A Busy Fortnight in the U.S. Cybersecurity World


It’s been a hectic couple of weeks in the privacy policy world. The Obama administration appears serious about taking on cybersecurity bad guys, while Congress moves to accommodate European Union data protection concerns about transferring data to the United States.

President Obama Feb. 9 proposed a Cybersecurity National Action Plan, including investing more than $19 billion in cybersecurity efforts. The action plan includes a $3.1 billion fund that government agencies could tap into to replace legacy information technology systems. To oversee such changes, Obama wants to hire a Federal Chief Information Security Officer.

Additionally, President Obama established the Commission on Enhancing National Cybersecurity within the U.S. Department of Commerce, as well as the Federal Privacy Council, through two separate Executive Orders.

For fiscal year 2017, Obama requested $40.6 billion in discretionary funding for the U.S. Department of Homeland Security—down approximately $600 million from his 2016 request. He also requested $471.1 million for the National Cybersecurity Protection System—commonly referred to as EINSTEIN—to maintain its current capabilities in combatting intrusions and to invest in new analytics and information-sharing technologies.

On the same day that the cybersecurity action plan was proposed, the Senate passed an amended version of the Judicial Redress Act, authorizing the U.S. Department of Justice to designate certain “covered countries” whose citizens could sue the U.S. government for civil damages for unauthorized disclosures of personal information. The bill cleared the House the next day without objection and was presented to Obama Feb. 12.

In addition to providing limited access to U.S. courts for citizens of certain countries—court access would be conditioned on covered countries permitting the transfer of personal data—the Judicial Redress Act has other international implications, specifically in the context of U.S.-EU negotiations. The passage of the act is a prerequisite for an umbrella U.S.-EU law enforcement agreement, initialed by U.S. and EU officials Sept. 8, 2015.

And while the Judicial Redress Act wasn’t a prerequisite for replacing the invalidated U.S.-EU Safe Harbor framework, providing access to proper judicial redress in the U.S. for EU citizens—a hot topic since former National Security Agency contractor Edward Snowden’s revelations about U.S. surveillance practices—is an issue that needs addressing in the new framework.

The 15-year-old U.S.-EU Safe Harbor program was invalidated by the European Court of Justice on Oct. 6, 2015, over concerns about U.S. government access to data transferred to the U.S. by U.S.-based companies and the failure to offer redress safeguards to EU citizens over allegations of misuse of their data. On Feb. 2, negotiators announced a replacement deal: the EU-U.S. Privacy Shield. However, there’s no written agreement yet, and the EU’s Article 29 Working Party of member state data protection commissioners said they’ll need all relevant documents by the end of February to proceed.
