eDiscovery

President Obama Announces Sweeping Cyber Legislation Primarily Aimed at Policing a Virtual Environment Built on Privately Owned Infrastructure

Securing cyberspace is a daunting task. The national security component of that dynamic cannot be overlooked either.

By Matthew S. Adams  
on

Ed note: This post originally appeared on Fox Rothschild’s The E-Discovery Stage.

Securing cyberspace is a daunting task. I have frequently pointed out on this blog, in a variety of contexts, including here in connection with my discussion of the Sony Pictures cyber terrorism event, that a sizeable percentage of the technology infrastructure in the United States is privately owned, presenting unique legal challenges both in terms of data collection for use in private civil litigation and in criminal prosecutions. The national security component of that dynamic cannot be overlooked either.

In an apparent response to a growing number of high profile cyber events, including the most recent, the apparent infiltration of the United States Central Command (“Centcom”) Twitter page by sympathizers of the terrorist group ISIS, detailed here, President Obama has announced a sweeping legislative plan that appears to be primarily focused on coalesing the unique public and private interests at play in the technology sector around the goal of eradicating the current wave of nefarious activity in cyberspace. For its part, the White House does not appear to hide the fact that its announcement is timed to coincide with recent high profile hackings. A statement issued by the White House Press Secretary no more than 24 hours after news of the Centcom Twitter breach surfaced on this blog and elsewhere read, in part: “Today, at a time when public and private networks are facing an unprecedented threat from rogue hackers as well as organized crime and even state actors, the President is unveiling the next steps in his plan to defend the nation’s systems.” The entire White House statement can be found here.

The hallmark of the new legislative initiative is providing “targeted liability protection for companies that share information” with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (“NCCIC”). Just what that means, and whether an actual new body of law will ultimately come out of a polarized Congress that is already at odds with a President entering the last two years of his final term in office, remains to be seen. However, the focal point of the proposed legislative package, liability protection for companies that engage in information sharing with the government, is worth a deeper dive.

Even before our steady dose of weekly high profile hackings, data privacy was at the forefront of the public debate. Numerous reported retail data breaches have dominated the headlines over the past couple of years, and what duties businesses have to their customers to keep private data secure became a hot button topic at water coolers and in the corridors of government alike. For good reason, because of the potential for liability by the corporate victim of the data security event, the business community has been fearful of a knee jerk legislative reaction that would further penalize it in response to the influx of cyber crime that has quickly and steadily stepped into the spotlight. In the eyes of the business community, that would be tantamount to blaming the victim.

The President’s proposal appears to represent an appreciation for the private sector business community’s legitimate interest in protecting itself from costly liability for data breaches orchestrated by a new breed of modern criminals, and an acknowledgement that the solution to the problem simply cannot come from the government alone, given that, among other compelling reasons, the computer networks subject to near constant attack are by and large privately owned and operated. Granted, according to what the White House has released of its plan, liability protection for information sharing by the private sector will have certain prerequisities built into it, like a requirement that reporting companies adhere to strict privacy guidelines, as well as oversight of the program by civil liberties watchdog groups, the public/ private partnership sought through the proposal is apparent and striking. From what has been revealed of the President’s plan, he appears to have avoided taking the punitive approach (in an already regulation heavy environment) of further penalizing the corporate victims of these attacks, and has instead sought to reach the source of the problem through enabling the nation’s intelligence and law enforcement communities with critical details and investigative leads that might very well never have reached them if there was no benefit in disclosing such details to the company suffering the breach.

Other components of the proposed reforms touted by the White House in its announcement include:

Sponsored

1. Mechanisms reportedly aimed at modernizing law enforcement tools to combat cyber crime, such as: (a) further criminalizing certain computer offenses like the sale of botnets, spy ware, and trafficking in stolen identifying information; (b) amendments to the federal RICO statute which would clearly bring cyber crime within the reach of the statute; (c) modifications to the Computer Fraud and Abuse Act needed to account for the advent of new technologies; and

2. Consolidating the present “patchwork of 46 state laws (plus the District of Columbia and several territories)” on the subject of data breach reporting into one consolidated federal statute.
This announcement by the White House is just another in a series of recent examples of how prominent a role e-discovery related issues are now playing in our daily lives. The White House has called a Summit on Cybersecurity and Consumer Protection, which will be held on February 13, 2015 at Stanford University. It is aimed at further melding the viewpoints of the public and private sectors into workable legislative action for protecting a virtual environment that is built on the infrastructure of private enterprises. Furthermore, the President’s latest cyber initiative is expected to be mentioned during the State of the Union address on January 20, 2015, according to reporting on the subject by New York Times White House Correspondent Julie Hirschfeld Davis found here.

It is an interesting time to be practicing in this area of the law, and the climate is rapidly changing for businesses with sensitive, highly regulated ESI stored within their digital networks. These issues involve a specialized understanding of applicable law, an appreciation for the technology at issue, and a level of adaptability for an evolving regulatory climate driven by widely publicized events. To further appreciate the impact of this or any other proposed or current body of cyber law on your business, or to respond to a cyber event or claims otherwise related to a cyber event, do not hesitate to give me a call.

Fox Rothschild’s The E-Discovery Stage is part of the LexBlog Network (LXBN). LXBN is the world’s largest network of professional blogs. With more than 8,000 authors, LXBN is the only media source featuring the latest lawyer-generated commentary on news and issues from around the globe.”

Sponsored

Topics

, ,