On February 12, 2013, in the wake of daily stories about corporate computer intrusions from China, the president released his highly anticipated executive order on cybersecurity. The order, which relates only to critical infrastructure, set forth two main mandates: (i) it directs the National Institute of Standards and Technology (NIST) to develop voluntary cybersecurity standards for owners and operators of private sector critical infrastructure, and (ii) it requires the Department of Homeland Security (DHS) and other specific industry departments to develop programs to share sensitive cyber threat information with private industry. Notably, it does not actually require the private sector to do anything.
Elements of the Executive Order
The order outlines procedures designed to support the creation of a “Cybersecurity Framework.” DHS will attempt to identify critical infrastructure in which the occurrence of a cybersecurity incident would create the most damage to “public health or safety, economic security, or national security.” Reports of cyber threats and underlying related information will be produced and disseminated to specific entities that are the targets of such threats, all the while taking care to ensure that individual privacy and civil liberties are being safeguarded throughout the process. Any information voluntarily submitted by private entities shall be protected from disclosure “to the fullest extent permitted by law.” Once the information foundation has been set, DHS shall establish a consultative process designed to enhance and improve cybersecurity measures within and among critical infrastructure entities. This process will serve as the foundation for the cybersecurity framework, which will be created by the NIST and include “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The framework will attempt to guide critical infrastructure companies in identifying and managing cyber risk, and will include performance measurements designed to gauge a company’s success in implementing the framework.
DHS, in conjunction with other appropriate federal agencies, will establish voluntary programs to enable critical infrastructure companies to actually adopt and implement the cybersecurity framework. Such programs will offer incentives to these companies designed to promote the effective implementation of the framework. Further, the Department of Defense will attempt to incorporate security standards into their acquisition planning and contract administration efforts.
Analysis and Commentary on the Implications of the Executive Order
While the executive order focuses exclusively on critical infrastructure, the implications are likely to be much more widespread. Some commentators have expressed concern that the new NIST cybersecurity policies will form a de facto security standard that can be used in litigation. However, as discussed below, private industry should take a more proactive approach, embracing this standard as a tool to defend itself against the wave of security breach litigation coming through the courts.
By way of background, it is important to note that the order was completely consistent with other recent government sharing plans, such as the 2011 Defense Industry Base (DIB) Program, which directs the DOD and DHS to share non-classified information about cybersecurity-related threats with DIB partner companies, like contractors.
In contrast, the order fell short of the 2010 Protected Critical Infrastructure Information (PCII) Program designed to protect the information provided by the private sector. The PCII is an information-protection program that promotes voluntary information sharing between critical infrastructure owners and the government. PCII protection means that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data. Under the PCII, the government protects industry information from:
- The Freedom of Information Act (FOIA);
- State, tribal and local disclosure laws;
- Use in regulatory actions; and
- Use in civil litigation.
PCII can be accessed only in accordance with strict safeguarding and handling requirements. Only trained and certified federal, state and local government employees or contractors may access PCII.
Business should welcome the executive branch’s hands-off approach to private industry (as reflected by DIB and PCII). By the same token, companies involved in critical infrastructure protection need to focus on the expansion of tort law by federal and state courts. In fact, for years the courts have been finding that corporations have a duty to provide appropriate security for their data. Three significant cases deserve mention.
In re September 11 Litigation (S.D.N.Y., September 2003)
Much of the tort law expansion in this area started to develop in the weeks and months after Sept. 11 and the seemingly unpredictable events of that day. The use of airplanes as weapons of mass destruction was roundly regarded as an asymmetrical threat.
