Cybersecurity Bill Defeat Won’t Turn Down Regulatory Heat

November 15, 2012 – In The News

Many industry attorneys believe that despite the U.S. Senate’s recent rejection of the cybersecurity bill, the issues surrounding the legislation will not disappear any time soon. President Obama is expected to establish a new regulatory regime through an executive order, which will set corporate cybersecurity standards and push businesses to share information with the federal government.

This legislation was rejected by the U.S. Senate on November 13 in a 51-47 vote, falling short of the 60-vote requirement needed to push the bill forward. A previous Senate vote of 52-46 on August 2 blocked the first effort to advance the bill. The recent ruling has led Senate Majority Leader Harry Reid, D-Nev., to declare that the bill is “dead for this Congress.”

However, industry attorneys expressed skepticism that the legislation would truly end, predicting that either Congress will try one more time during the lame-duck session to reach a consensus or that President Obama will issue an executive order directing federal agencies to secure the nation’s critical infrastructure against mounting cyberthreats by working with the private sector.

“For now, the short-term impact is that companies won't have to live with government imposed regulations in terms of what their cybersecurity standards should be,” Fox Rothschild LLP partner Scott Vernick told Law360. “But companies are fooling themselves if they think that this issue is just going to go away.”

An executive order would not be able to mandate new safeguards that companies would need to put into place, but it could establish a strengthened regulatory regime by using the existing powers of various federal agencies.

The potential executive order would not only dictate security standards but also adopt the act’s proposal to give the government permission to develop a mechanism for sharing information with the private sector. Critics argue that this suggestion is weakened by the executive order’s inability to shield companies from liability regarding security breaches and an absence of privacy protections around the shared information.

“There is no doubt that information-sharing does pose some threats to privacy, but balancing that against the national security threat would come out in favor of a mechanism that allows companies to share information so that both sides can be prepared when a cyberattack happens,” Vernick said. “The threat to the nation’s infrastructure from a cyberattack is larger than either the public or private sector can handle on [its] own, but the private sector won’t talk to the government unless it has some immunity from liability.”