Federal Cyber Security Reform Stalled


It began with Target, then Sony and, most recently, Anthem. Today’s corporations face a new threat from a faceless enemy. Not only do data breaches invade the privacy of millions of Americans, but a breach is also incredibly costly, both for the company that is hacked and for financial institutions. The 2014 Sony breach cost the company an estimated $15 million [1], and the Target security breach is estimated to have cost banks and credit unions more than $200 million [2]. The costs of the Anthem hack remain to be seen [3].

Cyber attacks have, unfortunately, become commonplace. Companies that fall victim to such attacks, however, must not only weather the financial losses and public relations challenges that accompany a breach, but those companies must simultaneously navigate a complicated regulatory landscape in order to avoid further liability.

At time of publication, 47 states and the District of Columbia have enacted cyber breach notification laws, but no comprehensive federal law exists which regulates a company’s responsibilities or duties with respect to cyber security. To address this emerging threat to corporate and national security, President Obama commissioned a review of the nation’s private and public sector cyber threats. The President sent a number of legislative proposals to Congress in an effort to create a single federal breach notification standard (and preempt the notification laws in place in the 47 states and the District of Columbia). 

Recently, the US House of Representatives passed, by a 307-116 vote, the Protecting Cyber Networks Act. The bill encourages US companies to share security breach information with the federal government in exchange for extending federal law enforcement’s ability to investigate and prosecute cybercrimes against private companies. Although the bill was expected to pass the Senate and become law (after a similar bill passed by a 14-to-1 vote in the Senate Intelligence Committee), it fell eight votes shy of the 60 votes needed to move past a Republican filibuster. The bill’s defeat — just days before the Senate recess — means that federal security legislation will not be addressed until next year.


1. Sony FY 2014 Q3 Financial Statements, www.sony.net/SonyInfo/IR/library/er.html (released March 17, 2015); “Sony Pictures hack has cost the company only $15 million so far,” CNET, Steven Musil (Feb. 4, 2015), www.cnet.com/news/sony-pictures-hack-to-cost-the-company-only-15-million/.

2. See “Target hack cost banks and credit unions more than $200 million,” The Verge, Rich McCormick (Feb. 18, 2014), www.theverge.com/2014/2/18/5424062/target-hack-cost-200-million-dollars-for-banks-and-credit-unions.

3. “Security firm finds link between China and Anthem hack,” The Washington Post, Ellen Nakashima (Feb. 27, 2015), www.washingtonpost.com/blogs/the-switch/wp/2015/02/27/security-firm-finds-link-between-china-and-anthem-hack.
