Our economic activities, our social lives, and even our physical safety increasingly depend on computers and other devices linked together through the Internet. Protecting those systems and the information they contain has thus become a national imperative. As President Obama stated near the outset of his Administration, "America's economic prosperity in the 21st century will depend on cybersecurity."1
In the past decade, an increasingly sophisticated cybersecurity industry has grown up to help companies, individuals, and government agencies contend with the growing array of threats posed by cyber attackers and cyber thieves. A recent PricewaterhouseCoopers study puts spending on cybersecurity in the United States at $30 billion a year and growing at 10-15% per year.2
The legal system has been slower to respond. But both lawmakers and law enforcers—at the federal and state levels—have begun to hear the alarms, and this coming year may well see major developments in the legal regime governing cybersecurity.
Five Bottom Lines Up Front
- Cybersecurity has grabbed the top spot on the federal government's national security agenda, both in the Executive Branch and on Capitol Hill. Not since the 9/11 terrorist attacks made combating Al Qaeda and its allies the number one national security goal has a single issue so galvanized leaders of both parties and in both Congress and the Administration.
- Increased regulatory and enforcement initiatives. In 2011, the number of regulatory and enforcement initiatives designed to strengthen cyber defenses—prosecutions, inter-agency collaborations, public-private partnerships—has markedly ramped up. That trend is likely to accelerate in 2012, particularly in "critical infrastructure" sectors, such as energy, telecommunications, finance, defense, and Internet infrastructure.
- Increased litigation. Many of the relevant existing statutes—such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA)—were written in the pre-Internet era, indeed even before personal computers and email had become pervasive in the workplace. That is all the more true of the common-law causes of action plaintiffs are relying on to pursue data security breach claims. Courts are thus still hashing out basic definitional issues about who can sue and for what. The coming year will likely see a number of these issues—such as who has standing to sue, what kinds of damages are cognizable, and what kinds of contractual arrangements give rise to implicit guarantees of data security protection—reach State supreme courts and the US Supreme Court.
- More State legislation. State legislatures have become increasingly active, both in trying to promote cybersecurity efforts and in protecting privacy. Efforts of both kinds will impose new obligations on businesses. The more States do, the more there may be a push for uniform federal standards to avoid a regulatory patchwork that many companies may find difficult to adhere to.
- New federal legislation. As a result of all these developments, new federal legislation is very likely. Both the President and Senate Majority Leader Harry Reid have announced that they consider cybersecurity a top legislative priority for the second session of the 112th Congress. Republicans in the House have created their own study group to generate legislative proposals. This is one of the few subjects about which Congress is likely to be able to muster enough bipartisan agreement to put significant new laws on the books. The areas most likely to be addressed in resulting legislation are: (i) new institutions and legal protections designed to encourage information-sharing about threats and responses, both among private-sector entities and between the private sector and the government, including the defense and intelligence communities; (ii) additional authorization for sector-specific public-private collaborations, like one already underway with defense contractors; (iii) greater centralization of and support for cybersecurity work within the federal government, including efforts aimed at protecting the government's own systems; and (iv) new cybersecurity requirements (or incentives) for businesses in critical infrastructure sectors, such as energy, telecommunications, finance, defense, and Internet infrastructure. It remains unclear how much change we are likely to see designed to remove legal obstacles or uncertainties concerning particular kinds of cybersecurity self-help.
1. Threats and Risks
As our commercial lives are ever more dependent on devices connected to the Internet, and the reach of the Internet becomes more pervasive, so do the vulnerabilities that cyber malefactors exploit. More than two billion people use the Internet, which contains nearly 300 million websites. The number of devices other than personal computers—including cell phones, BlackBerries, and tablets—linked into the Internet is growing exponentially and creating new openings for malicious cyber activities.3
Attack. The national security agencies of the Government have turned greater attention to preventing (and responding to) attacks by foreign adversaries, whether hostile nations or terrorist groups. May 2010 saw the creation of a distinct Cyber Command in the military, headed by a four-star general and dedicated both to protecting the military's computer systems and to carrying out a full spectrum of military activities in cyberspace. The Defense Department issued its basic Strategy for Operating in Cyberspace in 2011.4 These concerns have also led to an increased sense of urgency about protecting critical infrastructure, such as the power grid and the infrastructure of the Internet itself. We can expect further elaboration of these capabilities in 2012, and a push for greater use of them to help protect institutions in the private sector.
