"Cybersecurity Update: Key US and EU Regulatory Developments"

by Skadden, Arps, Slate, Meagher & Flom LLP

In recent months, federal and state governments have taken an increasingly active role in reviewing cybersecurity issues within the private sector. There has been a flurry of activity as different government bodies discuss new review processes and information-sharing guidelines, and the promulgation of new regulatory requirements. We foresee the following three key developments:

  • An expansion of disclosure obligations with respect to cybersecurity incidents;
  • A potential increase in regulatory compliance obligations for network security practices, especially in heavily regulated industries; and
  • Increased involvement by agencies and law enforcement officials in network security incidents, requiring companies to manage a diverse set of requests for information.

Executive Branch

In February, President Obama issued an executive order on cybersecurity1 outlining various steps for agencies to take. This included a requirement that the National Institute of Standards and Technology (NIST) commence work on a Cybersecurity Framework (Framework) for operators of critical infrastructure, such as the energy and telecommunications sectors. Weeks later, NIST published a request for information (RFI) on critical infrastructure cybersecurity practices and released its initial analysis of the responses it received in May.2 An annotated preliminary version of the Framework is expected in July, and an official draft of the Framework will be released for public comment in October.

The Department of Homeland Security (DHS) is concurrently developing a set of incentives to encourage voluntary adoption of the Framework by the private sector. In addition, various sector-specific agencies will be assessing the current network security practices of the entities they regulate. If these agencies have the appropriate regulatory authority and determine that the entities they regulate are critical but lack adequate protection, they will take steps to foster better network security, which might include increased regulation.

Significantly, “critical infrastructure” remains undefined, and therefore the extent to which the NIST Framework applies to specific industries is unclear. For example, NIST has requested that respondents focus on a few key critical infrastructure sectors, such as telecommunications, energy and financial services, while DHS, in its response to the NIST RFI, referenced “16 critical infrastructure sectors,”3 reflecting the DHS view that critical infrastructure needs to be defined broadly.

On a separate track, the General Services Administration, along with the Department of Defense and DHS, has started reviewing network security auditing in government procurement processes, as also was required under the Cybersecurity Executive Order.4 Companies can expect that the government will use its procurement processes as an indirect means to improve vendors’ security practices. Congress is slowly endorsing this approach. For example, in March, it required a few select government agencies to make an “assessment of any associated risk of cyber-espionage or sabotage” before acquiring new information technology systems.5

Additional sector-specific standards are developing outside the NIST Framework as regulatory agencies begin to address network security:

  • In May, the new SEC chairman issued a letter indicating her intent to have staff review whether “further action” on cybersecurity disclosures is required in SEC filings.6
  • In April, NIST released a revised version of SP 800-53,7 its official standards for federal government cybersecurity controls and an unofficial security reference for the private sector.
  • Also in April, the Federal Energy Regulatory Commission issued a proposed rule codifying the latest version of the energy sector Critical Infrastructure Protection standards.

Cybersecurity Legislation Hits a Potential Roadblock

In April, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA),8 a bill reintroduced with small changes from the previous session of Congress. CISPA would allow the government to share certain classified intelligence related to cybersecurity threats with private sector entities. In addition, it would allow private sector entities to share with federal agencies or other private sector entities information about threats to their own network security. As this information sharing might otherwise breach other laws, including federal privacy and antitrust laws, CISPA clarifies that such sharing is permitted “[n]otwithstanding any other provision of law.”

Passage of CISPA suggested a potential for compromise between the White House and House Republicans on the passage of information-sharing cybersecurity legislation without the need to enact new regulatory authorities. In a demonstration of Democratic support, this latest version of CISPA received nearly 50 more Democratic House votes than its predecessor. In addition, the White House indicated a willingness to pursue private sector cybersecurity standards through existing powers and the Cybersecurity Executive Order, backing away from its prior position that cybersecurity legislation must include new regulatory authorities.9 While threatening to veto the current version of CISPA, the White House signaled that it might accept a version with additional protections for civil liberties and narrowed limitations on liability for the sharing of information.

