Washington, D.C. – U.S. Senator Kirsten Gillibrand today introduced two bipartisan bills to better prepare businesses and protect consumers against cyber security attacks and dangerous data breaches. In New York State alone, the number of data security breaches reported to the Attorney General tripled between 2006 and 2013, exposing a total of 22.8 million personal records. The Cybersecurity Information Sharing Credit Act introduced with Senator Jim Moran (R-KA) and the Data Breach Notification and Punishing Cyber Criminals Act introduced with Senator Mark Kirk (R-IL) would establish a comprehensive, national approach to defending against 21st century data threats.
“Hackers have put consumers and businesses in their crosshairs, and have shown they can easily access confidential information we trust can and should remain private. It’s time to improve our security and establish standards that better protect consumers in New York and across the country,” said Senator Gillibrand. “This legislation is an important first step toward a national solution and opportunity to address our vulnerabilities, strengthening defenses against emerging data breaches, taking necessary safeguards to help victims and prosecuting perpetrators of these attacks.”
“Consumers and businesses face constant and evolving threats from cyber criminals who seek to do us harm. When it comes to detecting and preempting these threats and protecting American consumers from identity theft and financial fraud, information sharing within trusted industry networks has proven to be a valuable tool across numerous sectors of our economy,” said Senator Moran. “The Cyber Information Sharing Tax Credit Act will make participation in these vital ISACs more accessible for all companies, especially those who may not fully understand their risk of cyber-attack or who would not otherwise have the resources to participate in an information sharing organization. As more industries and businesses participate, these networks will help businesses understand and improve their cyber posture and ensure the timely dissemination of information on emerging and increasingly sophisticated cyber threats.”
“Last year there were more than 780 data breach incidents that exposed millions of Americans’ credit card numbers and personal information like medical history and Social Security numbers,” Senator Kirk said. “By creating a low-cost, easy to implement standard for companies to notify consumers when personal information is stolen and increasing penalties on cyber criminals, we can stay ahead of the hackers and better protect Americans from cyber crimes.”
“Consumers are at a greater risk of hackers stealing their personal information than ever before,” said New York Attorney General Eric Schneiderman. “A national, comprehensive strategy to protect corporations, families and businesses from data breaches is long overdue. I applaud Senator Gillibrand for backing an important tool in stopping future attacks
The Cybersecurity Information Sharing Credit Act would give businesses a tax credit for sharing information about cyber threats with other related businesses. The bill would establish a network of industry-specific groups called Information Sharing and Analysis Centers (ISACs), which would monitor and disrupt cyber-attacks for businesses. ISACs address security vulnerabilities through a single point of response to cyber threats against one business or an entire industry. The refundable credit gives businesses the opportunity to upgrade their online defenses and participate in an information sharing network without high upfront costs. The credit covers expenses including payment to participate in an ISAC.
The Data Breach Notification and Punishing Cyber Criminals Act sets a stronger standard for companies to give notice if their data has been breached, and increases penalties for cybercrimes. The bill raises the maximum allowable fines and imprisonment for many of the statutes under which cyber criminals are charged: identity theft, conspiracy to commit access device fraud, obtaining information from a protected computer without authorization and computer hacking with intent to defraud. It requires that consumers receive notification within 30 days of discovery of a data breach, with a description of the information potentially accessed, how to inquire about what personal information was breached, and how the information was unlawfully acquired. There will be a new directive for diplomats at the State Department to make apprehending and prosecuting cyber criminals a top priority in ongoing negotiations with countries that do not have extradition with the United States.
The number of data security breaches reported annually to the New York Attorney General more than tripled between 2006 and 2013. Approximately 5,000 separate data breaches were reported in that period by businesses, nonprofits, and government entities, exposing a combined 22.8 million personal records of New Yorkers. An unprecedented 7.3 million records were exposed in 2013 alone, costing organizations doing business in New York more than $1.37 billion. Since 2006, 241 institutions reported at least three security breaches, and five of the ten largest breaches occurred since 2011. At the end of 2014 leading into 2015, there were several high-profile data breaches that went beyond the usual financial data such as credit cards and PIN numbers. Last December, corporate emails, films and personal data were leaked from Sony Pictures. This past February, Anthem Inc. lost millions of customer records, including Social Security numbers, birthdays, medical IDs and personal addresses.