[Congressional Record Volume 154, Number 94 (Monday, June 9, 2008)]
[Senate]
[Pages S5391-S5392]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Ms. SNOWE (for herself and Mr. Kerry):
  S. 3102. A bill to establish the Small Business Information Security 
Task Force, and for other purposes; to the Committee on Small Business 
and Entrepreneurship.
  Ms. SNOWE. Mr. President, I rise today, with Senator John Kerry, to 
introduce the Small Business Information Security Act of 2008. Not only 
is this a bipartisan bill in the United States Senate, but it is also a 
bicameral bill. Congressmen Manzullo and Michaud are also introducing 
companion legislation in the U.S. House of Representatives. This bill 
would establish within the Small Business Administration, SBA, a Small 
Business Information Security Task Force to advise the SBA and help 
small businesses both understand the unique information security 
challenges they face, and identify resources to help meet those 
challenges.
  As ranking member of the Senate Committee on Small Business and 
Entrepreneurship, one of my goals is to ensure small businesses are 
protected from the mounting information security threats they face 
every day. This legislation will create a clearinghouse of information, 
resources, and tools--compiled by a task force consisting of public and 
private sector experts in the field--that will ease the complexity, 
confusion, and cost often associated with enhancing information 
security measures within a small business. The task force will 
continually update information and resources as new technologies and 
threats arise.
  Currently, small business owners turn to the SBA for resources 
regarding a number of aspects, but information security resources 
remain largely unavailable within the agency. This legislation will 
present an opportunity for the SBA to develop and create a repository 
of data to help small business owners meet their information security 
needs. This legislation will enable industry experts to come together 
and immediately provide meaningful strategies to enable small 
businesses to safeguard their customers' personal information.
  Computer networks are increasingly susceptible to hackers, intruders, 
and other cyber criminals. In fact, in my home state of Maine, the 
retail supermarket chain, Hannaford Bros., was recently affected by an 
intrusion into their computer system which led to the exposure of 4.2 
million credit and debit card numbers. What many people do not realize 
is that a breach like Hannaford's impacts not only the millions of 
customers whose personal data was compromised, but it also has serious 
downstream impact on our Nation's small businesses. For example, 
throughout Maine there are many small banks; these banks are 
responsible for protecting and alerting their depositors upon 
fraudulent activity. Following the Hannaford breach, many small banks 
had to replace their customers' credit and debit cards, clearly a 
costly enterprise that diverts resources from more productive 
activities, such as small business lending. The bill we are introducing 
today will help ameliorate this problem.
  Unfortunately, these attacks are becoming more frequent and more 
severe, and the perpetrators are becoming harder to identify and bring 
to justice. According to a survey by the Small Business Technology 
Institute, more than half of all small businesses in the U.S. 
experienced a security breach in the last year. Furthermore, the study 
concludes that nearly one-fifth of small businesses do not use virus-
scanning for e-mail, over 60 percent do not protect their wireless 
networks with encryption, and two-thirds of small businesses do not 
have an information security plan.
  As these statistics illustrate, small businesses are increasingly at 
risk of data breaches and other forms of malicious attacks on their 
information technology infrastructure. Cyber attacks launched by a 
small group of people can devastate America financially; it is 
conceivable that a few individuals working together could disable 
millions of computers at a cost of hundreds of millions to the U.S. 
economy. Cyber-criminals can hold hostage not just a few individuals, 
but millions of small businesses. This legislation provides best 
practices to help small business owners decrease the risk cyber attacks 
pose to their customers.
  The information security threat posed to our Nation's small 
businesses is serious, and our efforts to prevent and reduce this risk 
carry a tremendous sense of urgency. We must continue to focus on ways 
we can protect small businesses, and their customers, from the serious 
consequences of cyber crimes. In order to take an important first step, 
I encourage all of my colleagues to support this critical legislation, 
and I hope we can see this commonsense legislation enacted into law as 
expeditiously as possible.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 3102

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Small Business Information 
     Security Act of 2008''.

     SEC. 2. DEFINITIONS.

