President Barack Obama on Feb. 19 signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” and issued Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience,” which placed new emphasis on combating attacks on the nation’s corporate and industrial sectors.
The executive order and the directive outline a three-phased approach to cybersecurity: information sharing, privacy protection and enhanced, voluntary cybersecurity practices. While legislation will most likely be forthcoming to put additional “meat on the bones,” the directive provides insight into the administration’s viewpoint on the issue.
Both before and after it was issued, federal agencies put forth myriad agency-specific, and sometimes contract-specific, sets of standards and requirements to govern cybersecurity, including breach notification, audit access, screening of employees and penalties. Moreover, existing federal law in certain areas — such as financial institutions and energy — already has established robust network security requirements.
Making sense of these various contract, regulatory and policy requirements is a daunting task. If there is one takeaway from this exercise it is that companies, especially those designated as “critical infrastructure” under the executive order, must develop and/or refine their cyber-incident response plans.
Developing these plans requires an active buy-in from the company’s senior management and full cooperation of information-technology and security departments.
Plans commonly fail to address both internal and external cyberthreats. All plans should provide employees with best practices for maintaining a secure environment. For example, passwords should be changed regularly. Plans should not only focus on preventing an attack, but also should assume that a breach has occurred, and develop protocols that help isolate and insulate a company’s most treasured assets from intruders that have already bypassed exterior protections.
To meet this requirement, knowing and fully understanding the company’s most important intellectual property and data — its “crown jewels” — is imperative.
In addition to U.S. cybersecurity standards, multinational corporations also face the challenge of compliance with the rules of different countries, along with the privacy requirements of those jurisdictions. Efforts have been made — especially by the European Union — at bringing greater uniformity to the various cybersecurity regimes.
Indeed, in February, the EU drafted yet-to-be-adopted rules to avoid disparate cybersecurity standards that would be more vulnerable to attack. Thus, plans that incorporate Executive Order 21 requirements should also be mindful of governing international standards that may be applicable.
Plan development must also address corporate responses to a breach, including notification of governmental authorities and the public. In certain areas, regulations govern some data breaches. In some instances, the company must determine the appropriate and ethical way to disclose discovery of compromised data.
Special considerations arise when the discovered breach compromises personally identifiable information of the company’s own personnel, as occurred in a widely publicized case involving a company in the Tri-Care Program.
Companies that do not engage professional counsel to incorporate into their plan a standard of care for maintaining and protecting such sensitive data, including written policies and procedures for obtaining and maintaining that data, leave themselves vulnerable to liability and worse.
Employees also should be provided clear instructions on what personally identifiable information will be collected and the choices afforded to employees on the data that will be collected.
Protection of both company and personnel data becomes even more important when firms use cloud or other off-site storage capabilities.
Care must be taken to ensure that protection is applied to data sent to the cloud: how it is packaged, how it is transmitted and precisely how the cloud vendor intends to safeguard the company’s sensitive data. Some but not all of these protections are governed by federal and/or regulatory agencies, such as the Securities and Exchange Commission and the National Institute of Standards and Technology.
In short, response plans should be comprehensive, should address operational, logistic and legal concerns and should ensure utmost protection to all employee and client privacy interests. Indeed, section 5 of the executive order explicitly mandates consideration of privacy and civil liberties in developing voluntary cybersecurity standards.
Companies clearly must balance meeting regulatory and contractual standards with protecting the privacy interests of their employees, and this requires them to carefully determine the personally identifiable information that should — and, conversely, should not — be collected and maintained.
Also critical is for all employees to know what is being collected and maintained. Purging corporate files once the personally identifiable information is no longer needed is equally important.
Once the plan is established, the company should conduct training to make sure that all employees understand their responsibilities. Practice implementing the plan is also essential. A “fire drill” of a cyber-event will show the company where the plan works, where it is vulnerable and where changes are needed. In the event of a cyber-intrusion, interaction with law enforcement may be required, so the plan should clearly specify lines of responsibility and authority for such interactions.
Cyber-attacks are becoming the “new normal” for enterprises. The presidential pronouncements highlight the seriousness of cyberthreats. Companies need to develop response plans to train their employees, develop secure networks, police outside vendors, protect employee privacy and develop a clear line of responsibility for notification of governmental authorities and the public.
Jacob Pankowski is a shareholder in Greenberg Traurig LLP’s government contracts practice group and Debra McGuire Mercer is a counsel in the firm’s telecommunications practice group. The views expressed are solely those of the authors.