Theft of Intellectual Property. Cyber theft of intellectual property, particularly by individuals and organizations in China, Russia, and former Warsaw Pact countries, has skyrocketed into the billions of dollars in value. This has become a major focus of concern not only in the private sector but also in the national security and intelligence communities.5
Theft of Money. Cybercriminals are devising more sophisticated ways of manipulating computer users to gain illicit profit. In November 2011, the FBI and the US Attorney's Office for the Southern District of New York announced the indictment of seven individuals connected to an Estonian company called Rove Digital that had legitimate operations but was also accused of developing a botnet computer worm that had infected more than four million computers around the world (and more than 100 servers in the US). The botnet is alleged to have enabled Rove Digital to reap millions of dollars in illicit revenue by having users unknowingly diverted from legitimate advertisements to fake sites.6 The struggle between cyber criminals and cyber cops can be expected to intensify in 2012, with some prospect of increasing international cooperation on the law enforcement side catching up a little on the already substantial international collaboration by organized crime.
Disclosure of Personally Identifiable Information. Banks and payment service companies have been frequent targets because of their possession of individuals' financial information. But no sector has been immune. As many financial institutions have hardened their defenses, cybercriminals have increasingly set their sights on other sectors, including retail, hospitality, entertainment, health care, education, and social media. In April 2011, for example, Sony acknowledged that a breach of its PlayStation network had led to the disclosure of more than 100 million users' names and other personal information. Breaches may result not only from cyber intrusions, but also from inadequate physical security, resulting in stolen or lost computers or backup tapes.
Insurance. The increasing frequency and severity of data security breaches are leading to increased interest in insurance products designed to help companies cope with attendant remedial and litigation costs. Whether there will be a "boom" in cybersecurity insurance remains to be seen, but there will certainly be further developments in 2012.7
2. Federal Regulatory and Enforcement Initiatives
The federal government has ramped up its cybersecurity enforcement and regulatory efforts, and these efforts are likely to expand further in 2012. Some recent highlights and likely areas for expansion include:
SEC Guidance. On October 13, 2011, the Securities and Exchange Commission's Division of Corporation Finance issued guidance on disclosure obligations relating to cybersecurity risks and cyber incidents. The guidance notes several types of negative consequences public companies may confront in the wake of a cyber incident, including remediation costs, costs of increased cybersecurity protection measures, lost revenues, litigation costs, and reputational damage. In light of the damage a cyber incident can cause and existing obligations to disclose information that a "reasonable investor would consider important to an investment decision," companies may be required to provide information that allows investors to understand the nature of a company's cybersecurity risks.8
Defense Industrial Base (DIB) Pilot Program. Announced in June 2011, this voluntary trial enables DIB companies or their ISPs to get access to information, including classified information, about cyber threats and responses from the government. Advocates for the program expressly see it as a model that may be expanded to other industrial sectors.9
Cybercrime Prosecutions. In 2008, the government formally designated the National Cyber Investigative Joint Task Force (NCIJTF), an interagency group headed by the FBI, to respond to cyber threats inside the US.10 In conjunction with a greatly expanded corps of cybercrime prosecutors—up to 270 at Main Justice and US Attorneys' Offices around the country—this has led to a considerable rise in cybercrime prosecutions, a trend that should continue in 2012.