       In this Act--
       (1) the terms ``Administration'' and ``Administrator'' mean 
     the Small Business Administration and the Administrator 
     thereof, respectively;
       (2) the term ``small business concern'' has the same 
     meaning as in section 3 of the Small Business Act (15 U.S.C. 
     632); and
       (3) the term ``task force'' means the task force 
     established under section 3(a).

     SEC. 3. INFORMATION SECURITY TASK FORCE.

       (a) Establishment.--The Administrator shall establish a 
     task force, to be known as the Small Business Information 
     Security Task Force, to address the information technology 
     security needs of small business concerns.
       (b) Duties.--The task force shall--
       (1) identify--
       (A) the information technology security needs of small 
     business concerns; and
       (B) the programs and services provided by the Federal 
     Government, State Governments, and nongovernment 
     organizations that serve those needs;
       (2) assess the extent to which the programs and services 
     identified under paragraph (1)(B) serve the needs identified 
     under paragraph (1)(A);
       (3) make recommendations to the Administrator on how to 
     more effectively serve the needs identified under paragraph 
     (1)(A) through--
       (A) programs and services identified under paragraph 
     (1)(B); and
       (B) new programs and services promoted by the task force;
       (4) make recommendations on how the Administrator may 
     promote--
       (A) new programs and services that the task force 
     recommends under paragraph (3)(B); and
       (B) programs and services identified under paragraph 
     (1)(B);
       (5) make recommendations on how the Administrator may 
     inform and educate with respect to--
       (A) the needs identified under paragraph (1)(A);
       (B) new programs and services that the task force 
     recommends under paragraph (3)(B); and
       (C) programs and services identified under paragraph 
     (1)(B);
       (6) make recommendations on how the Administrator may more 
     effectively work with public and private interests to address 
     the information technology security needs of small business 
     concerns; and
       (7) make recommendations on the creation of a permanent 
     advisory board that would make recommendations to the 
     Administrator on how to address the information technology 
     security needs of small business concerns.
       (c) Internet Website Recommendations.--The task force shall 
     make recommendations to the Administrator relating to the 
     establishment of an Internet website to be used by the 
     Administration to receive and dispense information and 
     resources with respect to the needs identified under 
     subsection (b)(1)(A) and the programs and services identified 
     under subsection (b)(1)(B). As part of the recommendations, 
     the task force shall identify the Internet sites of 
     appropriate programs, services, and organizations, both 
     public and private, to which the Internet website should 
     link.
       (d) Education Programs.--The task force shall make 
     recommendations to the Administrator relating to developing 
     additional education materials and programs with respect to 
     the needs identified under subsection (b)(1)(A).
       (e) Existing Materials.--The task force shall organize and 
     distribute existing materials that inform and educate with 
     respect to the needs identified under subsection (b)(1)(A) 
     and the programs and services identified under subsection 
     (b)(1)(B).
       (f) Coordination With Public and Private Sector.--In 
     carrying out its responsibilities under this section, the 
     task force shall coordinate with, and may accept materials 
     and assistance as it determines appropriate from--
       (1) any subordinate officer of the Administrator;
       (2) any organization authorized by the Small Business Act 
     to provide assistance and advice to small business concerns;
       (3) other Federal agencies, their officers, or employees; 
     and
       (4) any other organization, entity, or person not described 
     in paragraph (1), (2), or (3).
       (g) Chair and Vice-Chair.--The task force shall have--
       (1) a Chair, appointed by the Administrator; and
       (2) a Vice-Chair, appointed by the Administrator, in 
     consultation with appropriate nongovernmental organizations, 
     entities, or persons.
       (h) Members.--
       (1) Chair and vice-chair.--The Chair and the Vice-Chair 
     shall serve as members of the task force.
       (2) Additional members.--
       (A) In general.--The task force shall have additional 
     members, each of whom shall be appointed by the Chair, with 
     the approval of the Administrator.
       (B) Number of members.--The number of additional members 
     shall be determined by the Chair, in consultation with the 
