ISACA special report on Obama's law


HIGHLIGHTS

National Standard for Breach Notification

Cybersecurity Information Sharing

Digital Privacy for Students

Combatting Cybercrime

Smart Grid Customer Data Privacy

Consumer Privacy Bill of Rights

Cybersecurity Summit

©2015 ISACA. ALL RIGHTS RESERVED

ISACA is pleased to bring you this special report detailing the various cybersecurity and identity theft proposals outlined by the Obama Administration over the last week and highlighted in the State of the Union address. ISACA will periodically provide updates on cybersecurity legislation as well as on other important cybersecurity issues on www.isaca.org/cyber/pages/cybersecuritylegislation.aspx.

In the wake of numerous high profile breaches over the last year, U.S. President Obama this week used his State of the Union address to urge Congress to pass legislation focused on cybersecurity. In public appearances leading up to his annual address to Congress, the President outlined a series of proposals to help reduce the impact of future cyberattacks, culminating in his call to action during the State of the Union. The Administration also sent suggested legislative language to Congressional leadership, much of which has roots in an earlier cybersecurity proposal that the White House put forward in 2011.

As President Obama noted in his address, “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”

According to ISACA’s 2015 Global Cybersecurity Status Report survey, 46 percent of respondents expect a cyberattack to strike their organizations in 2015. In addition, due to recent cyberattacks and occurrences of identity theft, the White House estimates that more than 100 million Americans have had their personal data compromised. As a result, the Administration is proposing a multi-pronged approach to address various facets within the cybersecurity realm.

NATIONAL STANDARD FOR BREACH NOTIFICATION

The Administration’s proposed Personal Data Notification and Protection Act would create a national standard for data breach notification. Under this proposal, companies would generally be required to notify customers of a security breach within 30 days of its discovery. Companies covered under this requirement are those that use, access, transmit, store, dispose of, or collect sensitive personally identifiable information (PII) regarding 10,000 or more individuals during any 12-month period.

Comment: Currently there is no national standard, and most states have differing laws that make compliance cumbersome for businesses. The proposed national standard would supersede more than 45 existing state laws, streamlining and simplifying the process for both businesses and consumers.

Under the proposal, companies may provide notice by telephone, in writing to the last known home mailing address, or via email if the individual has consented to receive such notice. If the PII of more than 5,000 residents of a state is part of the same breach, notice must also be provided to local media in that state. Regardless of method, any notice must include a description of the type of information breached, a toll-free number that individuals may use to contact the company to learn what information it maintains about them, and the contact information for the major credit reporting agencies and the Federal Trade Commission.

In certain cases, companies would also be required to notify the Department of Homeland Security of the breach.

Business impact: Companies must provide notification within 30 days of the discovery of a breach, unless they are able to demonstrate to the Federal Trade Commission that extra time is necessary to determine the scope of the breach, prevent further disclosures, conduct a risk assessment, restore the integrity of the data system, or provide notice to the appropriate federal entity. Notification may also be delayed if the Federal Bureau of Investigation or U.S. Secret Service determines that sensitive information would be compromised.

Companies would be exempt from notice requirements if a risk assessment conducted by or on behalf of the business entity determines that the security breach did not and will not in the future result in harm to the individuals whose information was breached. For example, if the breached data were rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the information security industry, there will be a presumption that no reasonable risk exists. Encryption is the obvious case, and in practice the assessment should document where the encryption keys were held and whether the attacker could have reached them: data whose key was taken in the same incident is not indecipherable to the attacker.

Such a risk assessment must be conducted according to standards generally accepted by experts in the field of information security, and the company must have retained logs of the affected data for at least six months prior to submitting the assessment. In addition, a company invoking the risk assessment exemption must notify the Federal Trade Commission of its exemption along with the results of the risk assessment performed.

Under the proposal, a security breach is defined as a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in the unauthorized acquisition of sensitive PII, or access to sensitive PII for an unauthorized purpose.

Comment: A compromise that occurs in the course of a law enforcement investigation or an intelligence activity is excluded from this definition. Similarly, if the U.S. Secret Service or Federal Bureau of Investigation determines that notifying individuals of a breach would impede the ability of law enforcement to conduct an investigation, breach notification is not required.

The proposal would also allow criminal prosecution for the theft and sale of U.S.-issued credit card numbers, even when those attacks come from outside the United States.

Comment: According to ISACA’s 2015 Global Cybersecurity Status Report survey, 76 percent of respondents agree or strongly agree with President Obama’s proposal to notify consumers of a data breach within 30 days of its discovery, but 55 percent believe that “concern over corporate reputation” is the greatest challenge companies would face with this requirement.

CYBERSECURITY INFORMATION SHARING

Another prong of the Administration’s proposal seeks to better enable cybersecurity information sharing between the private sector and government, thereby better protecting information systems and more effectively responding to cybersecurity incidents. The proposed legislation authorizes private entities to share cyber threat indicators, such as information describing or identifying malicious reconnaissance, technical vulnerabilities, or malicious cyber command and control, with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) and private sector information sharing and analysis organizations. The NCCIC will then share this information with relevant federal agencies in as close to real time as practicable.

Companies may use and retain cyber threat indicators only for the purpose of protecting an information system, identifying and mitigating threats to it, or reporting a crime. Companies are also required to remove unnecessary personally identifiable information before sharing and to take measures to protect any personal information that must be shared.

Participation in this program is entirely voluntary. To foster participation, targeted liability protection would be provided for companies that share information with these entities. The proposed legislation provides that no civil or criminal action may be brought in federal or state court for the voluntary disclosure of lawfully obtained cyber threat information that the company was not otherwise required to disclose. The information shared would also be exempt from disclosure under the Freedom of Information Act and may not be used as evidence in any regulatory enforcement action.

Business impact: In order to qualify for the liability protection, companies would need support from their executive teams and Boards of Directors to establish a repeatable process to anonymize and share data. As such, companies will need to determine whether it is more cost effective to purchase their own cyber insurance or to establish that process and assign the necessary resources to obtain the protection that participation provides.

The proposal further requires the Department of Homeland Security and the Office of the Attorney General, in consultation with other federal agencies, to develop guidelines for the receipt, retention, use, and disclosure of cyber threat indicators by federal entities. These guidelines would require the government to limit the acquisition, use, and retention of PII and to destroy or anonymize information unrelated to a cyber threat; to limit law enforcement use of shared indicators to computer crime, threats of death or serious harm, or serious threats to a minor; and to preserve the confidentiality of proprietary information.
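The PII-minimisation step the sharing rules describe (remove unnecessary personal information, protect what must be shared, and make the process repeatable) is the part a security team actually has to build before it can hand indicators to the NCCIC or an information sharing organization. The following is an added example written for this report; it is not ISACA, DHS or NCCIC code, and the record layout, field names, sample indicator and salt are all constructed for illustration.

```python
"""Minimise PII in a cyber threat indicator before sharing it externally.

Added example for this report; not ISACA, DHS or NCCIC code. The record
schema, field names, the sample indicator and the salt are all constructed
(hypothetical) for illustration.
"""
import hashlib
import ipaddress
import re

# Fields that describe the threat itself and are what a recipient needs.
INDICATOR_FIELDS = {"indicator_type", "c2_ip", "c2_domain", "phish_sender",
                    "malware_sha256", "observed_at", "description"}
# Fields that identify our own people or hosts: never needed by a recipient.
DROP_FIELDS = {"victim_email", "victim_name", "victim_workstation"}
# Fields a recipient can use to correlate repeat sightings, but which must
# not reveal the real value: replaced by a keyed pseudonym.
PSEUDONYMISE_FIELDS = {"victim_ip"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Address ranges that mean "our own network" rather than an attacker host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

SHARING_SALT = "rotate-me-per-sharing-partner"  # constructed; keep secret in practice


def is_internal(ip: str) -> bool:
    """True if ip falls in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def pseudonymise(value: str, salt: str) -> str:
    """Stable keyed replacement: same input and salt give the same token,
    but the token cannot be reversed without the salt."""
    digest = hashlib.sha256((salt + "|" + value).encode("utf-8")).hexdigest()
    return "pseudo:" + digest[:16]


def scrub_free_text(text: str) -> str:
    """Free text is the usual leak path; redact any e-mail address in it."""
    return EMAIL_RE.sub("[email redacted]", text)


def scrub_indicator(record: dict, salt: str = SHARING_SALT) -> dict:
    """Return a copy of record that is safe to share: allow-listed indicator
    fields kept, victim identifiers dropped or pseudonymised, and every
    unknown field dropped (default deny)."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in PSEUDONYMISE_FIELDS:
            out[key] = pseudonymise(str(value), salt)
        elif key == "description":
            out[key] = scrub_free_text(str(value))
        elif key in INDICATOR_FIELDS:
            out[key] = value
        # anything else (ticket numbers, analyst names, ...) is not shared
    # An RFC 1918 address labelled as "C2" is almost certainly one of our
    # own hosts; sharing it leaks internal topology, not a threat indicator.
    if "c2_ip" in out and is_internal(out["c2_ip"]):
        del out["c2_ip"]
    return out


# Constructed sample of what an analyst's internal record might look like.
SAMPLE_INDICATOR = {
    "indicator_type": "phishing-c2",
    "c2_domain": "update-check.example.net",
    "c2_ip": "203.0.113.45",
    "phish_sender": "attacker@evil.example",
    "malware_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "observed_at": "2015-01-20T14:03:00Z",
    "victim_email": "jane.doe@corp.example",
    "victim_name": "Jane Doe",
    "victim_workstation": "WS-FIN-0042",
    "victim_ip": "10.20.30.40",
    "description": "Mail from attacker@evil.example to jane.doe@corp.example "
                   "delivered the payload; workstation beaconed to C2.",
    "ticket_id": "IR-2015-0117",
}

if __name__ == "__main__":
    for k, v in scrub_indicator(SAMPLE_INDICATOR).items():
        print(f"{k}: {v}")
```

Two design choices matter here. Attacker data belongs in structured fields (the phishing sender survives in `phish_sender`) because free text gets blanket redaction, so an analyst who only writes addresses into the description will lose the indicator. And the salt should differ per sharing partner, so that pseudonymised victim addresses cannot be joined across recipients. The purpose and retention limits in the proposal are policy controls on the receiving side; nothing in this code enforces them.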

DIGITAL PRIVACY FOR STUDENTS

In the lead up to his State of the Union address, President Obama also proposed the introduction of the Student Digital Privacy Act, modeled on a similar California statute, which would ensure that data collected on students in the classroom only be used for educational purposes. Companies would be prohibited from selling student data to third parties for marketing or advertising purposes. Under the proposal, companies would still be allowed to use data collected in an educational setting for research initiatives to improve student learning outcomes, as well as to improve the effectiveness of learning technology products.

Business impact: If this proposal is enacted, colleges and universities will need to take extra care to ensure they are not exposing student PII. Under current law, such institutions cannot give out sensitive PII that is not considered “directory” information. The Student Digital Privacy Act, however, appears to extend into what is traditionally directory information, the protection of which would require extra security controls. These controls would need to be applied to student systems and anywhere student records are stored or transmitted to ensure they are not being sold or exposed.

In addition, the Department of Education plans to issue new tools to help schools and teachers work with tech companies to protect the privacy of students. The Department of Education will issue model terms of service and provide teacher training assistance concerning the appropriate use of data collected about students.

Comment: To date, 75 companies have signed a Student Privacy Pledge, committing them not to sell student information or use educational technologies to engage in targeted advertising to students. This pledge was led by the Future of Privacy Forum and the Software & Information Industry Association.

COMBATTING CYBERCRIME

The White House also proposed legislation that would bolster law enforcement efforts and aid in the investigation and prosecution of cybercrimes. Specifically, the proposal would:

• modernize the Computer Fraud and Abuse Act to enhance its effectiveness against attacks on computers and networks, including by insiders,

• provide for the prosecution of the sale of botnets,

• expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and

• give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.

In addition, the proposed legislation would amend the Racketeer Influenced and Corrupt Organizations Act (RICO) to apply to cybercrimes, thereby clarifying the penalties for computer crimes and ensuring that the penalties are in sync with those for similar non-cyber crimes.

SMART GRID CUSTOMER DATA PRIVACY

On January 12, 2015, the Department of Energy and the Federal Smart Grid Task Force released a new Voluntary Code of Conduct (VCC) for utilities and third parties aimed at protecting electricity customer data, including energy usage information. As companies begin to sign on, the VCC will help improve consumer awareness, choice and consent, and controls on access.

Protect and Defend Your Organization. Cybersecurity Nexus™ (CSX) is designed to provide you with the knowledge, tools, guidance and training you need, no matter where you are in your career. Created by the leading minds in the field, Cybersecurity Nexus (CSX) brings you a single source for all things cybersecurity. From certification, education and training to webinars, workshops, industry events, career management and community, you’ll find everything you need to take your career to the next level. And we’ve designed CSX to help you every step of the way, no matter what your level of experience. Connect with the resources, people and answers you need.

Visit us today at isaca.org/cyber and sign up to receive important updates on our CSX program and to be first to learn about our upcoming certifications!

CONSUMER PRIVACY BILL OF RIGHTS

Working with representatives from the private sector and advocacy groups, the White House has identified basic principles to protect personal privacy in online interactions, while simultaneously ensuring industry’s continued ability to innovate. This Consumer Privacy Bill of Rights would ensure basic protections across industries. Specifically, the Administration aims to protect consumers’ rights to:

• decide what personal data companies collect from them and how companies use that data,

• know that their personal information collected for one purpose cannot then be misused by a company for a different purpose, and

• have their information stored securely by companies that are accountable for its use.

CYBERSECURITY SUMMIT

To continue the discussion on cybersecurity in the wake of the State of the Union, the White House will host a Summit on Cybersecurity and Consumer Protection at Stanford University on February 12. By bringing together major stakeholders, including tech companies, consumer and privacy advocates, and law enforcement, the Administration aims to shape cybersecurity efforts in the public and private sectors. The Summit will include discussions on information sharing and public-private partnerships, improved cybersecurity practices and technologies, and secure payment technologies.