With a gridlocked Congress, President Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," on February 12, 2013. The Order emphasized that the "cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront." The Executive Order directed the National Institute of Standards and Technology ("NIST") to establish a framework to reduce cyber risks to "critical infrastructure," which the Executive Order defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

As directed, NIST has prepared a preliminary framework for public comment. The preliminary framework notes that cybersecurity issues cannot be addressed with a "one size fits all" approach: "Because each organization's risk is unique, . . . the implementation of the framework will vary." The preliminary framework provides a common language and mechanism for organizations to:

  • describe their current cybersecurity posture;
  • describe their target state for cybersecurity;
  • identify and prioritize opportunities for improvement within the context of risk management;
  • assess progress toward the target state; and
  • foster communications among internal and external stakeholders.

The NIST framework proposes security standards for certain "critical" industries, focusing on how to identify, assess and respond to cybersecurity risks. Such "critical" industries include healthcare and public health, banking and financial institutions, information technology, energy, communications, defense, commercial facilities and others.

If your industry is deemed "critical," the NIST framework may make compliance with certain risk evaluation and recovery procedures mandatory. You may want to review the proposed framework and consider commenting during the open comment period. You may also consider reviewing and updating your company's cybersecurity policies to ensure that your company complies with the proposed NIST framework.

For non-"critical" industries, it is not yet clear what the liability implications will be for companies that fail to comply with the framework and then sustain a cyber attack that results in a data breach. Nonetheless, the framework is the only comprehensive standard available for private organizations in the United States to look to for guidance and therefore has the potential to become the de facto standard and, absent any Congressional action otherwise, a "best business practices" measurement. Accordingly, most prudent companies with data security concerns will want to study the framework as soon as practicable. Among other steps, many companies will want to consider developing a comprehensive written information security program ("WISP"). But it may not be sufficient just to establish a boilerplate WISP: the critical factors are its applicability to what your company does; how your company stores, maintains, uses and protects its data; what the likely sources and causes of a breach are (both internal and external); and the actual day-to-day implementation and maintenance of the WISP.

Issues relating to cybersecurity continue to evolve. All companies need to be aware of these issues and of the state-of-the-art technologies intended to address cybersecurity threats, as well as current best practices for their industry and size, in order to better prepare and reduce their business and legal risks.