During his address, the President recognized growing cybersecurity concerns, noting that “America must also face the rapidly growing threat from cyber-attacks” and called on Congress to pass legislation to protect the nation’s critical infrastructure from cyber-attacks, recognizing that the Executive Order can only direct federal agencies to act.

The EO includes four components to address cyber risks for critical infrastructure:

1.     Information Sharing. Designing a process for government agencies to share real time classified and unclassified cyber threat information with targeted critical infrastructure entities.

2.     Risk Assessment. Identifying the critical infrastructure entities currently facing the greatest cyber risks and attacks on which would create a severe impact on national security, economic security or public health and safety.

3.     Cybersecurity Framework. NIST (National Institute of Standards and Technology) will develop a “Cybersecurity Framework” to collect cybersecurity best practices and standards of conduct in one place and issue a preliminary framework within 240 days.

4.     Voluntary Incentive Program. DHS will design a program to encourage the critical infrastructure community to voluntarily adopt the Cybersecurity Framework through the use of a benefits and incentives program.

Getting right down to business, NIST released a Request for Information (RFI) on February 26 seeking information to help “identify, refine, and guide the many interrelated considerations, challenges, and efforts needed to develop the framework.”

While the EO provides guidance on the Administration’s cybersecurity policy, it can’t take the place of legislation to address industry concerns, such as liability protection, regulatory-use protections, and avenues for private-to-private and private-to-government information sharing. The EO has renewed the debate on Capitol Hill over comprehensive cybersecurity legislation. The  “Cyber Intelligence Sharing and Protection Act,” or “CISPA” has been reintroduced in the House and the Senate Commerce and Homeland Security Committee announced they will hold a joint hearing on March 7 to discuss implementation of the EO and potential legislation.

One thing is clear, 2013 is shaping up to be a big year for cybersecurity developments and legislation.

As contemplated by the White House framework, the U.S. Department of Commerce National Telecommunications and Information Administration (“NTIA”) has requested comments on enforceable codes of conduct and the multistakeholder process. NTIA seeks comment on the following issues in particular:

• Transparency of privacy notices for mobile apps;

• Online services directed to kids and teens; and

• The use of technologies like browser cookies, local shared objects, and browser cache to collect personal information. 

These issues have also been a focus of lawmakers, the FTC, and the states. 

The Administration urges Congress to pass legislation that applies the Consumer Privacy Bill of Rights to sectors not subject to existing privacy laws, and calls for a national security breach notification standard. Even in the absence of comprehensive legislation, these developments demonstrate that the U.S. privacy legal landscape continues to rapidly evolve.

• Sen. Jay Rockefeller, who introduced a “Do Not Track” bill earlier this year, plans to hold a hearing on Facebook’s use of cookies following a USA TODAY report.  Rockefeller sent letters to Visa and MasterCard last month about their information collection practices. 
• Reps. Ed Markey and Joe Barton, who introduced a “Do Not Track Kids Act” earlier this year, have also made inquiries to Facebook about its information collection practices. 
• The FTC is reportedly close to reaching a settlement with Facebook over allegedly deceptive privacy practices.
• Earlier this month, the FTC entered into a consent agreement with the online advertiser ScanScout regarding claims that consumers could opt-out of targeted ads by changing their browser settings to remove or block cookies, when in fact it that was not possible with flash cookies. 
• Several private lawsuits were brought in 2010 and 2011 relating to the use of tracking technologies on websites, which alleged violations of various federal and state laws.

It may be some time before a comprehensive federal privacy law is adopted, but we can expect that the FTC will continue to exercise its authority over unfair and deceptive practices and plaintiffs will continue to pursue privacy-related lawsuits.  With this evolving landscape, it is important for a company’s review of its privacy policies and information collection practices to encompass not only personal information, but also information that has historically been deemed “non personal” in nature (e.g., pages viewed, referring websites, and the like). 

Privacy notices should not only accurately reflect current practices regarding the collection, use, sharing, and security of personal information, but also cover possible future transactions, such as a dissolution, merger, or sale of assets or the sharing of personal information with service providers. 

In an e-mail sent to Borders customers and a notice on the Barnes & Noble website, customers were advised that they can opt-out of having their contact information (which includes names, addresses, and e-mail addresses) and purchasing history shared with Barnes & Noble.  This came about because Borders reportedly had at least three different privacy policies since 2006 that limited how personal information collected from customers could be shared; earlier policies stated that Borders would not share information without express consent, and a later policy indicated that information could be transferred if Borders was sold, merged, or reorganized, but the company would seek appropriate protections in such cases.  The FTC questioned whether the later policy covered dissolution and the sale of assets in bankruptcy, and the later policy only applied to information collected after the date it was adopted, so customers’ consent to the transfer was required.