Sector-Specific Initiatives. Many other federal efforts targeting particular economic sectors are being rolled out, and more will be forthcoming in 2012. Two representative examples include: (i) Electric grid: in 2010, the National Institute of Standards and Technology (NIST) issued a report on cybersecurity strategy and requirements for the electric grid; in 2011, the Federal Energy Regulatory Commission (FERC) began, but put on hold, an effort to issue a rule on interoperability standards for the grid; in September 2011, the Department of Energy (DOE) issued a Roadmap to Achieve Energy Delivery Systems Cybersecurity; and on January 5, 2012, the White House and DOE announced an Electric Sector Cybersecurity Risk Maturity Pilot, a public-private collaboration to develop a model to help identify how secure the electric grid is from cyber threats and to test that model with participating utilities;11 (ii) Health care: in November 2011, the Office of Civil Rights at the Department of Health and Human Services announced it was beginning a pilot program of security and privacy audits of 150 entities covered by the privacy and security rules under the Health Care Portability and Accountability Act.12
3. Litigation and Developments in the Courts
As data security breaches have become more common and more significant, litigation about them has proliferated as well. Many of the common-law and statutory causes of action being relied upon were developed for other circumstances, so parties and courts are struggling to fit them to the novel situation of data security breaches. We will provide a more detailed report on the data security litigation landscape in the next few weeks, but here are brief descriptions of a few of the leading issues that are likely to see further focus in 2012:
- Who has standing to sue?
Does disclosure of personal information itself, and the attendant heightened risk of identity theft, constitute sufficient injury to give a plaintiff standing to get into court? Or does there have to be some more concrete economic harm? There is an emerging split among the federal courts of appeals on this issue. Compare Reilly v. Ceridian Corp., 2010 WL 6144191 (3rd Cir. Dec. 12, 2011) (disclosure, possibility of identity theft not enough), and Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (disclosure, possibility of identity theft may suffice); Pisciotta v. Old National Bancorp. (7th Cir. 2007) (same); see also Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (disclosure suffices for standing, but not to ground constitutional right-to-privacy claim). Two cases pending at the Supreme Court may also have implications for resolution of this question. The issue presented in FAA v. Cooper, No. 10-1024, argued Nov. 30, 2011, is whether mental and emotional distress from disclosure of personal medical information constitutes "actual damages" under the federal Privacy Act, 5 U.S.C. § 552a, but the question of whether such distress constitutes injury for purposes of standing was discussed at oral argument and the Court's opinion could touch on the issue. In First American Financial Corp. v. Edwards, No. 10-708, argued Nov. 28, 2011, the Court will address whether violation of a statutory right by itself may suffice to support a plaintiff's standing.
- What suffices to create an implied contractual guarantee of security?
When a customer or affected third party does not have a contractual agreement with the company suffering the breach, when can they nonetheless sue based on a purported implied contractual guarantee that the company would have adequate cybersecurity protections in place? Many of these claims turn on the particular State's contract-law doctrines, but a leading case in the First Circuit interpreting Maine law found such an implied contract, reasoning that when "a customer uses a credit card in a commercial transaction, she intends to provide that data to the merchant only. Ordinarily, a customer does not expect—and certainly does not intend—the merchant to allow unauthorized third-parties to access that data." Anderson v. Hannaford Bros. Co., 659 F.3d 151, 158-59 (1st Cir. 2011); see also In re Michaels Stores PIN Pad Litigation, 2011 WL 5878373, at *10 (N.D. Ill. Nov. 23, 2011) (following Hannaford).
- May failure to provide adequate security suffice to violate consumer protection statutes?
Again, the answer will turn on the particulars of individual States' consumer protection laws. But at least some courts are letting such claims proceed. See, e.g., In re Michaels Stores, at *5 (permitting claim to proceed under Illinois Consumer Fraud and Deceptive Business Practices Act) (citing In re TJX Cos. Retail Sec. Breach Litigation, 564 F.3d 489 (1st Cir. 2009) (Massachusetts law)); see also In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, 2011 WL 6012598, at *22-*33 (dismissing claims under several States' consumer protection statutes).
- What constitutes cognizable damage?
