On the heels of the Obama administration’s veto threat, Senate staffers have disclosed that the Senate is unlikely to vote on the House-approved Cyber Intelligence Sharing and Protection Act, or CISPA. As written, CISPA would have enabled greater information-sharing between government and private companies regarding cybersecurity threats, and would have overridden parts of the Stored Communications Act, the Wiretap Act, and other legislation. The White House, which has already issued an Executive Order regarding cybersecurity, had earlier this month threatened to veto CISPA in the form passed by the House due to privacy concerns.
CISPA has generated significant controversy among commentators, non-profits, and private citizens, with privacy as the major point of contention. Technology companies supporting CISPA have stated that the bill provides important liability protections that would enable greater information sharing regarding potential cybersecurity threats.
A competing bill is said to be in the works in the Senate, but in all likelihood, immediate attention may shift to the implementation of President Obama’s Executive Order 13636, titled “Improving Critical Infrastructure Cybersecurity.” The Executive Order calls for the National Institute of Standards and Technology to work with industry leaders, standards bodies, government agencies, independent experts, and others to develop a set of best practices for protecting cybersecurity for “critical infrastructure” entities. The Order defines “critical infrastructure” to mean any system or asset whose destruction could have “a debilitating impact on security, national economic security or national public health or safety” — areas such as energy, water, health care, financial services, information technology, telecommunications, transportation, and national defense. (Notably, it states that commercial information technology products and consumer information services fall outside this definition.) The stated goal of the Order is to develop a comprehensive Cybersecurity Framework to help protect critical infrastructure from cybersecurity threats, and to lay the foundation for possible agency regulation. The Order also requires the eventual dissemination of unclassified information to critical infrastructure entities, an analysis of the incentives that might be offered to encourage participation in the Cybersecurity Framework, and an assessment of whether it would be feasible to include tighter security standards in the government contracting process.
The Executive Order differs from CISPA in several material respects. First, because the Executive Order lacks the force of legislation, it does not override existing privacy statutes. Also, whereas CISPA authorizes the private sector to share information with the government, the Executive Order only requires information-sharing in the opposite direction, i.e., from the government to critical infrastructure entities. Privacy groups like the ACLU have argued that forcing government agencies to share information they already have and can already collect is not as problematic as allowing private companies to disseminate potentially sensitive information to outside entities.
The White House has also released a new Trade Secret Strategy that lays out approaches the government will take to mitigate trade secret theft. The approaches include diplomacy, the development of voluntary best practices, improved legislation and law enforcement, and public outreach. These developments may drive trends in private enforcement, and could lead to arguments that developments related to the strategy should affect the way criminal and civil trade secret laws are interpreted.
The increased focus on cybersecurity provides both uncertainty and opportunity. Companies should consider the potential impact of the cybersecurity and trade secret developments, including auditing network security and reviewing policies regarding trade secret protection. Companies should also consider and explore avenues to contribute to the development of national policies and best practices, and may want to take advantage of any participation incentives that become available. By participating in the discussion, companies can advocate for sensible policies and strengthen ties with regulators. Companies involved with government contracts may have an added incentive to participate in the development of the Cybersecurity Framework, as they may face increased scrutiny if specific security requirements become required. The National Institute for Standards and Technology has already begun the process for soliciting information regarding the proposed Framework and a preliminary version is set to be published in October 2013.
Contacts
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Rocca-BrianThis article was originally published by Bingham McCutchen LLP.