Originally published February 17, 2012
Keywords: Cybersecurity Act, Department of Homeland Security, DHS, infrastructure, DHS regulations
The Cybersecurity Act of 2012 (the Act) was introduced on February 14, 2012, by Senators Joe Lieberman, Susan Collins, and Dianne Feinstein. The bill was the subject of a hearing on February 16th before the Senate Homeland Security and Governmental Affairs Committee.
The following is a summary of key elements of Title I of the Act, relating to critical infrastructure protection provisions. It may be of interest to owners and operators of such infrastructure who would be required to institute and certify cybersecurity measures in accordance with DHS regulations, and who may also be required to submit to government or third-party assessments.
"Covered" Critical Infrastructure
The Act would direct the Department of Homeland Security (DHS), working with other agencies and the private sector, to conduct sector-by-sector risk assessments of cybersecurity threats to critical infrastructure (as defined by the USA PATRIOT Act, 42 U.S.C. 5195c(e)). The Secretary of Homeland Security (Secretary) must then determine which critical infrastructure will be covered by the Act. As the Act is currently drafted, a critical infrastructure system or asset may be deemed "covered" only if damage or unauthorized access to the infrastructure could lead to:
- The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
- Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
- Severe degradation of national security capabilities.
An owner of infrastructure designated as critical may appeal the Secretary's designation by petitioning the US District Court for the District of Columbia.
Covered Critical Infrastructure Subject to Risk-Based Cybersecurity Performance Requirements and Security Measures
Under the Act, the Secretary will develop risk-based cybersecurity performance requirements. Owners of covered critical infrastructure will be required to remediate or mitigate the identified cyber risks and their associated consequences.
Additionally, within one year of enactment, the Secretary must promulgate regulations to enhance security against cyber risks. These regulations shall establish procedures for regularly informing covered infrastructure owners of cyber risk assessments, security threats, and performance requirements appropriate to the owner's business sector. The regulations will also create procedures for owners to select and implement those cybersecurity measures that they determine are best suited to (i) satisfy the new performance requirements, (ii) develop continuity of operations and incident response plans, and (iii) report significant cyber incidents affecting critical infrastructure.
Owners will be obliged to annually certify their compliance with the performance requirements, or to submit to third-party assessments, unless an owner demonstrates (through a process to be developed by DHS) that the covered infrastructure is sufficiently secured, or that compliance with the Secretary's performance requirements would not substantially improve the security of the infrastructure. Owners that fail to comply with the certification or assessment, or that fail to remediate violations, will be subject to civil penalties to be set forth by rule.
Of final note, the Secretary will have to establish procedures by which DHS, in consultation with relevant agencies, may perform cybersecurity assessments of selected covered critical infrastructure. Such assessments may be based on the cyber risks affecting the information infrastructure of the specific network, reliable intelligence indicating a risk to the infrastructure, actual knowledge or reasonable suspicion that an owner is not in compliance with the performance requirements, or other risk-based factors that the Secretary may identify in the regulation. Owners will be entitled to a copy of any federal assessment.
Sectors Subject to Existing Regulation
The Act includes exemptions for sectors already adequately regulated under existing law. If covered critical infrastructure is currently subject to risk regulations, the Secretary may only promulgate new performance requirements if the Secretary determines that the existing regulations are inadequate. In addition, the President may exempt critical infrastructure from the new Title I requirements if the President determines that a sector-specific agency has sufficient requirements and enforcement mechanisms in place to effectively mitigate cyber risk.
Information Technology Products
The Act prohibits the Secretary from designating a commercial information technology product, including hardware or software, as "covered" under the Act. It also prohibits the Secretary from designating any information technology product or service as covered based solely on a finding that the product or service is being used in covered critical infrastructure.
The Act further provides that the "performance requirements" do not authorize any federal entity to regulate commercial information technology products or their design, development, or manufacture. Moreover, the performance standards may not require the use or non-use of any commercial information technology products in covered critical infrastructure.
Trade Secret Protection
The bill includes measures aimed at protecting privileged or confidential trade secrets or commercial or financial transactions, provided they are appropriately identified by the owner or operator. Such information shall be treated as voluntarily shared critical infrastructure information under section 214 of the Homeland Security Act (6 U.S.C. 133), notwithstanding that the owner or operator may not meet that section's standards for a "voluntary" submission. Moreover, the Secretary will be required to develop guidelines for sharing that information as necessary among governmental and nongovernmental entities.
The Act protects the identity of individuals who report security threats, risks, and incidents affecting critical infrastructure to the Secretary.
Punitive Damages Safe Harbor
The Act provides a degree of civil liability protection to those subject to its provisions. An owner or operator that satisfies the performance requirements, successfully completes the annual certification and third-party assessments, and is in substantial compliance with the performance requirements at the time of an incident relating to cyber risk will be shielded from punitive damages in any civil action relating to the incident (unless additional or intervening acts or omissions by the owner or operator cause additional damages, which would then be subject to potential punitive liability).
State Law Preempted
The Act would supersede state law that expressly requires comparable cybersecurity practices to protect covered critical infrastructure.
© Copyright 2012. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.