May 2011


May 17, 2011 5:50 PM | Posted by Roy Hadley

The United States government released its "International Strategy for Cyberspace" yesterday.

It is an interesting read from the standpoint of the government acknowledging that cyber-security and cyber-warfare are issues that are at the forefront of the administration’s current mindset.

As stated in the report, the U.S. government will take an aggressive and proactive role in cyber-defense and network security. In fact, the report states that “[T]he United States will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits.”

For businesses, the report underscores that cyber-security and cyber-espionage will increasingly be topics that should be addressed not only from an operational standpoint but from a governance and risk management standpoint.

In addition to being read by company CTOs, CISOs, and CSOs, the report should be read by all C-suite executives and board committee members as it does a good job of outlining future cyber threats and what the government’s role will be in addressing those threats.

Link: http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf

May 17, 2011 4:31 PM | Posted by John Watkins
The Wall Street Journal recently reported that a group of U.S. lawmakers, including Senator Jay Rockefeller, Chair of the Senate Commerce Committee, is urging the Securities and Exchange Commission to issue guidance on how companies should report that they have been the victim of a major cyber attack.

According to the article, the lawmakers want companies to report on trade secrets and intellectual property that may have been compromised in the attack.

The article further reported that a 2009 study by insurance underwriter Hiscox found that 38 percent of Fortune 500 companies had failed to disclose the risk of data security breaches in their public filings.

This report is not surprising in light of the many recent high-profile cyber attacks and data breaches, including the breach of the Sony PlayStation Network. Prudent public company executives will want to review their internal requirements for handling security breaches. Ideally, this review should cover the security measures in place to thwart attacks as well as the disaster recovery procedures to be followed in the event of an attack. The WSJ article also highlights that companies should carefully review their SEC reporting requirements.

As readers of this blog know, I am not an expert in implementing information security and disaster recovery procedures. Readers needing guidance in this area should contact Roy Hadley or the other legal professionals in the firm. I am also not a securities regulatory lawyer.

My area of focus is litigation, including litigation that involves technology issues. I have observed trends and developments in business litigation for over 25 years. There are very few sure things in litigation, but one thing businesses can count on is plaintiffs’ lawyers following the risks identified by lawmakers or regulators.

Companies should act to minimize their cyber risks before the regulator comes calling or the class action complaint is served.

May 16, 2011 1:41 PM | Posted by Jeffrey Peabody

Last Thursday the White House announced that the Obama Administration has transmitted a cybersecurity legislative proposal to the Congress. Citing the approximately 50 cyber-related bills introduced in the last session of Congress, the Fact Sheet for the proposed legislation describes it as “focused on improving cybersecurity for the American people, our Nation’s critical infrastructure, and the Federal Government’s own networks and computers.” The proposal contains the following items:

National Data Breach Reporting – The legislation would simplify and standardize state law requirements regarding notification to customers when a breach has occurred.
Penalties for Computer Criminals – The legislation would clarify penalties for computer crimes and set mandatory minimums for cyber intrusions into critical infrastructure.
Voluntary Government Assistance and Information Sharing with Industry, States and Local Government – Clarifies the authority of the Department of Homeland Security (DHS) to assist organizations that suffer a cyber intrusion and provides immunity to businesses, states and local governments that provide cybersecurity information to DHS.
Critical Infrastructure Cybersecurity Plans – The proposed legislation would require DHS to work with operators of critical infrastructure (i.e. those assets whose disruption “would have a debilitating impact on national security, national economic security, national public health or safety”) to develop frameworks for addressing core cyber-threats.
Federal Cybersecurity – The legislation contains a number of measures designed to strengthen the cybersecurity of federal government computers, including measures related to the increased use of cloud computing by the federal government.
Privacy and Civil Liberty – The proposed legislation requires DHS and all other federal agencies to follow privacy and civil liberties procedures in implementing the proposed cybersecurity measures.

Initial reactions to the White House’s proposal appear mixed; see, for example, here and here. Companies should pay close attention to the proposed data breach reporting rules to determine what impact those rules could have on their operations. Operators of critical infrastructure, in particular public utilities, internet service providers and telecommunications providers, should examine the proposed framework for addressing cyber-threats to their assets.

The complete text of the legislative proposal is available here.