2017 Legislative Priorities
Passing the Cybersecurity Information Sharing Act of 2015 (CISA) was ASIS’s top cyber policy priority last year. The new law establishes a voluntary information-sharing program to help strengthen businesses’ resilience against cyberattacks.
CISA gives businesses legal certainty that they have safe harbor when sharing cyber threat data with, and receiving it from, other businesses or government agencies to mitigate cyber incidents. The law offers protections related to public disclosure, regulatory, and antitrust matters in order to increase the timely exchange of information among public and private entities. CISA also safeguards individuals’ privacy and civil liberties and establishes appropriate roles for government agencies.
ASIS will continue to press lawmakers and the next administration to be an ally to security practitioners as they implement the CISA program. For example, the government could make it easier for companies to create a regulatory safe zone where they can more effectively share information about cyber threats. ASIS also calls on businesses to join an information-sharing body and take advantage of the CISA system as appropriate. The network of voluntary and protected information-sharing bodies needs to grow. ASIS will continue to promote CISA implementation among our membership and peers.
Data Breach Notification
ASIS supports federal data breach legislation that would preempt state notification laws. Despite continual congressional interest spurred by highly publicized data breaches, and despite the overarching desire to have a federal data breach notification law to replace the current patchwork of 47 state laws, Congress has yet to pass a bill.
The 114th Congress has seen some progress in the form of new bills and committee action, but further action is now stalled by disagreements among members. In the House, the Energy and Commerce Committee approved H.R. 1770, the Data Security and Breach Notification Act, in April 2015. The measure would create standards for the way companies protect against and respond to data breaches, and would enable the Federal Trade Commission and state attorneys general to enforce those standards.
In the Senate, a half dozen different data breach bills are in play, but none have gained substantial momentum. The bills all preempt state law to varying degrees. ASIS will continue following these bills and working to support a federal law to streamline the nearly 50 different state laws on data breach notification.
Trade secret theft costs U.S. businesses hundreds of billions of dollars each year. The Economic Espionage Act (EEA) of 1996 makes trade secret theft a crime, but the Department of Justice lacked the resources to prosecute many such cases. State courts are not well suited to working across state and national boundaries to facilitate discovery, serve defendants or witnesses, or to prevent a party from leaving the country. Federal legislation was needed to address these problems, and to empower companies to protect their intellectual property in federal court.
For years, ASIS has been advocating for federal legislation to curtail the theft of trade secrets and intellectual property by making long overdue updates to the EEA. The Defend Trade Secrets Act of 2016 was introduced to address this issue. ASIS worked with Congress and industry groups to push for passage, and on May 11, 2016, the bill was signed into law. This landmark law represents the most significant trade secret reform legislation in several decades.
The new law creates a uniform standard of federal criminal penalties for foreign economic espionage and trade secret theft and allows federal courts to grant injunctions and damages. Under the measure, state laws continue to apply and state courts continue to have jurisdiction over state law claims. The new law has been embraced by companies and associations, and represents a major victory for the protection of intellectual property.