Sec. 302. Establish the Bureau of Cybersecurity Statistics
/bill/117/s/2491/is/section-302
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
In this section:

The term Bureau means the Bureau of Cybersecurity Statistics established under subsection (b).

The term covered entity means any nongovernmental organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture (without regard to whether it is established for profit) that is engaged in or affecting interstate commerce and that provides cybersecurity incident response services or cybersecurity insurance products.

The term cyber incident includes each of the following:
Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of that information system or network.
Disruption of business operations due to a distributed denial of service attack against an information system or network.
Unauthorized access or disruption of business operations due to loss of service facilitated through, or caused by a cloud service provider, managed service provider, or other data hosting provider.
Fraudulent or malicious use of a cloud service account, data hosting account, internet service account, or any other digital service.

The term Director means the Director of the Bureau.

The term statistical purpose—
means the description, estimation, or analysis of the characteristics of groups, without identifying the individuals or organizations that comprise such groups; and
includes the development, implementation, or maintenance of methods, technical or administrative procedures, or information resources that support the purposes described in subsection (e).
There is established within the Department of Homeland Security a Bureau of Cybersecurity Statistics.

The Bureau shall be headed by a Director, who shall—
report to the Secretary of Homeland Security; and
be appointed by the President.

The Director shall—
have final authority for all cooperative agreements and contracts awarded by the Bureau;
be responsible for the integrity of data and statistics collected or issued by the Bureau; and
protect against improper or illegal use or disclosure of information furnished for exclusively statistical purposes under this section, consistent with the requirements of subsection (f).
The Director—
shall have experience in statistical programs; and
shall not—
engage in any other employment; or
hold any office in, or act in any capacity for, any organization, agency, or institution with which the Bureau makes any contract or other arrangement under this section.

The Director shall—
collect and analyze information concerning cybersecurity, including data related to cyber incidents, cyber crime, and any other area the Director determines appropriate;
collect and analyze data that will serve as a continuous and comparable national indication of the prevalence, incidents, rates, extent, distribution, and attributes of all relevant cyber incidents, as determined by the Director, in support of national policy and decision making;
compile, collate, analyze, publish, and disseminate uniform national cyber statistics concerning any area that the Director determines appropriate;
in coordination with the National Institute of Standards and Technology, recommend national standards, metrics, and measurement criteria for cyber statistics and for ensuring the reliability and validity of statistics collected pursuant to this subsection;
conduct or support research relating to methods of gathering or analyzing cyber statistics;
enter into cooperative agreements or contracts with public agencies, institutions of higher education, or private organizations for purposes related to this subsection;
provide appropriate information to the President, the Congress, Federal agencies, the private sector, and the general public on cyber statistics;
maintain liaison with State and local governments concerning cyber statistics;
confer and cooperate with Federal statistical agencies as needed to carry out the purposes of this section, including by entering into cooperative data sharing agreements in conformity with all laws and regulations applicable to the disclosure and use of data; and
request from any person or entity information, data, and reports as may be required to carry out the purposes of this subsection.
Federal departments and agencies requested by the Director to furnish information, data, or reports pursuant to subsection (c)(4)(J) shall provide to the Bureau such information as the Director determines necessary to carry out the purposes of this section.

Not later than 180 days after the date of enactment of this Act, and every 180 days thereafter, each covered entity shall submit to the Bureau a report containing such data and information as the Director determines necessary to carry out the purposes of this section.
Not later than 90 days after the date of enactment of this Act, and annually thereafter, the Director shall publish a list of data and information determined necessary to carry out the purposes of this section, including individual descriptions of cyber incidents, which shall include—
identification of the affected databases, information systems, or devices that were, or are reasonably believed to have been, accessed by an unauthorized person;
where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used;
where applicable, any identifying information related to the malicious actors who perpetrated the incident;
where applicable, any cybersecurity controls implemented by the victim organization; and
the industrial sectors, regions, and size of affected entities (as determined by number of employees) without providing any information that can reasonably be expected to identify such entities.
Not later than 180 days after the date of enactment of this Act, the Director shall, in consultation with covered entities, develop standardized procedures for the submission of data and information the Director determines necessary to carry out the purposes of this section.

Not later than 90 days after the date on which the Director develops the standards required under paragraph (3), the Director shall—
publish the processes for submission of information, data, and reports by covered entities; and
begin accepting reporting required under paragraph (1).
Information disclosed to the Bureau under this section that is not otherwise available shall not be used by the Federal Government or any State, local, tribal, or territorial government to sanction or otherwise punish the entity disclosing the information, or the entity in which the cyber incident initially occurred.

Disclosure of information pursuant to this section or by a covered entity to the Bureau shall not waive any otherwise applicable privilege, immunity, or protection provided by law.
Nothing in this section shall modify, prevent, or abrogate any notice or notification obligations under Federal contracts, enforceable agreements with the government, or other Federal law.

Compliance with the requirements imposed under this subsection by covered entities shall be enforced by the Federal Trade Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.). For the purpose of the exercise by the Federal Trade Commission of its functions and powers under the Federal Trade Commission Act, a violation of any requirement or prohibition imposed under this subsection shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

Subject to subparagraph (C), the Federal Trade Commission shall enforce this subsection in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this subsection.

Notwithstanding sections 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or any jurisdictional limitation of the Federal Trade Commission, the Federal Trade Commission shall also enforce this subsection, in the same manner provided in subparagraph (A) of this paragraph, with respect to—
organizations not organized to carry on business for their own profit or that of their members; and
common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.).

The Federal Trade Commission shall—
coordinate with the Federal Communications Commission regarding enforcement of this subsection with respect to common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.);
notify the Bureau of Consumer Financial Protection regarding enforcement of this subsection with respect to information associated with the provision of financial products or services by an entity that provides a consumer financial product or service (as defined in section 1002 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5481)); and
for enforcement of this subsection with respect to matters implicating the jurisdiction or authorities of another Federal agency, notify that agency as appropriate.

Any covered entity that violates the requirements imposed under this subsection shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

Nothing in this paragraph shall be construed to limit the authority of the Federal Trade Commission under any other provision of law.

No officer or employee of the Federal Government or agent of the Federal Government may, without the consent of the individual, entity, agency, or other person who is the subject of the submission or provides the submission—
use any submission that is furnished for exclusively statistical purposes under this section for any purpose other than the statistical purposes for which the submission is furnished;
make any publication or media transmittal of the data contained in a submission described in subparagraph (A) that permits information concerning individual entities or individual incidents to be reasonably inferred by either direct or indirect means; or
permit anyone other than a sworn officer, employee, agent, or contractor of the Bureau to examine an individual submission described in subsection (e).

Any submission (including any data derived from the submission) that is collected and retained by the Bureau, or an officer, employee, agent, or contractor of the Bureau, for exclusively statistical purposes under this section shall be immune from the legal process and shall not, without the consent of the individual, entity, agency, or other person who is the subject of the submission or provides the submission, be admitted as evidence or used for any purpose in any action, suit, or other judicial or administrative proceeding.

Nothing in this subsection shall be construed to provide immunity from the legal process for a submission (including any data derived from the submission) if the submission is in the possession of any person, agency, or entity other than the Bureau or an officer, employee, agent, or contractor of the Bureau, or if the submission is independently collected, retained, or produced for purposes other than the purposes of this section.

There are authorized to be appropriated such sums as may be necessary to carry out this section. Such funds shall remain available until expended.