However, recent leaks regarding government surveillance programs that collect telecommunications information about private citizens may have clouded the prospects for CISPA and similar legislation, such as the FBI’s reported proposal to require Internet communications services to build wiretap-ready products or face fines.10 Such legislation is now likely to face harsher scrutiny. In addition, the Senate has indicated that it will again address information sharing as part of a broader package of cybersecurity reforms, including additional reforms to federal agency information security requirements and codification of the regulatory efforts undertaken as part of the Cybersecurity Executive Order.

State Governments

Historically, given the lack of omnibus federal legislation, state governments have taken the lead in data security. Therefore, it is not surprising they are taking an active role in network security as well. Both New York and California have launched task forces to advise state agencies on statewide cybersecurity practices.11 In May, the New York Department of Financial Services issued a request for information from insurance companies as part of a review of network security practices in the insurance industry.12 We expect state governments to continue to expand efforts to address cybersecurity.

European Union

In February, the European Commission published its proposed directive on network and information security.13 The proposed directive takes a more prescriptive approach to the issue by asking EU governments to establish national reporting authorities with the power to regulate network security in the technology services, energy, financial services, transportation and health care industries. These authorities would have the power to require entities to establish risk management measures and to review private sector risk management policies. They also would serve as central clearinghouses for the reporting of information security breaches and would be empowered to audit and issue binding instructions to regulated entities. Members of the European Parliament and member states have received the proposed directive with skepticism, asking whether a more voluntary and flexible approach might better suit the disparate needs of European governments. The proposed directive continues to be debated before the European Council, and its path forward remains unclear.

What Companies Should Consider

The foregoing is just a brief overview of recent developments in cybersecurity. Companies should monitor ongoing developments, and participate in forums that allow companies to provide their input on how cybersecurity regulation should be shaped. This is especially true in critical infrastructure sectors such as energy, financial services and defense contracting, where the chances of regulation being enacted are greatest. Finally, companies should routinely review their internal data and network security practices — and ensure that their executives understand the cybersecurity risk profiles.


1 The White House — Office of the Press Secretary, Executive Order: Improving Critical Infrastructure Cybersecurity, Feb. 12, 2013 (Cybersecurity Executive Order); see also Antoinette C. Bush, Stuart D. Levi, Ivan A. Schlager, John M. Beahn and Joshua F. Gruenspecht, “President Issues Cybersecurity Executive Order,” Skadden Privacy & Cybersecurity Update, Feb. 13, 2013.

2 See Initial Analysis of Cybersecurity Framework RFI Responses, NIST, at http://csrc.nist.gov/cyberframework/nist-initial-analysis-of-rfi-responses.pdf (May 15, 2013); see also Developing a Framework to Improve Critical Infrastructure Cybersecurity, Notice and Request for Information, 78 Fed. Reg. 13024 (Feb. 28, 2013).

3 See White Paper: DHS Response to the NIST Cybersecurity Framework Request for Information here (May 28, 2013).

4 Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition, Request for Information, 78 Fed. Reg. 27966 (May 13, 2013).

5 Consolidated and Further Continuing Appropriations Act of 2013, Pub. L. No. 113-6, Div. B § 516 (2013).

6 See Christopher Matthews, “White Asks SEC Staff for Cyber Disclosure Briefing,” The Wall Street Journal, May 13, 2013.

7 See National Institute of Standards and Technology, NIST Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations (2013).

8 H.R. 624 (2013).

9 See Ellen Nakashima, “White House Backs Off Mandatory Cybersecurity Standards for Companies,” Washington Post, April 26, 2013.

10 Charlie Savage, “U.S. Weighs Wide Overhaul of Wiretap Laws,” New York Times, May 7, 2013.

11 See Colin Wood, California Launches Cybersecurity Task Force, Emergency Management, May 20, 2013; “New York Regulator Asks Insurers About Readiness for Cyber Threats,” Insurance Journal, May 29, 2013.

12 See “New York Regulator Asks Insurers About Readiness for Cyber Threats,” Insurance Journal, May 29, 2013.

13 See Pierre Servan-Schreiber, Stuart D. Levi, Shari L. Piré and Joshua F. Gruenspecht, “Flaming Worms, Stuxnets and Other Cyber Threats — The European Union’s Response,” Skadden Privacy & Cybersecurity Update, April 8, 2013.

Download PDF

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising

Written by:

Skadden, Arps, Slate, Meagher & Flom LLP

Skadden, Arps, Slate, Meagher & Flom LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.