CISA Releases Cyber Readiness Recommendations for Small Business
Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses. The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices. While not binding requirements, the recommendations may inform what CISA and U.S. regulators view as “reasonable” cybersecurity practices.
White House Releases Presidential Policy Directive on U.S. Cyber Incident Response
The White House has released a Presidential Policy Directive on United States Cyber Incident Coordination (PPD-41). PPD-41 is part of President Obama’s broader Cybersecurity National Action Plan, which was unveiled this past February.
SAFETY First: Using the SAFETY Act to Bolster Cybersecurity
By Ray Biagini and Scott Freling
We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan. Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital. The potential consequences are devastating: death, injury, mass property destruction, environmental damage, and major utility service and business disruption. Now what if there were a mechanism that would incentivize industry to create and deploy robust and ever-evolving cybersecurity programs and protocols in defense of our nation’s critical infrastructure?
In late 2014, Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, proposed legislation that would surgically amend the SAFETY Act, which currently offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism. Rep. McCaul’s amendment would broaden this protection to cybersecurity technologies in the event of “qualifying cyber incidents.” The proposed legislation defines a “qualifying cyber incident” as an unlawful access that causes a “material level[] of damage, disruption, or casualties severely affecting the [U.S.] population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.” Put simply, under the proposed legislation, a cyber incident could trigger SAFETY Act protection without being deemed an act of terrorism.