Even if a plaintiff has standing to sue, her claims may nonetheless fail because the claims themselves may require as an element a type of damage that the plaintiff's injury does not meet. This issue is arising in a number of contexts, including state common-law claims, see, e.g., Anderson, 659 F.3d at (negligence and implied contract; mitigation costs); Krottner, 406 Fed. Appx. 129 (Dec. 14, 2010) (negligence); Pisciotta, 499 F.3d at 634-39 (negligence); state statutory claims, see, e.g., In re Michaels Stores, at *5-*6 (under Illinois Consumer Fraud and Deceptive Business Practices Act, disclosure not enough, but unreimbursed monetary losses from hacked accounts suffice); the federal Computer Fraud and Abuse Act, see, e.g., United States v. Janosko, 642 F.3d 40 (1st Cir. 2011) ("loss" may include credit monitoring costs); Farmers Insurance Exchange v. Auto Club Group, 2011 WL 4888889 (N.D. Ill. Oct. 13, 2011) (reviewing cases on "damage" and "loss" under CFAA and finding response costs constitute "loss"); and the federal Privacy Act, where a variant on this issue has reached the Supreme Court, see FAA v. Cooper, No. 10-1024, argued Nov. 30, 2011 (whether mental and emotional distress from disclosure of personal medical information constitutes "actual damages").
- Under the Computer Fraud and Abuse Act, what constitutes use in excess of authorization?
The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, began as a criminal statute designed principally to protect federal computers from hacking. But it includes a private right of action, and it has been amended to cover virtually any computer connected to the Internet. As a result, it—and the growing number of State statutory analogues—are increasingly being used in data breach cases, especially ones involving former employees accused of making improper use of their access to a company's databases.
A closely watched case on this issue is United States v. Nosal, argued before the en banc Ninth Circuit on December 15, 2011. Nosal was accused of conspiring with employees of his former company to steal client information for use in a new business. While the former employees who are alleged to have funneled the information to Nosal were authorized to have access to it, the company's computer use agreement did not authorize them to use it for this purpose. A district judge threw out the count, but a Ninth Circuit panel reversed, holding that "an employee 'exceeds authorized access' under §1030(a)(4) when he or she violates the employer's computer access restrictions—including use restrictions." 642 F.3d 781, 784 (9th Cir. 2011). The en banc court's decision, expected in the spring or summer, may go to the Supreme Court.13
4. Developments in the States
In the past decade, State legislatures have become increasingly active in regulating data security, often with an eye to improving privacy protections for individuals and protecting government data of various kinds. Beginning with California in 2003, 46 States and the District of Columbia now have breach notification laws. California just strengthened its law, and others may follow suit in 2012 with respect to both reporting obligations and enforcement authorities. At least 10 states (AR, CA, CT, MD, MA, NV, OR, RI, TX, UT) have data security laws that generally require "reasonable security," or its equivalent, for covered information, with some variances in the scope of coverage and specificity. More States may well join that group in 2012.
Many States have wiretap or surveillance statutes that need to be scrutinized carefully before undertaking many cybersecurity efforts. An increasing number of States have their own equivalent of the federal Computer Fraud and Abuse Act, and at least two States (CT and DE) require employers in many circumstances to provide notice to employees before engaging in monitoring of email communications or Internet access. Continued State legislative activity in all these areas is likely in 2012, and may help strengthen calls for uniform federal standards.
5. Federal Legislative Proposals
Both the President and congressional leaders have identified enhanced cybersecurity as a top legislative priority for 2012. While cybersecurity bills have been considered in each of the last several sessions of Congress, none has gotten very far. We expect 2012 to be different.
Here are some highlights of the unfolding legislative developments:
In May 2011, President Obama set out a 10-point legislative proposal that collected elements of many earlier bills, including a federal data breach notification requirement; new requirements for companies in "critical infrastructure" sectors, such as energy, telecommunications, and finance; opportunities for greater information-sharing, within the private sector and between the private sector and the federal government about cyber threats; and enhanced authority for the Department of Homeland Security to protect federal systems and assist the private sector.14
In October 2011, a House Republican Cybersecurity Task Force issued a report and set of recommendations. Those included incentives to encourage businesses to improve their cybersecurity precautions, requirements for owners and operators of critical infrastructure, establishment of a non-governmental clearinghouse for information-sharing about cyber threats and responses, and creation of a litigation safe harbor for cybersecurity information-sharing activities.15 That same month, at the Administration's initiative, officials from a number of national security agencies gave a series of classified briefings on the Hill designed to press for prompt action on cybersecurity legislation.