     Administrator, except that--
       (i) the additional members shall include, for each of the 
     groups specified in paragraph (3), at least 1 member 
     appointed from within that group; and
       (ii) the number of additional members shall not exceed 13.
       (3) Groups represented.--The groups specified in this 
     paragraph are--
       (A) subject matter experts;
       (B) users of information technologies within small business 
     concerns;
       (C) vendors of information technologies to small business 
     concerns;
       (D) academics with expertise in the use of information 
     technologies to support business;
       (E) small business trade associations;
       (F) Federal, State, or local agencies engaged in securing 
     cyberspace; and
       (G) information technology training providers with 
     expertise in the use of information technologies to support 
     business.
       (i) Meetings.--
       (1) Frequency.--The task force shall meet at least 2 times 
     per year, and more frequently if necessary to perform its 
     duties.
       (2) Quorum.--A majority of the members of the task force 
     shall constitute a quorum.
       (3) Location.--The Administrator shall designate, and make 
     available to the task force, a location at a facility under 
     the control of the Administrator for use by the task force 
     for its meetings.
       (4) Minutes.--
       (A) In general.--Not later than 90 days after each meeting, 
     the task force shall publish the minutes of the meeting and 
     shall submit to Administrator any findings or recommendations 
     approved at the meeting.
       (B) Submission to congress.--Not later than 60 days after 
     the date that the Administrator receives minutes under 
     subparagraph (A), the Administrator shall submit to the 
     Committee on Small Business and Entrepreneurship of the 
     Senate and the Committee on Small Business of the House of 
     Representatives such minutes, together with any comments the 
     Administrator considers appropriate.
       (5) Findings.--
       (A) In general.--Not later than the date that the task 
     force terminates under subsection (m), the task force shall 
     submit to the Administrator a final report on any findings 
     and recommendations of the task force approved at a meeting 
     of the task force.
       (B) Submission to congress.--Not later than 90 days after 
     the date that the Administrator receives the report under 
     subparagraph (A), the Administrator shall submit to the 
     Committee on Small Business and Entrepreneurship of the 
     Senate and the Committee on Small Business of the House of 
     Representatives the full text of the report submitted under 
     subparagraph (A), together with any comments the 
     Administrator considers appropriate.
       (j) Personnel Matters.--
       (1) Compensation of members.--Each member of the task force 
     shall serve without pay for their service on the task force.
       (2) Travel expenses.--Each member of the task force shall 
     receive travel expenses, including per diem in lieu of 
     subsistence, in accordance with applicable provisions under 
     subchapter I of chapter 57 of title 5, United States Code.
       (3) Detail of SBA employees.--The Administrator may detail, 
     without reimbursement, any of the personnel of the 
     Administration to the task force to assist it in carrying out 
     its duties. Such a detail shall be without interruption or 
     loss of civil status or privilege.
       (4) SBA support of the task force.--Upon the request of the 
     task force, the Administrator shall provide to the task force 
     the administrative support services that the Administrator 
     and the Chair jointly determine to be necessary for the task 
     force to carry out its duties.
       (k) Not Subject to Federal Advisory Committee Act.--The 
     Federal Advisory Committee Act (5 U.S.C. App.) shall not 
     apply to the task force.
       (l) Startup Deadlines.--The initial appointment of the 
     members of the task force shall be completed not later than 
     90 days after the date of enactment of this Act, and the 
     first meeting of the task force shall be not later than 180 
     days after the date of enactment of this Act.
       (m) Termination.--
       (1) In general.--Except as provided in paragraph (2), the 
     task force shall terminate at the end of fiscal year 2012.
       (2) Exception.--If, as of the termination date under 
     paragraph (1), the task force has not complied with 
     subsection (i)(4) with respect to 1 or more meetings, then 
     the task force shall continue after the termination date for 
     the sole purpose of achieving compliance with subsection 
     (i)(4) with respect to those meetings.
       (n) Authorization of Appropriations.--There are authorized 
     to be appropriated to carry out this section $200,000 for 
     each of fiscal years 2009 through 2012.