However, in 2002 a class action was brought by the surviving family members of the Sept. 11th victims. The survivors sued the airlines, airports, aircraft manufacturers and the World Trade Center. In evaluating the case the court examined two elements: (1) whether the various defendants owed a duty of care to the people in the World Trade Center and on the planes that crashed; and (2) whether the terrorist act was foreseeable. In finding that the case should go to a jury, the court found that the law imposes a duty of care on a company to protect the user of its services from the conduct of third parties — even criminal third parties. The court noted that the public already depends on others to protect the quality of water and the air we breathe, and to bring power to our neighborhoods. This duty of care extends to private companies and has liability ramifications for technology companies that, for example, store or host sensitive data.
The court also observed that, while a criminal act (such as terrorism or hacking) typically severs the liability of the defendant, that doctrine has no application when the terrorism or hacking is reasonably foreseeable. The court went on to note that the danger of a plane crashing as a result of unauthorized individuals invading the cockpit was the very risk that defendant plane manufacturer should reasonably have foreseen, indicating that terrorist acts can, under certain circumstances, actually be foreseeable.
State of Maine Public Utilities Commission (April 2003)
The second case involved Verizon and the Maine Public Utilities Commission. The case dealt with whether Verizon could get a waiver of certain performance failure penalties that it was required to pay. Verizon argued that it should not have to pay, because its website went down due to the Slammer Worm. The commission found that viruses and worms are foreseeable events, as evidenced by the regular security bulletins issued by software companies. In review of this history, the commission found that Verizon had not taken the reasonable steps available to it, steps that competitors AT&T and WorldCom did take (installing certain patches that prevented the Slammer Worm from affecting their systems, etc.). Ultimately, the commission found that Verizon should be held accountable for its failure to employ adequate security, indicating that virus attacks are completely foreseeable events.
Patco Construction Company, Inc. v. People’s United Bank (1st Cir., July 2012)
It is worth noting that the above two cases are nearly 10 years old. Since then, the willingness of courts to evaluate and require demonstrable security steps has become more aggressive. In Patco Construction v. People’s United Bank, hackers used malware to masquerade as the construction company and fraudulently withdraw more than $588,000 from the company’s bank account. Initially a federal district court in Maine upheld the disclaimer of liability terms in the contract between Patco and the bank, and found in favor of the bank. However, in July 2012, the U.S. Court of Appeals for the 1st Circuit overturned the district court and found that, while the bank was fully aware that its electronic banking was “high risk,” and implemented enhanced security as a result, it had neglected to actually effectively use its own security systems by failing to adopt security measures that, according to the court, were available and commercially reasonable under the circumstances.
Implications and Conclusions
These three cases, viewed in light of the new executive order, generate three comments. First, while the current White House interest in cybersecurity is a step in the right direction, it does not employ adequate controls and protections for companies that want to share critical infrastructure vulnerabilities with the government. Protections similar to those used in the PCII program should be incorporated into the current initiative.
Second, the hostile technology at large on the Internet is completely foreseeable by companies and the courts. Courts are willing and able to enter into detailed evaluations of the steps taken by the private sector to protect proprietary information. They expect to see a graduated approach to security that fits the security level to the sensitivity of the information involved. They also expect to see advanced corporate planning and security policies in place that show that the company took security seriously.
Finally, as suggested above, given the current cyber threat level, an organization must have “court provable” security if it hopes to prevail in any litigation involving the loss of information. The first step is to document that the company did an aggressive risk assessment of its systems in view of the threat to its industry. Federal programs — DIB, PCII and information from sector specific agencies of the government — can help with this determination. The president’s February 12 order will help free this information for use by private industry. Second, a company must make information security a board-level function such that adequate funding is made available to meet the company’s cyber threats. Third, a company must evaluate all emerging technologies, including cloud computing, from both an economic viewpoint and from the perspective of how it will impact its cyber vulnerability and common law liability. Fourth, a company should evaluate its entire threat exposure and consider the protection of a well-tailored cyber insurance policy.
When a company gets sued as a result of a breach of its internal security, it goes a long way with a court if the company is able to cite its adherence to nationally recognized security policies, such as the NIST standards called for by the executive order, and its implementation of programs that effectively use those policies.