An Analysis of Proposed Federal Cybersecurity Legislation
Michael Chertoff, the former head of the U.S. Department of Homeland Security (DHS), recently remarked that cyber threats represent one of the most seriously disruptive challenges to national security since the onset of the nuclear age 60 years ago. Mr. Chertoff may be on to something. In its April 2012 monthly monitoring report, DHS announced that various companies in the natural gas pipeline industry were apparently being targeted by cyber attacks. Between October 2011 and February 2012, DHS claimed that there were 86 reported attacks on U.S. computer systems controlling U.S. critical infrastructure.
To address these threats, several competing bills were recently introduced in Congress; however, it is unlikely that the current bills will be enacted into law in the near future.
The Pending Legislation
The Cyber Intelligence Sharing and Protection Act (CISPA)
On April 26, 2012, CISPA (a Republican-sponsored measure) passed the U.S. House of Representatives. CISPA takes the approach of facilitating greater sharing of cyber threat information among government and industry. CISPA does not mandate any minimum cybersecurity standards for private enterprise. Pursuant to CISPA:
- Private companies may share cyber threat information with other entities, including the federal government.
- Private entities may use cybersecurity systems to identify and obtain cyber threat information.
- Private entities, acting in good faith, would be immune from lawsuits in federal or state courts in connection with certain actions taken pursuant to CISPA.
- Cyber threat information shared with the federal government could be used for purposes other than countering cyber threats.
Civil libertarians and left-leaning groups have criticized CISPA for, among other things, potentially overriding federal and state privacy laws.
The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (the SECURE IT Act)
The SECURE IT Act, sponsored by Senator John McCain (R-Arizona), was originally introduced into the Senate on March 1, 2012. Like CISPA, the SECURE IT Act simply provides for an information-sharing mechanism related to cyber threats.
Under the SECURE IT Act:
- Private entities would be allowed to monitor and employ countermeasures on their own systems (and on the systems of consenting third parties) for the purpose of obtaining and possessing cyber threat data.
- Private entities could disclose cyber threat information to certain existing cybersecurity centers or to other entities.
- Existing cybersecurity centers could disclose, in certain cases, cyber threat information to other governmental agencies and government suppliers.
- No causes of action could be brought against a private entity in connection with certain of their actions taken (or not taken) in accordance with the act.
- The Director of National Intelligence and the Secretary of Defense are charged with establishing procedures for sharing cyber threat information possessed by the government.
Like CISPA, the SECURE IT Act has been criticized for not sufficiently protecting existing privacy rights provided for under federal and state law.
The Cybersecurity Act of 2012 (CSA)
The CSA was originally introduced into the Senate on February 14, 2012 by Senator Joe Lieberman (I-Connecticut). The CSA addresses many aspects of cybersecurity, but the most relevant portions for private enterprise are contained in Titles I and VII of the bill.
Unlike CISPA and the SECURE IT Act, the original version of the CSA set forth fairly stringent regulatory provisions. For instance, Title I of the original bill granted DHS the authority to develop minimum risk-based cybersecurity performance requirements for companies operating critical infrastructure.
Business groups vociferously criticized the Title I regulatory provisions of the original bill, charging that they would lead to the imposition of costly compliance burdens on a number of companies in key industries. In response to such criticism, a revised version of the CSA was introduced on July 19, 2012. Under the revised bill, a group of governmental and industry actors would develop a set of voluntary cybersecurity practices for protecting critical national infrastructure. However, existing governmental regulators with supervisory authority over any critical national infrastructure could still require companies in the regulated industry to comply with the voluntary cybersecurity practices.
Title VII of the CSA, like the other proposed bills, sets forth certain information monitoring and sharing provisions. Under Title VII:
- Private entities can monitor and defend their own systems (and the systems of consenting third parties) against cyber risks.
- Private entities can share cyber threat information with each other, though they must take reasonable steps to protect personally identifiable data.
- DHS has the authority to create cybersecurity exchanges in which cyber threat information could be shared among federal agencies and private entities.
- Under the revised version of the CSA, such cybersecurity exchanges must be civilian in nature (i.e., they cannot be managed by the Defense Department).
- The revised version of the CSA clarified that cybersecurity exchanges could only share data with law enforcement where the information pertains to: (a) a cybercrime, (b) an imminent threat of bodily harm or serious injury, or (c) a serious threat to minors.
- DHS would develop privacy-related policies relating to the receipt, use, and disclosure of cyber threat information by federal agencies.
- Subject to certain exceptions, private entities would be immune from federal or state criminal or civil actions in connection with certain actions permitted under Title VII of the CSA.
- The revised version of the CSA indicates that a private entity loses immunity protection if such entity knowingly, or with gross negligence, fails to comply with Title VII of the CSA.
Status of the Cybersecurity Bills and Possible Executive Action
In late 2011, Senate Majority Leader Harry Reid (D-Nevada) promised to have a Senate vote on cybersecurity legislation in 2012. True to his word, Senator Reid brought the revised CSA bill to the Senate floor in late July 2012. However, on August 2, 2012, the bill failed to muster a sufficient number of votes to invoke cloture and move to a final vote. Given that failure, and the likely dominance of election year politics during the remainder of 2012, it looks doubtful that any of the currently pending cybersecurity bills will be enacted into law anytime soon.
Despite this legislative failure, Senator Jay Rockefeller (D-West Virginia) has publicly called for President Obama to implement portions of the CSA through executive order. At least one White House aide (John Brennan, the White House's chief counterterrorism adviser) has indicated President Obama is considering just such an action.
Implications for Private Enterprise
While there is little chance of cybersecurity legislation passing this year, cyber risks are not going away and elected officials (and federal agencies) have not lost their desire to develop a governmental response to real and perceived cyber threats. Companies will need to remain proactive in addressing cyber risks.
Even in the absence of new legislation, companies should be aware that they may have existing legal obligations to guard against cyber threats. For instance, many financial-services firms are already subject to the Interagency Guidelines Establishing Information Security Standards promulgated by federal financial regulators pursuant to the Gramm-Leach-Bliley Act. These guidelines set forth a number of information-security rules for financial-services firms.
Publicly traded companies are on notice that cyber threats can impact their legally required disclosure obligations. Last year, the Securities and Exchange Commission issued a guidance document that described how cybersecurity issues could impact disclosure items in public filings required to be made under federal securities laws.
There is also potential state law liability for failure to protect against cyber threats. For example, the Delaware Supreme Court noted in the 2006 Stone v. Ritter case that corporate directors may be liable for breach of their fiduciary duties where they failed to implement or monitor any information system or controls.
Given this ever-changing legal background, what should private companies do? As an initial matter, to the extent that a company has not already done so, it should consider adopting a formal, written information security program, with the guidance and input from technical experts who are familiar with both information security issues in general and the cyber threats that specifically impact that company. Companies should also consider charging a senior corporate officer with responsibility for overseeing cybersecurity issues. Given the emphasis on both sharing of cyber threat data and protection of individual privacy that is likely to come out of any new federal cybersecurity legislation, companies should consider analyzing how they can share cyber threat information with other companies (and the government) while remaining mindful of their antitrust and data privacy obligations.
Cybersecurity is a dynamic field. Companies must be flexible as they manage both cyber threats and new laws and regulations that are likely to be enacted in response to cyber threats.
Todd Taylor is a senior counsel in Moore & Van Allen's intellectual property practice group and its commercial and technology transactions practice group. Todd's practice is focused on e-commerce, technology, data privacy and security, outsourcing, and supply chain matters.