In November 2011, Senate Majority Leader Harry Reid sent an unusual letter to Minority Leader Mitch McConnell declaring publicly that "[g]iven the magnitude of the threat and the gaps in the government's ability to respond, we cannot afford to delay action on this critical legislation. For that reason, it is my intent to bring comprehensive cybersecurity legislation to the Senate floor for consideration for the first Senate work period next year."16 The same day, a number of the leading Republican Senators on the relevant committees sent a letter to President Obama expressing their commitment to move forward on cybersecurity legislation, but cautioning that they favored focusing first on spurring better information-sharing about threats, strengthening protection of the government's own systems, and stiffening penalties for cybercrimes.17 Senators Reid and McConnell have set up a bipartisan cybersecurity working group in an effort to bring together the leaders of the several committees with jurisdiction and avoid the jurisdictional squabbling that has hindered earlier legislative efforts.
The bill that moved forward with the seemingly greatest odds of success near the end of the last session of Congress was one approved by the House Permanent Select Committee on Intelligence on December 1, 2011 by a bipartisan vote of 17-1. Here is a summary:
- H.R. 3523, Cyber Intelligence Sharing and Protection Act
- Would give companies access to data from the National Security Agency and other intelligence agencies to help protect their networks.
- Would immunize companies using such data and cybersecurity providers who assist them from liability for good faith using or sharing of such information in aid of cybersecurity efforts.
- Would authorize expedited and temporary security clearances.
- Includes an express preemption of contrary State laws.18
The House Homeland Security Committee considered its own bill at a hearing on December 6, 2011. Introduced shortly thereafter, the bill would provide:
- H.R. 3674, Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act
- Would give the Department of Homeland Security (DHS) the lead role in protecting federal and critical infrastructure systems.
- Would create a non-profit National Information Sharing Organization, with a majority-private board, to serve as a national clearinghouse for information on cyber threats and defenses.
- Would direct DHS and NIST to develop sector-specific security standards.19
With the start of the new congressional session, it is unclear whether either of these bills, or some composite, will move forward to the House floor. Even if one does, it is not at all clear whether the Senate will wait for a House bill to come over. More likely, the Senate will move ahead on a bill or set of bills of its own.
The bill that has previously received the greatest attention in the Senate comes from the Homeland Security and Government Affairs Committee. Approved by the Committee in 2010, it never reached the floor. A revised version received a hearing in May 2011:
- S. 413, Internet Freedom Act
- Would create an Office of Cyberspace Policy in the Executive Office of the President.
- Would require owners of "covered critical infrastructure" to report network breaches to the National Center for Cybersecurity and Communications (NCCC) within DHS.
- Would authorize NCCC to establish regulations for "risk-based security performance requirements to secure covered critical infrastructure against cyber risks through the adoption of security measures that satisfy the security performance requirements identified by the Director."
- Would authorize the President to declare a national cyber emergency.
- Upon a declaration, the NCCC would direct owners of affected critical infrastructure to implement response plans.
- For the duration of the emergency, owners would be required to comply with emergency measures developed by the NCCC.
- Would limit liability for owners' actions taken to implement measures resulting from a declaration of emergency.20
A collection of draft bills is currently circulating among Senators and their staffs. They include proposals addressing the areas that seem most likely to gain substantial support in the Senate.21 Those are:
- New institutions to promote information-sharing about cyber threats and responses, both between the private sector and the federal government, particularly intelligence and law enforcement agencies, and among private companies, along with liability protections for these activities;
- Additional authorization for sector-specific public-private collaborations, like one already underway with defense contractors;
- Strengthened and centralized authorities for protecting federal information systems; and
- Establishment of federal requirements (or incentives) for cybersecurity plans by businesses in critical infrastructure sectors.
