All I Want for Christmas Are Amendments to the Cybersecurity Act

Christmas comes but once a year and, for the last two years, Congress has delivered a bag of goodies in cybersecurity legislation. While most corporate counsels are still trying to figure out what the Cybersecurity Act of 2015 (CSA) does for them, I’ll take a cue from my five-year-old and start composing my wish list for next year now.

To be clear, there are a lot of things I like about the CSA. Even with the last minute changes, the drafters avoided a parade of horribles. The law explicitly excludes violations of terms of service agreements from the definition of a cybersecurity threat (win). It defines a defensive measure to exclude anything that should rightly be labeled offensive (win). It has provisions that require the minimization of personal data (win). And it maintains the traditional division between civilian and military roles (huge win).

Still, there is room for improvement even at this early stage and the drafters seem to know it. The law requires the executive branch provide no fewer than twenty-four reports to Congress on various aspects of the act (with unclassified versions to be made public). It even goes so far as to require a report to Congress that requests the administration’s views on whether further changes to the law are necessary. So, in that spirit, here are five things Congress should contemplate over the coming year: