[Congressional Record Volume 161, Number 58 (Tuesday, April 21, 2015)]
[Senate]
[Page S2304]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. KIRK (for himself and Mrs. Gillibrand):
  S. 1027. A bill to require notification of information security 
breaches and to enhance penalties for cyber criminals, and for other 
purposes; to the Committee on Commerce, Science, and Transportation.
  Mrs. GILLIBRAND. Mr. President, I rise to speak about two bipartisan 
bills that would help to modernize the way this country approaches 
cyber security.
  Congress needs to get with the times and realize that the Internet is 
no longer a new concept. Swiping a credit card, conducting online 
banking, storing prescription records online--these are not new 
activities. The cloud is no longer new. Hackers are no longer new. So 
why are we still so taken aback, in shock, every time we suffer another 
major cyber attack? Why are we still not requiring that consumers be 
notified when their information has been stolen? Why aren't we 
unleashing law enforcement to go after cyber criminals?
  If we want to defend against 21st-century threats, then we have to 
bring our laws into the 21st century. We have to get out of the mindset 
that the only way we can be hurt is from an actual physical attack. 
Hackers don't operate on battlefields; they operate in basements and in 
cubicles.
  Our approach to cyber security so far has been certifiably wrong. We 
have the largest defense budget in the world by far, but that hasn't 
stopped our hospitals and banks from falling victim to a near constant 
barrage of attacks. Last year, data breaches in this country hit a 
record high; they were up more than 27 percent from the year before. In 
New York State, between 2006 and 2013, we had nearly 5,000 individual 
data breaches that were reported by businesses, not-for-profits, and 
government entities. In the same period, 23 million personal records of 
New Yorkers were exposed to criminals. And that is just my home State. 
Imagine how big that number actually is nationwide.
  We are long overdue for a new national approach to cyber security, 
and I am introducing two bills that would finally make this happen. The 
first is the Data Breach Notification and Punishing Cyber Criminals 
Act. It would set, for the first time, a national standard for how and 
when victims of cyber attacks will be informed. When an attack takes 
place on a business, for example, one that has your financial data or 
medical information, this law would require that you be informed 
quickly, with information about what was targeted, what was taken, and 
whether you were personally affected. This bill would seriously 
increase the penalties on people found guilty of hacking and cyber 
crime. It would raise the allowable fines and imprisonment sentences 
for many of the most common cyber crimes, including identity theft and 
theft of personal information.
  The second bill is the Cybersecurity Information Sharing Credit Act--
a bill that would incentivize America's businesses to share cyber 
security information critical to preventing attacks, without having to 
involve their competitors. Instead, businesses would be encouraged, 
with significant tax credits, to adopt the preferred, most efficient 
method for information sharing; that is, membership in private, sector-
specific cyber security networks designed to protect an industry, such 
as health care and hospitals, from attack. At the individual level, 
companies, hospitals, and banks can only do so much to protect us. Any 
good cyber defense has to involve information sharing so that patterns 
can be recognized, industries can bolster their defenses, and the same 
hacks aren't just repeated over and over again.
  To modernize America's approach to cyber security, we as individuals 
have to take action, companies have to take action, law enforcement has 
to take action, and local governments must take action. Most 
importantly and most urgently, Congress has to take action. We 
desperately need to modernize our cyber security laws. I urge my 
colleagues to support these two bills.