In 2015, the Office of Personnel Management’s (OPM) computer systems suffered a series of devastating cyber attacks that exposed roughly 21.5 million federal employees’ personal information. The breaches—attributed to Chinese hackers—resulted in the exposure of federal employees’ extremely sensitive information, including Social Security numbers. Over the past decade, similar cyber attacks on consumers’ personal information have occurred within the private sector with alarming frequency. The OPM breaches highlight a disturbing trend: the federal government’s lack of preparedness for cybersecurity incidents in the public sector.
This Note will confront the question of whether the Cybersecurity Act of 2015 (Cybersecurity Act)—stemming from the proposed Cybersecurity Information Sharing Act (CISA) and Federal Cybersecurity Enhancement Act of 2015 (FCEA) (collectively referred to as S.754)—can adequately address the security and civil liability inadequacies that exist under the current legislative framework. Part II.A will explore the existing patchwork of statutes, executive orders, and administrative entities that currently control state protection of personal information and state responses to cyber attacks. Part II.B will examine civil liability issues in both the private and public sectors under the current legislative framework. Part II.C will detail the provisions of S.754 and the Cybersecurity Act. Following an analysis of the Cybersecurity Act’s strengths and weaknesses, Part III of this Note will propose changes, particularly in the areas of cyber attack protection and liability concerns. Ultimately, this Note argues that the Cybersecurity Act is inadequate to address the issues of protection and redress that currently exist.