House Small Business Committee Announces Cybersecurity Bill

Representatives Derek Kilmer (D-WA) and Richard Hanna (R-NY), backed by the leaders of the House Small Business Committee, introduced a bill ( H.R. 5064) to help small businesses improve their cyber defenses. Under the bill, Small Business Development Centers (SBDC)—which are hosted by universities and state agencies and receive funding from the SBA—would implement a strategy, to be developed jointly by the SBA and DHS, to help small business develop their cyber programs.

House Passes Federal Trade Secret Bill

On Wednesday, the House passed the Defend Trade Secrets Act of 2016 ( S. 1890), a bill that authorizes trade secret owners to file a civil action in federal court seeking relief for trade secret misappropriation. The bill, which many see as an important tool for businesses to go after so-called “insider threats” and other cyber thieves, easily cleared the House, with a vote of 410-2. The bill, which was previously approved by the Senate by a vote of 87-0, now heads to the President’s desk for signature.

House Committee Marks Up Bill to Help with State and Local Cybersecurity

On Thursday, the House Homeland Security Committee approved the National Cybersecurity Preparedness Consortium Act ( H.R. 4743). The bill, introduced by Representative Joaquin Castro (D-TX), is intended to help state and local officials combat cyber attacks. Specifically, the bill would authorize DHS to work with the National Cybersecurity Preparedness Consortium, a group of five universities, to train state and local first responders. The bill would also require DHS to conduct outreach to other universities in an effort to work together on state and local cyber response.

Senate Committee Approves IoT Bill

On Wednesday, the Senate Commerce Committee approved the Developing Innovation and Growing the Internet of Things (DIGIT) Act ( S. 2607). Among other things, the bipartisan bill would establish a group of federal and private sector officials charged with developing recommendations to Congress on privacy and security concerns regarding the Internet of Things.

Sector-Specific Updates 

• Automotive. According to a new GAO report released this week on automotive cybersecurity, the Department of Transportation needs to better define its role and clarify how it would work with other agencies and stakeholders following a cyber attack on cars, including developing a more detailed plan to help auto companies respond to the threat. The report also noted that it would not be until at least 2018 until the National Highway Traffic Safety Administration determines whether it needs to implement cybersecurity regulations for connected cars. On Thursday, four House members established a new bipartisan caucus, the House Smart Transportation Caucus, focused on connected and self-driving cars. Two of the members, Representatives Joe Wilson (R-SC) and Ted Lieu (D-CA), recently co-sponsored the Security and Privacy (SPY) Car Study Act, a bill that would launch a cross-sector investigation into vehicle cybersecurity.
• Financial Services. On Thursday, Deputy Treasury Secretary Sarah Bloom Raskin hosted a meeting on cybersecurity with leaders from a number of federal financial regulatory agencies. During the meeting, White House homeland security adviser Lisa Monaco briefed the group on threats, and the group discussed progress in addressing cybersecurity challenges for the financial sector, how to increase cybersecurity information-sharing, facilitating coordination on cybersecurity supervisory policies and approaches, and building additional response and recovery capabilities.
• Government Agencies. On Thursday, GAO released a report concluding that, while the SEC has improved its information security by addressing previously-identified weaknesses, there is still room for the agency to improve its security controls to better protect financial systems and data. The report particularly highlighted the need to consistently (1) protect access to its systems, (2) manage system configurations, (3) separate incompatible duties, and (4) update contingency and disaster recovery plans.
• Government Contractors. On Thursday, the DoD Chief Information Officer published a Federal Register notice reopening comments on its cyber incident reporting rule. Specifically, the agency is seeking comment on (1) whether the proposed collection of information is necessary for the proper performance of the agency’s function, including whether the information will have a practical utility; (2) the accuracy of the agency's estimate of the burden of compliance with the notice requirement; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of the information collection on respondents, including using automated collection techniques or other forms of information technology.
• Healthcare. HHS’s Office of Civil Rights (OCR) issued audit protocol guidelines for its recently-announced HIPAA audits. Key areas to be investigated by OCR include breach notification procedures, employee training, controls around employee access to personal health information, risk assessments, security officers, and compliance of business associates with HIPAA requirements.