
April 16, 2014

President Signs Cybersecurity Executive Order

“America must … face the rapidly growing threat from cyber-attacks. Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.  We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

President Barack Obama, State of the Union Address, Tuesday, February 12, 2013

Just before delivering his State of the Union address, President Obama signed an Executive Order aimed at increasing information sharing between the government and private-sector businesses in order to move the issue of cybersecurity protection forward. The goal of the order is to achieve a “partnership with owners and operators of critical infrastructure to improve cybersecurity information sharing…” by developing and promoting a new cybersecurity framework. The framework will partner critical infrastructure with sector-specific agencies to increase the flow of cybersecurity information between the government and private industry. See the White House blog posts at http://www.whitehouse.gov/blog/2013/02/13/improving-security-nation-s-critical-infrastructure?utm_source=related

How Will the Executive Order Potentially Affect You?

(1) The “Enhanced Cybersecurity Services” program is a voluntary program among federal agencies aimed at de-classifying information about cybersecurity threats and sharing that information with eligible private-sector businesses. Establishing the program will require industry involvement to determine what types of information will be most helpful in combatting cybersecurity threats. The accompanying presidential policy directive identifies 16 critical infrastructure sectors with which the federal government aims to “increase the volume, timeliness, and quality of cyber threat information shared…” and targets such industries as financial services, utilities and healthcare.

(2) The order calls for the government to develop a “baseline framework” to reduce cyber risk. This work will be led by the director of the National Institute of Standards and Technology. The framework will attempt to align “policy, business, and technological approaches” in combatting cyber risk. The framework will also include a “voluntary consensus…and industry best practices…” Since the framework will be built around industry best practices, it follows that it could become the standard for measuring cybersecurity programs.

(3) The order requires the Secretary of Homeland Security (“Secretary”) and agencies to create a voluntary program to promote the adoption of the framework by creating incentives for private-sector businesses. If targeted industries are receptive to the voluntary framework, this definitely increases the odds that the baseline will be a measuring stick for all cybersecurity programs within those industries.

Other Measures in the Executive Order

The Order also requires agencies to establish safeguards based on the Fair Information Practice Principles to protect the customer information that companies may share with the government and calls for the Chief Privacy Officer and the Officer for Civil Liberties of the Department of Homeland Security to release a report assessing the privacy and civil liberties risks of the program.

The Secretary is also charged with identifying critical infrastructure at the greatest risk. “Greatest risks” means that if a cybersecurity incident occurred it could “reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  This list will be updated on an annual basis and will not specifically identify commercial information technology products or consumer information technology services.

In addition, agencies that are responsible for regulating the security of critical infrastructure are required to work with the Department of Homeland Security, the Office of Management and Budget and National Security staff to determine whether current cybersecurity regulatory requirements are sufficient; if they are not, what actions need to be adopted to mitigate cyber risk; and whether the agencies have regulatory authority to adopt the preliminary cybersecurity framework. If the agencies find that they do not have the appropriate authority to adopt the framework, they must identify what additional authority is required.

Finally, agencies are required to work with private-sector business owners and operators of critical infrastructure and determine which businesses, if any, are subject to “ineffective, conflicting, or excessively burdensome” cybersecurity requirements.

Cybersecurity concerns have been at the forefront of much debate, and congressional leaders such as Senator Rockefeller have been trying to push legislation forward but have not been successful. Last month Sen. Rockefeller introduced the Cybersecurity and American Cyber Competitiveness Act of 2013, and this month the House is slated to reintroduce the Cyber Intelligence Sharing and Information Act (CISPA), which passed the House last year.

Developments and information regarding this Executive Order and potential Congressional action continue and you can find updates here.  We will also be presenting a webinar on how to prepare your business, so stay tuned for the date/time.

©1994-2014 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About the Author

Amy Malone, Corporate, Securities, Attorney, Mintz Levin, Law Firm
Associate

Amy’s practice is focused on corporate matters, such as compliance with SEC regulations and privacy and security issues.

Prior to joining Mintz Levin, Amy served as the director of privacy at Fidelity Investments. Her work there included overseeing the updates of the firm's privacy notice and coordinating privacy incident response. Amy also served as a legal risk advisor for that company.
