Under Obama’s Feb. 12 order, the U.S. is to develop voluntary cybersecurity standards for critical industries and speed up government sharing of threat information with the private sector. Companies such as Dow Chemical Co., AT&T Inc., and Intel Corp. want lawmakers to give companies immunity from lawsuits on data exchanges with other firms and the government.
“Cybersecurity is largely a voluntary effort, and the task of the government is encouraging companies to participate,” said Gus Coldebella, a former top lawyer at the Department of Homeland Security and a partner in Washington at Goodwin Procter LLP. “If you don’t have liability protection, that task is infinitely harder.”
Companies are concerned about privacy lawsuits if they share information on customers; negligence lawsuits for failing to act on information they receive; and public disclosure of information they give the government through Freedom of Information Act requests, Coldebella said in an interview.
Companies that adopt the voluntary standards also want protection from lawsuits if they are subject to a catastrophic attack, he said.
West Virginia Democrat Jay Rockefeller, chairman of the Senate Commerce Committee, and Delaware Democrat Tom Carper, chairman of the Senate Homeland Security and Governmental Affairs Committee, have scheduled a joint hearing today on possible legislation to complement Obama’s executive order.
Obama said the executive order, issued after Congress failed to agree on cybersecurity legislation last year, is aimed at shoring up computer defenses for vital sectors such as the power grid, financial institutions and air traffic control systems. Administration officials say there are limits to what they can accomplish through the order and have encouraged Congress to act.
The administration supports “targeted” liability protections for companies that share cyber threat data and for those that follow voluntary security standards, White House Cybersecurity Coordinator Michael Daniel said at a Feb. 15 event at the Center for Strategic and International Studies in Washington.
White House spokeswoman Caitlin Hayden declined to elaborate in an e-mail on what such targeted protections would entail.
“There is absolutely a potential for liability protections to be too broad, creating a moral hazard and absolving companies of negligence,” she said.
The U.S. Chamber of Commerce, the Edison Electric Institute and 16 other business groups joined on Feb. 13, a day after Obama’s order, in a letter supporting U.S. House legislation giving liability protection to companies that provide information about computer threats.
“The bill provides the needed legal certainty that threat and vulnerability information voluntarily shared with the government would be provided safe harbor against the risk of frivolous lawsuits, would be exempt from public disclosure, and could not be used by officials to regulate other activities,” they said.
AT&T Chief Executive Officer Randall Stephenson, in a separate letter supporting the bill, called for “adding legal certainty to the sharing of critical cyber threat information.”
The House measure also includes an exemption from antitrust laws for companies that exchange cyber data with other businesses in the same industries, the groups said.
In the Senate, Rockefeller “has supported certain liability protections to promote more information sharing,” Kevin McAlister, a Commerce Committee spokesman, said in an e-mail. Regarding critical-infrastructure companies that follow cybersecurity standards, Rockefeller “thinks that granting broad liability protections is committing the American taxpayer to a potentially massive bailout for what should properly be a corporate responsibility,” McAlister said.
Senate Republicans and the Chamber of Commerce last year opposed an Obama-backed bill sponsored by Rockefeller and Carper to set up voluntary cyber standards, saying they would lead to burdensome regulation.
Obama, on the other hand, last year threatened to veto the House bill, which was reintroduced on Feb. 13 by House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, and the panel’s top Democrat, C.A. “Dutch” Ruppersberger, of Maryland. Obama said the measure didn’t go far enough to boost U.S. computer defenses or adequately protect the privacy of consumer data.
Rogers has said he’s talking with the White House about the legislation and expects it to pass the House in April.
The American Civil Liberties Union opposes the Rogers bill, saying it would allow companies to share sensitive consumer information with the government, including the National Security Agency and military agencies.
The ACLU yesterday called on the administration to renew its veto threat against the Rogers bill. The measure “would give unprecedented power to companies to give Americans’ private Internet and communication information to the government, without a warrant, if they believe it is relevant to cybersecurity,” the group said in a news release.