Cybersecurity is a hot topic. But what are the White House and Congress doing to ensure protection of the nation’s critical information assets? And how do executive and legislative actions affect companies that store vast amounts of intellectual property (IP) and private information on their system networks and on the internet? Dykema has been actively involved in contributing to and analyzing the new standards and laws. Here are some recent developments:
As ordered by the Cybersecurity Executive Order signed by President Obama in February 2013, the National Institute of Standards and Technology, in partnership with industry stakeholders (including Dykema), is developing a “best practices” cybersecurity preparedness and response plan (known as the “Framework”), due to be rolled out in 2014. The Framework will be offered to companies, particularly those in critical infrastructure industries—energy, telecom, finance, automotive and manufacturing, health, and Fortune 500—as a model to implement for protection against cyber-attacks. Companies will be able to use the Framework if they do not already have a plan, or to perform a gap analysis to evaluate and improve an existing plan. Attorneys will be able to use the Framework to help clients perform cyber due diligence, ensuring they meet their existing and future cyber legal obligations, such as state and federal disclosures, non-disclosures, and notice following IP or consumer data theft events. Companies will also be able to use the Framework to detail response assessment considerations, which they can use after a cyber-attack to determine when and whether the attack can or should be prosecuted either civilly or criminally. Finally, companies vying for an edge over competitors can look forward to being “cybersecurity-certified” if they implement the standards.
The Framework is voluntary, but proposed bills in Congress give incentives, such as liability protection, to companies that adopt it. The White House also recently released its proposed incentives, which include grants, cyber-breach assistance preference, and discounted cybersecurity insurance. The Framework and its incentives, along with the SEC’s recently issued cybersecurity risk and incident disclosure guidance, are the start of a cybersecurity compliance program.
Cybersecurity compliance is viewed as a necessary step to protect the nation’s economic security. It can also be a way for companies to improve their IP and information security, which can lead to better protected products and information, happier customers, and long-term business success.