Main Menu

New Cybersecurity Law – Are You Prepared?

MSK Client Alert
January 11, 2016

On December 18, 2015, President Obama signed into law the Cybersecurity Act of 2015. Beginning at Division N, Public Law 114-113 deals with cyber threats and includes the framework for the means and methods by which the private sector may submit such information to the government and by which the government is intending to share comparable information with the private sector (and others). The actual processes will be put together by the Director of National Intelligence along with the Secretaries of Commerce, Defense, Energy, Homeland Security and Treasury, plus the Attorney General, a process which is to be completed and submitted to Congress no later than February 16, 2016, so we will know soon enough what will occur.

The antitrust protection of the new law is limited to disclosure of cyber threat indicators or information that is exchanged or assistance that is provided with “facilitating the prevention, investigation, or mitigation of a cybersecurity threat” for information stored, processed or passing through a system.

Information sharing is to extend beyond the private sector to also include non-federal government agencies or departments and state, tribal and local governments. The information sharing itself is supposed to extend to cybersecurity threats to prevent or mitigate adverse effects. The form of sharing is to be periodic, through publication and targeted outreach, of cybersecurity best practices developed based on on-going analyses of cyber threat indicators, defensive measures and so on. According to the new law, attention will be given to the accessibility and implementation challenges faced by small business concerns. In theory, the information sharing is to be in real time (but do not assume it will be instantaneous), but there are provisions which allow for delay in the sharing of the information, for example for national security reasons or to remove information that identifies an individual.

What this new law reminds all companies is to be prepared. There are key pre-breach and post-breach factors to consider in putting together your plan. We recommend the following:

Pre-Breach Issues/Measures

Post-Breach Crisis Management

Whether or not you sell products/services on your website, you need to be prepared. It makes no difference what industry you are in, whether you are regulated by any federal or state agencies, or whether your industry has been subjected to a guidance document from any regulatory agency or commercial organization, the reality is that every company is at threat to be hacked. If you have not already prepared your plan, now is the time to do so. If you have a plan, when was it last updated? When was the last time your team trained on it?

There are two primary sources of potential headaches – having your data in the cloud and having your provider hacked, or you yourself being hacked. Either way, it is a recipe for disaster if you have not figured out how you will respond before the crisis arises. Keep in mind, if the device can be connected to the Internet, it is susceptible to be hacked! 


Back to Page