What The Cybersecurity Executive Order Means For The Rest Of Us

by Gray Reed & McGraw

If you are the CEO of Google, Facebook, Verizon, Comcast, Exxon or Boeing, don’t read this.  You have a team of lawyers working for you who have already spent hours analyzing President Obama’s Cybersecurity executive order and the numerous articles about it.  If you own a one-location cupcake shop, auto repair facility or truly a “mom and pop” business, you can go back to looking at Harlem Shake videos online.   This post is for the rest of us.

Even if you are not in defense, are not a major international conglomerate, or think no foreign entities, hacktivists or cyber-terrorists are coming after your company, you may need to take steps now to respond to the executive order.

The Basics

The focus of the order is on “critical infrastructure,” which largely means energy, health care, transportation, financial services, heavy manufacturing, food and drugs.  If you are wondering whether you are “critical infrastructure,” you probably aren’t.  In fact, the Secretary of Homeland Security is tagged with identifying “critical infrastructure at the greatest risk.”  Those identified will be confidentially notified of the designation and encouraged to adopt the cybersecurity framework.  But you probably work with someone who is considered “critical.”

If you contract in any way with the government, or even contract with those who contract with the federal government, you should probably pay attention.  If you work with those likely to be identified as “critical infrastructure,” you should pay attention.  Right now, many of the directives are voluntary, but it is likely preferences will be given to contractors who tighten their cybersecurity.  You can expect cybersecurity to become part of the RFP process, so you need to be ready.

Have a data breach plan in place.  If you store any individual’s personally identifiable information, including credit cards, or other sensitive information, you should already have a plan in place that complies with many state laws so you can report any breaches to the appropriate authorities.  Now, you should have a plan in place in case you lose trade secrets or get hacked for other reasons.  This plan should include the technological response to mitigate the harm and reporting requirements to the appropriate agencies.  

The Government is promoting more transparency and a private-public partnership to address these national security concerns.  If you do business with any federal agencies, or companies that do, start asking them what they think is appropriate for your situation.  If you are in a heavily regulated industry or would be considered “critical infrastructure,” your requirements are likely to be dictated by the National Institute of Standards and Technology (NIST) or your specific industry regulators.

Think about your vendors and contractors.  We have already written a two-part series about some state laws requiring you and your contractors to have Written Information Security Plans or WISPs.  Now, think about whether you are doing business with or for anyone who may be considered “critical infrastructure.”  Here’s looking at you, internet marketing and web development firms.  You need to be prepared to provide notices and information about data breaches.  What are you prepared to disclose?  How much will you have to disclose without compromising too much personal privacy?  You need to make sure you and your contractors have plans in place.

Go Hack Yourself.  Yes, I mean this literally.  Your plan should include some type of periodic risk audits.  Have someone try to hack into your system so you know and can address your vulnerabilities.  Although not required at this point, it may become law before year’s end.  If your IT guy can get through, imagine the full weight of a foreign power or legions of hacktivists coming after you.  Think about whether your business partners are also up to snuff and do periodic testing.

But wait, there’s more . . .

Just when you thought that was enough, if you are doing business in Europe, you might want to check out the EU’s Cybersecurity Directives.

Finally, Homeland Security may not be the only one interested in your cybersecurity.  The SEC requires disclosures of your cyber-risks and protections.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Gray Reed & McGraw | Attorney Advertising
