May 21, 2017

May 19, 2017


May 18, 2017


Cybersecurity Bill Aims to Patch Holes in Main Street

The US Senate Commerce Committee recently advanced a bill, titled the MAIN STREET Cybersecurity Act of 2017 (the Bill), under which the National Institute of Standards and Technology (NIST) would disseminate “clear and concise resources for small business concerns to help reduce their cybersecurity risks.” Given that small businesses constitute a substantial portion of the economy, that cyberattacks can ruin small businesses and spill over into related parties and critical infrastructure, and that small businesses often have limited cybersecurity budgets and expertise, NIST would be charged with bringing Silicon Valley to Main Street.

Under the Cybersecurity Enhancement Act of 2014 (the Act), NIST’s expanded responsibilities include facilitating and supporting a voluntary public-private partnership to strengthen cybersecurity research, development, education, readiness, and implementation. In furtherance of its mission, NIST has developed and published numerous resources, including risk-based cybersecurity and privacy frameworks, as we discussed in a prior post. Although NIST has produced abundant research regarding cybersecurity issues, the Bill recognizes that needs and capabilities vary.

The Bill would amend the Act to specifically require NIST to consider the circumstances of small businesses and to circulate simple, apt guidance—like basic controls—to help small businesses defend against common cybersecurity risks. For added flexibility, the recommended measures would be technology neutral and commercially accessible. The Bill calls on NIST to coordinate its efforts with other federal agencies to ensure that the message, regardless of form or source, is “consistent, clear, and concise” and reaches this vital target audience.

At bottom, this new directive would fulfill the typical small business request: “Tell me what I need to know.” Although the Bill is an important step toward filling cybersecurity cracks in and around Main Street, the voluntary nature of the NIST guidance begs the question of whether small businesses will widely and effectively adopt cybersecurity measures. One possibility is that counterparties and insurers will leverage certain NIST recommendations as minimum standards for small businesses to meet. The driving force, though, could be consumers demanding adequate protection of their payment and other sensitive information—even the “buy local” movement has its limits. Luckily for local shopkeepers, cloud services are rapidly alleviating cybersecurity concerns and leveling the playing field—maybe small businesses aren’t that different after all.

Copyright © 2017 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Partner

Barbara Melby is a partner in the Global Outsourcing, Technology, and Commercial Transactions Practice at Morgan Lewis. Ms. Melby's practice focuses on information technology and business process outsourcing transactions, as well as commercial and other technology-related transactions, including system implementation, licensing, technology services, strategic alliances, and other agreements in support of sourcing and supply chain operations. 

215-963-5053
A. Benjamin Klaber, Morgan Lewis Law Firm, Finance Attorney
Associate

A. Benjamin Klaber is an associate in Morgan Lewis’s Business and Finance Practice. The lawyers in our Business and Finance Practice focus on mergers and acquisitions (including joint ventures, spin-offs, and strategic alliances), finance and restructuring, securities (including public and private equity and debt offerings), and tax. Clients range from Fortune 500 companies to investment banks to emerging market companies.

412-560-7422