By David Fagan and Josephine Liu

The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity.  The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework.  As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress.  Senate Majority Leader Harry Reid and six Senate committee chairs requested last July that President Obama provide input on cybersecurity legislative reforms; today’s proposal responds to that request. 

While the legislative proposals are extensive – the complete section-by-section analysis is, on its own, more than 20 pages – the following provisions are likely to be of particular interest for businesses operating in this space:

  • National data breach notification.  The proposals would seek to create, for the first time, a unified federal standard for notification to customers in the event of a security breach.  Specifically, business entities would be required to notify customers following the discovery of a security breach involving sensitive personally identifiable information, and also to notify law enforcement and national security authorities under certain circumstances.  These provisions would preempt the 47 existing state data breach notification laws, and would be enforced by the FTC and state attorneys general. 
  • Development of critical infrastructure cybersecurity plans.  DHS would work with industry, through a rulemaking process, to identify core critical infrastructure operators and specific risks.  An entity would not be designated as a critical infrastructure operator unless (1) disruption of the entity’s operations would have a debilitating effect on national security, national economic security, or national public health or safety; and (2) the entity depends on information infrastructure to operate.  Operators designated under this process would be responsible for developing cybersecurity risk mitigation plans, which would be assessed by third-party auditors.  DHS would be authorized to enter into discussions or take other action if operators’ plans are insufficient. 
  • Voluntary sharing of cybersecurity threat information.  The proposal would authorize private entities to share cybersecurity threat information with DHS, and would provide them with immunity for doing so.  DHS would be tasked with developing policies and procedures to minimize the impact on privacy and civil liberties and to prevent misuse of the shared information. 

The White House’s proposed framework also increases the penalties for computer crimes; prohibits states from requiring that private data centers be located in that state as a condition of doing business; updates the Federal Information Security Management Act; authorizes DHS to provide voluntary assistance to industry and state government to mitigate cyber incidents; formalizes DHS’s role in overseeing intrusion prevention across the executive branch’s civilian computers; gives DHS greater flexibility in hiring cybersecurity professionals; and reactivates an “expert exchange” program between the government and private companies to share best practices. 

The proposal drew initial positive reactions from principal drivers of cybersecurity legislation in the Senate – Senator Lieberman (I-CT), Senator Collins (R-ME), Senator Carper (D-DE), Senator Rockefeller (D-WV), and Senator Snowe (R-ME) – and from certain trade associations, although observers have noted that much work remains to be done if legislation is to be enacted this year. 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Fagan David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.