The federal government’s new push to bolster cybersecurity will create an array of legal questions and potential pitfalls for companies in the coming months.
On February 12, President Barack Obama signed an executive order that directs federal agencies to work with companies to better protect the nation’s critical infrastructure from computer attacks. For in-house counsel and their outside lawyers, the order means they’ll need to move fast to review compliance with current regulations and determine whether their clients should share information about cyberthreats with the government.
Starting now, federal agencies will be checking their legal authority to create new rules or regulations on cybersecurity. The National Security Agency and Department of Justice will be setting up a program for sharing classified information with private companies. And the Department of Commerce will be working with critical infrastructure companies like utilities and banks to develop national standards to best deter attacks.
Companies in those regulated industries will want to be involved in the government’s discussion about those national standards, called the "cybersecurity framework," which will be hashed out in a process that may take months, said Jamie Barnett, co-chairman of Venable’s telecommunications group and a partner in the firm’s cybersecurity practice. The framework may prove very broad or very specific. "They’re going to want their legal counsel on this because they don’t want to be on the wrong side or have the wrong standards adopted, and they’re going to want to at least have their concerns heard," Barnett said.
Patrick Gallagher, the director of the National Institute of Standards and Technology, announced on February 13 that the institute will issue a "Request for Information" from critical infrastructure owners and operators and hold workshops. "By working together…we’re going to make this successful," Gallagher said. "The U.S. has always turned to industry to be the main driver of these types of standards."
General Keith Alexander, director of the National Security Agency, said at the same announcement that high-profile cyberattacks like those against Wall Street show how the government and industry need "to be working together as a team" to keep America safe.
HARD TO SAY NO?
While companies will be glad to receive government information on cyberthreats, the executive order’s information-sharing program raises a number of legal issues, said Ted Kobus and Jerry Ferguson, co-chairmen of Baker & Hostetler’s privacy and data-protection practice.
Under the order, businesses could enter a voluntary information-sharing program, providing information about cyberthreats to the government; in return, the government could provide classified technical information.
But the order also tells agencies to come up with incentives to lure companies into the sharing program, possibly including preferences for government contracts, Ferguson said. "If you’ve got your regulator creating incentives, it may be very difficult to say no," he said.
Attorneys for these companies will "have to step back and think" about what might happen to the information they share, Kobus said. Is this information going to be shared with competitors? Will it be subject to Freedom of Information Act requests? Could it open the company to liability?
White & Case partner Daren Orzechowski said individual privacy rights are also a consideration. "Companies should re-evaluate their existing privacy policies and check if, under the policy they have with their customers, do they have the right to voluntarily share information," he said. "There might be issues with participation [in the program] that they need to understand now."
Law firms are not likely to be included among businesses considered to represent critical infrastructure, such as utilities and financial services companies. But they might be affected by the executive order because they represent companies that house intellectual property and government secrets. "Because our clients are going to be involved in that litigation, lawyers are going to be dragged into these disclosures as well," Kobus said.
The order will also raise the visibility of the cybersecurity standards in place at regulated companies. "Look at those procedures to see if you’re in compliance under current law, because they are going to be under scrutiny no matter what new regime the executive order brings," Kobus said.
The scrutiny will go beyond in-house systems — companies will also need to "make sure their supply chain has all the controls in place as well," said Mercedes Tunstall, of counsel to Ballard Spahr. "It’s an area of concern. You spend so much time and effort getting your own house in order, and then you need to turn around and look at your suppliers."
Lawyers familiar with cybersecurity have been anticipating the executive order for months — ever since Congress failed to pass legislation to address cyberthreats last session. Many of the provisions will take agencies months or a year to study and then implement.
The executive order does not grant some of the things law firms and other businesses need most to help prevent cyberattacks — mainly, liability protections for sharing information about cyberattacks with the government and with each other. The White House has said that legislation is still needed to protect the nation’s key infrastructure.
It is too early to tell how much change this executive order could bring when it offers no funding for the effort, said Ferguson. "You look at the actual language of this, and it’s pretty vague stuff. You can see an order like this being announced and then just disappearing," Ferguson said. "It is also possible this is going to be a watershed event in that it will be a first step toward a coordinated cybersecurity strategy."
The federal government twice before has adopted cybersecurity standards. The first effort was part of the Gramm-Leach-Bliley Act, and required financial institutions to have a written, comprehensive plan to safeguard customer information, without really specifying what the plan should look like, said Hunton & Williams partner Lisa Sotto.
The second time was in 2005, as part of the Health Insurance Portability and Accountability Act. Those standards were very specific, and "now look really antiquated," she said. What’s unknown is whether the new standards will be "highly prescribed or more ambiguous," she said. In either case, the key is flexibility. "Cyber criminals are constantly changing their tactics. We have to fight tomorrow’s battle, not yesterday’s."
Legislation stalled last year, in part, because Republicans were worried the bill would create new government regulations for companies, while Democrats worried about privacy concerns. Several legislators have already filed bills and pledged to make a comprehensive cybersecurity bill a top priority, including the new chairman of the Senate Homeland Security and Governmental Affairs Committee, Senator Tom Carper (D-Del.).
Todd Ruger is a reporter for The National Law Journal, a Legal affiliate based in New York.
Senior reporter Jenna Greene contributed to this report.