Recent privacy enforcement actions by the FTC and lawsuits have focused on companies’ deceptive or unfair practices in failing to adhere to their stated privacy policies, applying a material change in a privacy policy to personal information collected under a prior policy without an affected individual’s consent, and failing to adequately secure personal information.  In light of this, it is important to ensure that privacy policies accurately describe the company’s current practices and are comprehensive enough to cover possible future transactions involving personal information.  In addition, personal information collected from consumers should always be appropriately secured from unauthorized acquisition or use.  

Sony estimates its costs from the attacks- which exposed personal information for more than 100 million individuals and resulted in more than 50 class action lawsuits, potential actions by state attorneys general, and other claims- to be $170 million by the end of fiscal year 2011.  The class action suits against Sony allege damages due to unauthorized access to personal information and Sony’s delay in notifying consumers.  Sony’s commercial general liability policy covers bodily injury, property damage, and certain personal and advertising injury offenses.

The increase in cyber attacks, data breaches, and lawsuits (in particular class action suits) from aggrieved parties makes cyber insurance an attractive option, but there are many factors to consider.  In addition, the uncertainty associated with general liability insurance and cyber attacks underscores that insurance cannot and should not be relied upon in lieu of internal privacy and data security programs, training, and risk assessments to mitigate the impact of cyber incidents.       

An article on this issue prepared by Keller and Heckman LLP attorneys is available on our website.

While the nature of the business and type and sensitivity of the information that is collected and shared with service providers will dictate the specific requirements to be imposed, it is important to contractually require providers to implement and maintain appropriate administrative, physical, and technical safeguards, share information regarding their security practices with the company, and notify the company of any incidents that do or could affect the security of personal information.  It is also important to review the provider’s privacy and data security programs, policies, training materials, and data breach response procedures.  Further, access to and use of sensitive information should be limited to individuals with a need for the information to perform the services. 

Compliance with the various federal and state laws and industry standards (such as the Payment Card Industry Data Security Standards) is another key consideration.  The global privacy landscape is quite different from the U.S. legal framework, so companies must also be mindful of international laws as they outsource activities to other jurisdictions.

In short, privacy and data security should be considered at every step as companies expand their activities and outsource functions to third parties.

While a company's practices will vary depending on the type of information that is collected and the nature and scope of a breach, below are some steps companies can take before a breach occurs and after they experience a breach to help facilitate a timely response and mitigate the impact:

Before a Breach Occurs:

• Take stock of the information that you collect, store, and share.
• Assess the security measures in place and identify risks.
• Create company awareness.
• Review service providers’ policies, practices, and contracts.
• Understand the applicable laws.
• Adopt a written data breach response plan.
• Determine available remedies in the event of a breach.
• Identify law enforcement and agency contacts.

After a Breach Occurs:

• Act promptly!
• Investigate the nature and scope of the breach.
• Identify the type of information accessed or acquired.
• Determine which laws are triggered.
• Assess who must or should be notified, when, and how.
• Decide what remedies will be offered.
• Document responsive actions taken.
• Anticipate regulatory investigations and/or litigation after a major breach.

Given the variety of ways that personal information is collected, stored, used, and shared, the prevalence of data breaches, and an increase in agency enforcement and litigation relating to companies’ privacy and data security practices, it is critical to have a plan in place before a breach occurs, then conduct a thorough investigation and promptly respond if and when you experience a breach. 

Recent breaches illustrate the ways that personal information can be compromised.  In April:

• Sony  experienced an unauthorized network intrusion that compromised account information for the PlayStation® Network and Qriocity™ service, including names, addresses, email addresses, birth dates, passwords, and logins for more than 70 million consumers;
• One week later, Sony announced that hackers may also have stolen information for approximately 24.6 million Sony Online Entertainment customer accounts, as well as information from a database with 12,700 non-U.S. credit or debit card numbers and 10,700 direct debit records of customers in Europe;
• The email marketing provider Epsilon (whose clients include major supermarket chains, hotel chains, banks, and retail stores) announced that a hacker obtained customer names and email addresses from the company’s system (but not more sensitive information, such as credit card numbers and social security numbers);
• The Texas Comptroller’s office inadvertently disclosed personal information of about 3.5 million residents (including names, addresses, social security numbers, dates of birth, and driver’s license numbers) on a server that was accessible to the public; and
• A New York Yankees employee sent an email to season ticket holders that mistakenly attached a spreadsheet with names, addresses, phone numbers, fax numbers, email addresses, and Yankees account numbers for approximately 20,000 ticket holders.

We are still experiencing the aftermath of the Sony and Epsilon breaches.  Just days after Sony reported the breach, the company was named in a class action lawsuit, and Rep. Bobby Rush announced  his intent to reintroduce data security legislation.  Senator Richard Blumenthal requested an investigation  of the Epsilon breach, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade sent letters to both Sony and Epsilon inquiring about the breaches, and the Subcommittee Chair, Rep. Mary Bono Mack, stated  that she plans to introduce legislation. 

Given the possibility of lawsuits, government action, and not to mention negative publicity following a major data breach, all companies that handle personal information and/or entrust it to other parties should carefully assess their policies, practices, and procedures before an incident occurs and get ready for new laws down the road.