The Small Business Cyber Training Act of 2017
Senator James Risch (R-ID) introduced “The Small Business Cyber Training Act of 2017” at the end of June, when it was referred to the Senate Committee on Small Business and Entrepreneurship.[i] The bill would amend a section of the Small Business Act to “require cyber certification for small business development center counselors.” If passed, the Small Business Administration would be required to establish a program to assist small businesses by developing a cyber counseling program. Small businesses tend to be easy targets for hackers because they serve as vendors for larger companies, which provides an entry point into those companies’ systems. For example, the Target breach that occurred a few years ago involved hackers accessing systems via an HVAC vendor whose customer was a local Target store. Once inside the vendor’s system, the hackers gained access to the vendor’s network and, from there, to Target’s network. Once they entered Target’s network, the rest was history.[ii]
The challenge facing legislation tailored to small businesses is the common perception that cybersecurity is a very expensive proposition. Because of this perception, many small businesses are faced with deciding between investing in a potentially costly proactive plan or waiting for a data breach to occur and cleaning up the mess after the fact. In most cases, it appears that small businesses prefer to do nothing: why invest in something that may or may not happen? Unfortunately, the businesses that believe proactive cybersecurity planning is too expensive are the ones typically targeted, and they ultimately lose not only data but also customers and their reputation.
The International Communications Privacy Act
“The International Communications Privacy Act,”[iii] originally introduced by Senator Orrin Hatch (R-UT) in 2016 and reintroduced in July 2017, would amend the Electronic Communications Privacy Act (18 U.S.C. 2510-22)[iv] to include measures to safeguard data stored abroad. The proposal calls for the U.S. Department of Justice to obtain a warrant in order to access any information that is stored on servers outside the United States. The legislation requires that the Department of Justice follow the normal protocol of notifying a foreign government of its intent to file a warrant only if the foreign government has no objection to the warrant. If the foreign government objects, the matter will be taken before a judge, who will decide whether the U.S. interest in the data that is the subject of the warrant outweighs the foreign government’s refusal.
This legislation is relevant because of a pending matter involving the U.S. Department of Justice and Microsoft over the use of a warrant to retrieve data that is stored in Ireland.[v] As the legislation begins the review process through designated committees, we will be keeping an eye on potential changes to the text, as the international policy implications behind such a bill could very well change. Additionally, there has been a common trend among international trade communities to treat customers’ information as a commodity. Several nations have begun passing laws requiring that their nationals’ data be stored within their own country rather than abroad, unless the foreign company or country meets their data privacy standards.
The Internet of Things (IoT) Cybersecurity Improvement Act of 2017
The third and final bill involves the inter-networking of electronic devices and products connected to the Internet that are capable of collecting and exchanging data (such as “wearables” like Apple Watches or Fitbits, “smart home” products like Nest or Amazon’s Echo, and even connected cars),[vi] otherwise known as the Internet of Things (“IoT”).[vii] Introduced by Senator Mark Warner (D-VA) on August 1 and referred to the Committee on Homeland Security & Governmental Affairs, “The Internet of Things (IoT) Cybersecurity Improvement Act of 2017” calls for the Federal government to develop cybersecurity standards that vendors would agree to comply with if they wish to sell their products to the Federal government.[viii] (The official text of the proposed bill should be updated by the Government Publishing Office after the August recess.)[ix] As more products become dependent on the Internet and allow for more extensive collection and exchange of personal data, they create more opportunities for hackers to gain access to private information. Requiring vendors to comply with either the Government’s cybersecurity standard or the industry’s standard will benefit us all, because that standard will be used when these same products are introduced to the commercial market. This requirement for cybersecurity compliance by vendors is especially important following the massive data breach experienced by the Office of Personnel Management in June 2015. The Office of Personnel Management lost the personnel files of millions of active and retired government employees. The breach was an embarrassment to the agency because the stolen files included those of spies, and the breach exposed how badly protected the agency’s network was against hacking.[x]
In closing, these three bills are examples of attempts by Congress to become proactive in addressing cybersecurity issues. With constantly evolving technology come new and improved ways to utilize these tools. The three proposed bills discussed above address three different aspects of cybersecurity and the impact it has on the global community: the importance of enabling small businesses to assess their data privacy needs; the global impact and aspects involved in cybersecurity; and the potential uses and abuses provided by new technology.
As these bills progress through the Senate, it is important to diligently assess the parameters of current technology while at the same time ensuring that regulations do not hinder innovation. Following the August recess, the Senate will begin reviewing these bills, during which time we will continue to provide updates and insight into the potential changes to come.
[i] The Small Business Cyber Training Act of 2017, S. 1428, 115th Cong. (2017).
[ii] For more information on the Target data breach, see “Learning from the Target Data Breach.”
[iii] The International Communications Privacy Act, S. 1671, 115th Cong. (2017).
[iv] 18 U.S.C. 2510-22, full text.
[v] For more information on the case between the DOJ and Microsoft, see “Microsoft vs. DOJ Round 2.”
[vi] For examples of products capable of connecting to the IoT, see “Internet of Things Devices, Applications & Examples.”
[vii] For more information on the Internet of Things, see “Simple Explanation of the Internet of Things That Anyone Can Understand.”
[viii] The Internet of Things (IoT) Cybersecurity Improvement Act of 2017, S. 1691, 115th Cong. (2017).
[ix] The text of S. 1691, as introduced by Sen. Warner, can be viewed here.
[x] To learn more about the OPM breach, see “Congressional Report Slams OPM on Data Breach.”