Cybersecurity And The Law: What To Expect In 2012

Our economic activities, our social lives, and even our physical safety increasingly depend on computers and other devices linked together through the Internet. Protecting those systems and the information they contain has thus become a national imperative. As President Obama stated near the outset of his Administration, "America's economic prosperity in the 21st century will depend on cybersecurity."1

In the past decade, an increasingly sophisticated cybersecurity industry has grown up to help companies, individuals, and government agencies contend with the growing array of threats posed by cyber attackers and cyber thieves. A recent PricewaterhouseCoopers study puts spending on cybersecurity in the United States at $30 billion a year and growing at 10-15% per year.2

The legal system has been slower to respond. But both lawmakers and law enforcers—at the federal and state levels—have begun to hear the alarms, and this coming year may well see major developments in the legal regime governing cybersecurity.

Five Bottom Lines Up Front

Cybersecurity has grabbed the top spot on the federal government's national security agenda, both in the Executive Branch and on Capitol Hill. Not since the 9/11 terrorist attacks made combating Al Qaeda and its allies the number one national security goal has a single issue so galvanized leaders of both parties and in both Congress and the Administration.

Increased regulatory and enforcement initiatives. In 2011, the number of regulatory and enforcement initiatives designed to strengthen cyber defenses—prosecutions, inter-agency collaborations, public-private partnerships—has markedly ramped up. That trend is likely to accelerate in 2012, particularly in "critical infrastructure" sectors, such as energy, telecommunications, finance, defense, and Internet infrastructure.

Increased litigation. Many of the relevant existing statutes—such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA)—were written in the pre-Internet era, indeed even before personal computers and email had become pervasive in the workplace. All the more so is that true with respect to the common-law causes of action plaintiffs are relying on to pursue data security breach claims. Courts are thus still hashing out basic definitional issues about who can sue and for what. The coming year will likely see a number of these issues—such as who has standing to sue, what kinds of damages are cognizable, and what kinds of contractual arrangements give rise to implicit guarantees of data security protection—reach State supreme courts and the US Supreme Court.

More State legislation. State legislatures have become increasingly active, both in trying to promote cybersecurity efforts and in protecting privacy. Efforts of both kinds will impose new obligations on businesses. The more States do, the more there may be a push for uniform federal standards to avoid a regulatory patchwork that many companies may find difficult to adhere to.

New federal legislation. As a result of all these developments, new federal legislation is very likely. Both the President and Senate Majority Leader Harry Reid have announced that they consider cybersecurity a top legislative priority for the second session of the 112th Congress. Republicans in the House have created their own study group to generate legislative proposals. This is one of the few subjects about which Congress is likely to be able to muster enough bipartisan agreement to put significant new laws on the books. The areas most likely to be addressed in resulting legislation are: (i) new institutions and legal protections designed to encourage information-sharing about threats and responses, both among private-sector entities and between the private sector and the government, including the defense and intelligence communities; (ii) additional authorization for sector-specific public-private collaborations, like one already underway with defense contractors; (iii) greater centralization of and support for cybersecurity work within the federal government, including efforts aimed at protecting the government's own systems; and (iv) new cybersecurity requirements (or incentives) for businesses in critical infrastructure sectors, such as energy, telecommunications, finance, defense, and Internet infrastructure. It remains unclear how much change we are likely to see designed to remove legal obstacles or uncertainties concerning particular kinds of cybersecurity self-help.

1. Threats and Risks

As our commercial lives are ever more dependent on devices connected to the Internet, and the reach of the Internet becomes more pervasive, so do the vulnerabilities that cyber malefactors exploit. More than two billion people use the Internet, which contains nearly 300 million websites. The number of devices other than personal computers—including cell phones, BlackBerries, and tablets—linked into the Internet is growing exponentially and creating new openings for malicious cyber activities.3

Attack. The national security agencies of the Government have turned greater attention to preventing (and responding to) attacks by foreign adversaries, whether hostile nations or terrorist groups. May 2010 saw the creation of a distinct Cyber Command in the military, headed by a four-star general and dedicated both to protecting the military's computer systems and to carrying out a full spectrum of military activities in cyberspace. The Defense Department issued its basic Strategy for Operating in Cyberspace in 2011.4 These concerns have also led to an increased sense of urgency about protecting critical infrastructure, such as the power grid and the infrastructure of the Internet itself. We can expect further elaboration of these capabilities in 2012, and a push for greater use of them to help protect institutions in the private sector.

Theft of Intellectual Property. Cyber theft of intellectual property, particularly by individuals and organizations in China, Russia, and former Warsaw Pact countries, has skyrocketed into the billions of dollars in value. This has become a major focus of concern not only in the private sector but also in the national security and intelligence communities.5

Theft of Money. Cybercriminals are devising more...
