President Obama’s cybersecurity executive order, released February 12, had legal technology experts split in their opinions.
The order calls for specific actions: civil liberty and privacy protection; collaborative development of tiered security standards based on the context of an organization’s data; creation of federal cybersecurity technical guidelines; identification of critical infrastructure; periodic policy review; and periodic unclassified security reports.
Law firm computer security, and by association the security of electronic discovery products, is increasingly considered important because law firm and technology vendor networks hold valuable client data. "We have hundreds of law firms that we see increasingly being targeted by hackers," Federal Bureau of Investigation cybersecurity expert Mary Galligan said at LegalTech New York this month.
FBI officials have long acknowledged that they regularly share cybersecurity information with private companies, often through a project called InfraGard, which has 56 chapters nationwide. The group’s membership is not disclosed, although Hogan Lovells partner Jeffrey Lolley co-chairs InfraGard’s cybersecurity committee. Hogan partner Harriet Pearson blogged about the executive order. "President Obama noted that this executive order is meant to fill a gap while Congress continues to pursue legislation," she observed.
The National Institute of Standards and Technology announced its own security information sharing plan in 2012. Now, NIST is calling for public comments on the executive order, the agency announced. Law firms have their own entity, the LegalSEC committee of the International Legal Technology Association, which formed in 2012 and is hosting its first conference this summer.
Adam Carlson, of security consultancy Carlson & Wolf, focuses on law firms. He saw reasons for optimism and skepticism. "I think the cybersecurity program could have a major positive impact on the cybersecurity readiness of American business, but the program must be well-designed and well-executed, something always easier said than done," he noted, in Oakland, Calif. "However, the order is vague in describing what types of organizations will be impacted. … It appears to leave open the possibility that at least some law firms would be included due to their management of various types of highly sensitive client data," he said. "Similarly, there is a lack of clarity about what types of information will be shared and how the shared information can be used to prevent successful cyberattacks."
KPMG observers agreed with that assessment. E-discovery specialist Katey Wood said cybersecurity is top of mind for her clients. "I can tell you that we’ve had a number of inquiries from clients for services around breaches, both direct and indirect," she said, in New York. Edward Goings, principal, added a larger context: "With the increased activity around state-sponsored attacks and increased activity around cyberterrorism, companies know this issue has to be addressed now instead of later. I think the executive order by the administration is a step in the right direction to get companies sharing information rather than keeping it quiet."
Attorney Craig Ball, in Austin, Texas, also saw the positives and negatives. "Every exercise of political will in support of hardening critical infrastructure against hacking is a positive step, and it’s laudable that the president has so prominently elevated the issue in the national consciousness," Ball said. "But, we should not conflate his commissioning what is basically a big study of how to proceed toward the goal with making genuine progress. Furnishing more information about cyberthreats is of limited value if those who receive more information aren’t acting on the threat data they already receive."
Ball added that many cyberattacks happen after "zero-day" events — security vulnerabilities that are newly discovered and for which patches don’t yet exist — or after companies ignore well-known system weaknesses.
"Not only is the executive order more aspirational than executive, I worry that its legacy will be to prompt Congress to extend broad immunities from liability to the companies who have proven so lax in their stewardship of critical infrastructure. Without the specter of liability — without sharp teeth — there’s little to motivate private concerns to upgrade information infrastructure in support of cybersecurity," Ball continued. "We should be vigilant to prevent labeling anyone from Google to Amazon to your local power company as a provider of ‘critical infrastructure’ if that label only serves as the cybersecurity equivalent of ‘too big to fail’ and operates to limit accountability to those injured by sloth, ignorance and greed."
OrcaTec Chief Technology Officer Herb Roitblat said he hopes for more government action, but that officials should be cautious of doing more harm than good. "If cybersecurity is improved in this country, I think that the largest impact will be on encryption of business communications. Depending on how the encryption is managed, it could make it very difficult to do basic e-discovery. Documents would have to be decrypted before they could be ingested. Passwords may be lost. Documents may be designed to self-destruct after a time, which would mean that there is less to discover," he said. "The current executive order is largely directed at sharing information about threats and … giving NIST a mandate for recommended standards for security of critical U.S. infrastructure. If Congress passes some legislation, that could mean a lot more."
"Basically this executive order is the administration’s way of highlighting the importance of getting legislation passed that establishes basic cybersecurity standards in the U.S., which we don’t have right now," Tunstall said, in Washington, D.C. There are many pieces in the wild, but, "We don’t have kind of a general law that says, ‘You should take steps to protect against data security problems,’" she noted.
"While it will be kind of a baseline, everybody needs to get their act together," Tunstall said. "I do think there is a very high likelihood … that law firms will have to have a higher standard. Believe me, I have worked with clients that have had other law firms that have had data security breaches."
Cowperthwait, in Hartford, Conn., heads the Connecticut chapter of InfraGard and stressed that law firms should be prepared for change. "Law firms and private legal vendors have access to trade secrets, critical technologies, and other proprietary and sensitive business information of their clients," he said. "As a result, I can easily envision a scenario whereby an owner or operator of critical infrastructure passes on comprehensive cybersecurity requirements to law firms with access to its data or information."
The U.S. Department of Commerce scheduled a press conference about the executive order for Wednesday afternoon.
Evan Koblentz is a reporter for Law Technology News, a Legal affiliate based in New York.