Cybersecurity law: What's at stake?

Techno-literate lawyers tell us what we need to know about pending cybersecurity legislation.
The events of Sept. 11, 2001, spawned an assortment of cybersecurity bills, the majority of which are either innocuous or only marginally beneficial, calling for increased federal funding for long-term, high-risk cybersecurity research; grants to fund cybersecurity research and education at universities; or antitrust liability exemptions for information sharing related to cybersecurity vulnerabilities and breaches. However, two of the bills warrant close scrutiny as they might affect enterprise network security.

The 'standards' bill

The first is the Cyber Security Research and Development Act, introduced by Sen. Ron Wyden (D-Ore.). An amended version directs the National Institute of Standards and Technology (NIST) to set benchmark cybersecurity standards for federal agencies. While the Wyden bill does not impose government-developed security standards on the private sector, industry members are concerned that NIST standards could hamstring innovation. Despite such concerns, the Senate Commerce Committee approved the Wyden bill on May 17, in effect guaranteeing that debate over the bill's amended provisions will intensify.

The 'best practices' bill

The second bill to watch is S. 1900, supported by Sen. John Edwards (D-N.C.). Known as the Cyberterrorism Preparedness Act of 2002, the bill authorizes NIST to establish a nonprofit, nongovernmental consortium of academic and private sector experts to promulgate cybersecurity "best practices." Although the bill calls for initial implementation of these best practices only in government systems, some supporters hope that the practices will serve as a model for private sector cybersecurity. In fact, the bill requires a study on how to achieve broad adoption of these best practices in the private sector and hints at the possibility of requiring companies that do business with the federal government to comply with these practices.
Some industry leaders are concerned that the federal "best practices" are designed to be used in litigation against large companies. For example, federal best practices could become the baseline against which the adequacy of a company's security practices would be measured in a class action suit in which plaintiffs seek to recover losses arising out of a security breach.
Nonetheless, Edwards' bill, which has cleared the Senate Commerce Committee, might be more appealing than the Wyden bill to those who believe the key to improved federal cybersecurity is not the development of technological standards, but the adoption of performance guidelines and best practices. While the industry should monitor these bills, legislative imposition of cybersecurity standards on the private sector does not appear imminent. That said, legislators and federal regulators easily could be spurred to action by a catastrophic cybersecurity-related event, such as a breach at a major online bank leading to significant losses, disclosure of sensitive information or identity theft. Accordingly, if the industry is to stave off burdensome federal cybersecurity regulation in the long run, it must not only monitor legislative efforts to prevent the de facto imposition of government cybersecurity standards on the private sector, but also consider industry self-regulatory initiatives.

Baker is a partner and Schneck an associate with Steptoe & Johnson in Washington, D.C.