Underscoring the seriousness of recent cyber-attacks, the Obama Administration is seeking to establish cybersecurity standards and enact new federal laws to cover cybercrimes. The common thread throughout these recent announcements has been the importance of collaboration among business and government sectors to stop cyber-attacks and strengthen national security. However, it remains to be seen which of these proposals, if any, will be enacted into law. It is equally uncertain whether the protections afforded to the business community will satisfy businesses, or take into account the practical issues that they face every day.
In his State of the Union Address on Jan. 20, President Obama announced the need for federal cybersecurity legislation, urging Congress to “finally pass the legislation we need to better meet the evolving threat of cyber-attacks.” The President’s proposal would require companies to notify affected consumers within 30 days after a data breach is discovered. The proposed legislation would likely preempt state data breach laws, and not be an additional regulation with which businesses must comply, although some states have objected. The President also proposed legislation which would amend the Racketeer Influenced and Corrupt Organizations Act (RICO) to allow cybercrimes to be a basis for RICO prosecutions, while the Computer Fraud and Abuse Act would be updated to cover corporate who misuse confidential information.
Less than a month later on Feb. 13, President Obama hosted a Cybersecurity Summit at Stanford University (“Summit”) for the government, public and private sectors to discuss the importance of cybersecurity collaboration. At the Summit, the President announced his own executive order appointing Homeland Security, rather than the NSA, to spearhead the Administration’s cybersecurity efforts, likely in an effort to repair the strained relations between the private sector and the government since the exposure of the NSA’s data surveillance techniques.
The President’s executive order further emphasized the need for the private sector to share cyber threat information with federal agencies through private sector networks called Information Sharing and Analysis Organizations (ISAO). However, although “targeted liability protection” has been enacted.
Additionally, on Feb. 25 the White House announced the creation of the Cyber Threat Intelligence Integration Center (CTIIC). The agency’s mission again emphasized the need for collaboration. However, the purpose of the CTIIC is to encourage cross-dissemination and analysis of cyber threats between three existing federal cybersecurity agencies—the National Cyber Investigative Joint Task Force (NCIJTF), National Cybersecurity and Communications Integration Center (NCCIC), and U.S. Cyber Command.
Days later on Feb. 27, the Obama Administration released its Consumer Privacy Bill of Rights Act of 2015. The new Bill of Rights is a revival of 2012 legislation that sought to balance consumer privacy concerns with governmental objectives to control cybercrimes. The proposed bill would require businesses to comply with a code of conduct established by the Federal Trade Commission (FTC). However, the proposed legislation does provide a safe harbor provision from federal enforcement so long as a business adheres to the FTC’s own established code of conduct.
Congress, the President, businesses, and lawyers alike agree that new cybersecurity and data privacy laws are needed. This is not an issue to be solved by technology alone. This collaboration is vital and inevitable. However, even with these collaborative efforts, the government must clearly delineate which federal agencies will develop and enforce these standards, and for which industries.
These boundaries are needed in order to minimize any confusion, ambiguity, or legal actions that would impede achieving these goals of greater privacy and cybersecurity protection.
Jonathan Feld is a member in Dykema’s Chicago and Washington, D.C. offices. He focuses his practice on business litigation, advising corporations, boards of directors and board committees regarding internal investigations, corporate compliance programs, corporate governance issues and data privacy. He can be reached at JFeld@dykema.com or 312-627-5680.
Suzanne Alton is an associate in the Chicago office of Dykema. She focuses her practice on financial services litigation and can be reached at SAlton@dykema.com or 312-627-2110.