalties for cyber criminals, and for other purposes. Sen. Kirk, Mark Steven [R-IL]

S 1030 A bill to amend title 18, United States Code, to provide for clarification as to the meaning of access without authorization, and for other purposes. Sen. Wyden, Ron [D-OR]

HR 1918 and S 1030 are the latest iterations of Aaron’s Law, in memory of Aaron Swartz. They would narrow the CFAA’s ‘access without authorization’ language and decriminalize some grey area hacking.

S 1023 would probably have some fairly limited application, but it should encourage cybersecurity information sharing every bit as much as current legislation specifically targeting that sharing. This is likely the last mention of this bill in this blog.


S 1027 is another breach notification bill that probably only affects IT system breaches. Unless there is specific mention of control systems in this bill this is the last time that I will mention this bill.

Thursday, April 16, 2015

Bills Introduced – 04-15-15

Yesterday there were 69 bills introduced in the House and Senate. Of those only two may be of specific interest to readers of this blog:

HR 1804 To protect the public, communities across America, and the environment by increasing the safety of crude oil transportation by railroad, and for other purposes. Rep. McDermott, Jim [D-WA-7]

S 961 A bill to protect information relating to consumers, to require notice of security breaches, and for other purposes. Sen. Carper, Thomas R. [D-DE]

We see a continuing interest in crude oil train regulations by some members of Congress, HR 1804 being just the latest. I don’t think that we will see any real movement on this issue until bills start being drafted by Republicans. As always, a serious derailment in an urban area, or one that otherwise results in significant loss of life or really gross destruction, will completely change the legislative picture.


S 961 appears to be just a breach notification bill. If there are no specific mentions of industrial control system related issues, this will be the last time that this bill is mentioned.

Thursday, January 29, 2015

Bills Introduced – 1-28-15

Yesterday there were 87 bills introduced in the House and Senate. Only one may be of specific interest to readers of this blog:

HR 580 - To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach. Rep. Rush, Bobby L. [D-IL-1]


If this is just an IT breach notification law as it appears to be then this will be the last mention of the bill in this blog.