1 Remarks by the President on Securing Our Nation's Cyber Infrastructure, available at: www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure.
2 PricewaterhouseCoopers, Cyber Security M &A: Decoding Deals in the Global Cyber Security Industry (Nov. 2011).
3 Cisco estimates that the number of networked IT devices will more than double in the next five years, from roughly 12 to 25 billion. See Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace (Oct. 2011).
4 The full document can be found at: www.defense.gov/news/d20110714cyber.pdf.
5 See Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace (Oct. 2011); see also ch. 4 of U.S.-China Economic and Security Review Commission, 2009 Report to Congress (Nov. 2009), available at: www.uscc.gov/annual_report/2009/annual_report_full_09.pdf.
6 The indictment can be found at: www.justice.gov/usao/nys/vladimirtsastsin/rovedigitalindictment.pdf.
7 N. Perlroth, Insurance Against Cyber Attacks Expected to Boom, New York Times (Dec. 23, 2011), available at www.bits.blogs.nytimes.com/2011/12/23/insurance-against-cyber-attacks-expected-to-boom/?hp.
8 For a fuller discussion, see our earlier client alert: www.wilmerhale.com/publications/whPubsDetail.aspx?publication=9960.
9 The Defense Department's announcement of the program can be found at: www.defense.gov/news/newsarticle.aspx?id=64349. For a recent report on an initial evaluation of the program, see Ellen Nakashima, Cyber Defense Effort Is Mixed, Study Finds, Washington Post (Jan. 12, 2012), available at: www.washingtonpost.com/world/national-security/cyber-defense-effort-is-mixed-study-finds/2012/01/11/gIQAAu0YtP_story.html.
10 A description of the Task Force and ways to work with it can be found at: www.fbi.gov/about-us/investigate/cyber/ncijtf.
11 The August 2010 NIST report can be found at: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf. The September 2011 DOE Roadmap can be found here: http://energy.gov/oe/downloads/roadmap-achieve-energy-delivery-systems-cybersecurity-2011. The FERC effort can be followed at 74 Fed. Reg. 4102 (Jan. 24, 2011) and 2011 WL 2860092 (July 19, 2011). Descriptions of the Electric Sector Cybersecurity Risk Maturity Pilot can be found here: http://www.whitehouse.gov/blog/2012/01/09/protecting-nation-s-electric-grid-cyber-threats?utm_source=related, and here: www.energy.gov/articles/department-energy-launches-initiative-industry-better-protect-nation-s-electric-grid-cyber.
12 A fuller description of the audit program can be found at: www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.
13 For a fuller discussion, see our earlier alert: www.wilmerhale.com/publications/whPubsDetail.aspx?publication=9972.
14 The full proposal can be found at: www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal.
15 The Task Force Report can be found at: www.thornberry.house.gov/-/media/files/CSTF_Final_Recommendations.pdf.
16 The full letter can be found at: www.dataprivacymonitor.com/letter.pdf.
17 The letter can be found at: www.op.bna.com/der.nsf/id/rtar-8ntvg2/$File/GOP%20cyber%20letter.pdf.
18 The text of the bill can be found at: http://www.gpo.gov/fdsys/pkg/BILLS-112hr3523ih/pdf/BILLS-112hr3523ih.pdf; for related materials, see also www.intelligence.house.gov/bill/cyber-intelligence-sharing-and-protection-act-2011.
19 The text of the bill can be found at: www.homeland.house.gov/bill/hr-3674-promoting-and-enhancing-cybersecurity-and-information-sharing-effectiveness-act-2011.
20 The text of the bill can be found at: www.gpo.gov/fdsys/pkg/BILLS-112s413is/pdf/BILLS-112s413is.pdf.
21 Copies of the discussion drafts are not readily available online. If you would like copies, please email Jonathan Cedarbaum at [email protected].