Last Tuesday, two new bipartisan senate bills was proposed to increase notification and create/enhance information sharing by Senators Mark Kirk (R) and Kirsten Gillibrand (D) where introduced to congress.
The following is what was transcribed.
By Mr. KIRK (for himself and Mrs. Gillibrand): A bill to require notification of information security breaches and to enhance penalties for cyber criminals, and for other purposes.
Mrs. GILLIBRAND: Mr. President, I rise to speak about two bipartisan bills that would help to modernize the way this country approaches cyber security.
Congress needs to get with the times and realize that the Internet is no longer a new concept. Swiping a credit card, conducting online banking, storing prescription records online–these are not new activities. The cloud is no longer new. Hackers are no longer new. So why are we still so taken aback, in shock, every time we suffer another major cyber attack? Why are we still not requiring that consumers be notified when their information has been stolen? Why aren’t we unleashing law enforcement to go after cyber criminals?
If we want to defend against 21st-century threats, then we have to bring our laws into the 21st century. We have to get out of the mindset that the only way we can be hurt is from an actual physical attack. Hackers don’t operate on battlefields; they operate in basements and in cubicles.
Our approach to cyber security so far has been certifiably wrong. We have the largest defense budget in the world by far, but that hasn’t stopped our hospitals and banks from falling victim to a near constant barrage of attacks. Last year, data breaches in this country hit a record high; they were up more than 27 percent from the year before. In New York State, between 2006 and 2013, we had nearly 5,000 individual data breaches that were reported by businesses, not-for-profits, and government entities. In the same period, 23 million personal records of New Yorkers were exposed to criminals. And that is just my home State.
Imagine how big that number actually is nationwide.
We are long overdue for a new national approach to cyber security, and I am introducing two bills that would finally make this happen. The first is the Data Breach Notification and Punishing CyberCriminals Act. It would set, for the first time, a national standard for how and when victims of cyber attacks will be informed. When an attack takes place on a business, for example, one that has your financial data or medical information, this law would require that you be informed quickly, with information about what was targeted, what was taken, and whether you were personally affected. This bill would seriously increase the penalties on people found guilty of hacking and cyber crime. It would raise the allowable fines and imprisonment sentences for many of the most common cyber crimes, including identity theft and theft of personal information.
The second bill is the Cybersecurity Information Sharing Credit Act–a bill that would incentivize America’s businesses to share cyber security information critical to preventing attacks, without having to involve their competitors. Instead, businesses would be encouraged, with significant tax credits, to adopt the preferred, most efficient method for information sharing; that is, membership in private, sector-specific cyber security networks designed to protect an industry, such as health care and hospitals, from attack. At the individual level, companies, hospitals, and banks can only do so much to protect us. Any good cyber defense has to involve information sharing so that patterns can be recognized, industries can bolster their defenses, and the same hacks aren’t just repeated over and over again.
To modernize America’s approach to cyber security, we as individuals have to take action, companies have to take action, law enforcement has to take action, and local governments must take action. Most importantly and most urgently, Congress has to take action. We desperately need to modernize our cyber security laws. I urge my colleagues to support these two bills.