While no one is optimistic about seeing progress from Congress on immigration reform, deficit reduction and most other big-ticket policy issues, the smart money may be on Congress actually passing some cybersecurity legislation within the next year, perhaps even before the November election.
Major network intrusions resulting in the loss of intellectual property and consumer confidence have become commonplace. Under these circumstances, wouldn't any cybersecurity legislation be an improvement over the current state of affairs? And if there are competing versions of legislation out there, aren't they just different versions of good?
The answer from the private sector has been a resounding “no.” While the House of Representatives recently passed an industry-friendly cybersecurity bill, the Senate and the White House strongly prefer legislation with more limited information sharing than the House bill provides. They also favor cybersecurity mandates for the private sector, which are not included in the House legislation.
There actually are several Senate proposals, though one, referred to as “Lieberman/Collins,” leads the pack. Senate leadership says its members will not support the House’s vision, and the President has said he will veto the House bill if it does not undergo significant change. However, there is a strong sense that a compromise will be reached that ultimately includes information sharing provisions similar to those in the House bill.
So what does all of this mean to in-house lawyers? Not only do they need to be prepared for cyber attacks, but they will soon also need to prepare for the changed environment that is sure to come from cybersecurity legislation, whatever its final form. We'll start with a summary of key provisions and then provide a bit of advice on reducing your company's risk once Congress does pass cybersecurity legislation.
The House bill is known as “The Cyber Intelligence Sharing and Protection Act” (CISPA). As its name implies, it would give businesses and the federal government enhanced abilities and protections for sharing cybersecurity information, but without requiring anything from the private sector, i.e., no mandatory sharing or reporting and no cybersecurity obligations.
CISPA amends the National Security Act of 1947 by permitting and encouraging the U.S. Intelligence Community to share cyber threat intelligence, including classified information, with private sector entities. CISPA also permits and encourages private sector entities to share cyber threat information with the Department of Homeland Security (DHS).
The privacy community, however, is up in arms over provisions that permit DHS to share that threat information with other departments or agencies of the federal government (there are protections against sharing the information outside the government). The bill also provides that “cyber threat information shared with the Federal Government” may further be used:
- “For cybersecurity purposes”
- “For the investigation and prosecution of cybersecurity crimes”
- “For the protection of individuals from the danger of death or serious bodily harm and [related investigations and prosecutions]”
- “For the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor”
- “To protect the national security of the United States.”
Finally, CISPA provides broad immunity from civil suits for sharing information or the consequences thereof and removes any liability for declining to share cyber threat information where such voluntary sharing was permitted under CISPA.
If CISPA (or something close to it) were to become law, we would recommend that companies institute two important controls.
- The limitation on liability for sharing pertains to providers of cybersecurity services and those that use such services, as well as any self-protected entity that “provides goods or services for cybersecurity purposes to itself.” Most companies will—or will want to—fall into that last category, but which aspects of corporate network protection will actually qualify your company as a “self-protected entity”? Nailing down your company’s qualification for this statutory immunity should be your first task.
- It is important to prepare for potential increased information sharing with the government. You need clarity as to who is authorized to share threat information, with whom they can share it, under what circumstances and with what internal approval(s). If you do not already have rules-of-the-road for government sharing, we recommend developing them now.
Some may wonder why greater controls are needed if the legislation confers immunity from suits. Keep in mind that not all sharing qualifies for immunity, so companies need to make sure that they share in a manner that does qualify. For instance, to qualify for immunity a company must share information “in good faith.”
In this sense, the legislation confers immunity from liability, not immunity from litigation. Therefore, companies may still find themselves embroiled in costly litigation trying to prove that they acted in good faith.
Similarly, it is not clear that the legislation confers immunity against potential causes of action for violation of contract. For example, if information shared by Company X with Company Y is protected by confidentiality agreement between the two companies, and such information is exfiltrated from Company Y’s network, can Company Y really share information pertaining to those exfiltrated files with the FBI, even though the confidentiality agreement prohibits such sharing? Instituting effective internal controls can greatly increase the likelihood that your company’s actions will be protected by statutory immunity and greatly reduce the risk of liability or costly litigation.
Stay tuned as the Senate takes up the sausage making. Among other critical issues, many of the current Senate proposals include cybersecurity mandates for the private sector. If Congress passed legislation that included such mandates, it would up the ante and increase a company’s burden and risk from complying with such legislation.