Although bankers reacted positively to the Obama administration’s executive order last week concerning cyber security, legislation is still needed from Congress to develop a national cyber security standard, says Mercedes Tunstall, the head of the privacy and data security group at Ballard Spahr LLP, a national law firm. Such legislation failed to pass the last Congress, and a similar version of the bill was recently re-introduced to both the House and the Senate, Tunstall reports. “The executive order is a necessary step to help raise the national conversation on cyber security,” Tunstall explains. “But it doesn’t carry the force of legislation. It can only affect the way things operate under the existing laws and give a directional focus.”
The executive order called on government agencies and private institutions - including banks - to share more information pertaining to cyber security threats. But legislation can further help in this area by shielding banks from liability to encourage them to share information about cyber attacks and data breaches targeted at them, Tunstall says. Banks are understandably concerned that information that they share with the government can later be subpoenaed and open them up to litigation, she explains. “We need to help banks with sharing that information,” she says, adding that anti-money laundering legislation can provide a blueprint for how banks can share that information without liability. Congress has already amended the Bank Secrecy Act to allow banks to voluntarily share information about money laundering without opening themselves up to possible litigation. Similar legislation would allay any hesitancy on the part of the banks in sharing cyber threat information with the government, Tunstall suggests.
On the other hand, improvements can also be made through legislation to help the government share information with banks, she points out. “Sometimes the government will have information about an impending cyber attack that banks might find useful but they can’t share it because of national security concerns,” Tunstall explains. Any cyber security legislation should include protocols that help the government share information with relevant institutions if it is known that a cyber attack is coming against them.
The executive order may help in passing the new version of cyber security legislation that has been introduced in Congress, as it raises the profile of the issue, Tunstall reasons. As government agencies explore new ways to work with the existing laws under the executive order, it should help lead to a more informed discussion in Congress this time around, she adds. Given the high number of cyber attacks against banks in the last few months, it is certainly in the best interests of the industry to see the legislation passed this time around.