UNITED STATES – Cybersecurity is now headline news across the globe, with data breaches hitting nearly every industry—from retail, to healthcare, to banking. Amid growing concerns about U.S. interests, President Obama has waded into the cybersecurity waters with a recent Executive Order. This Order moves the needle in the right direction, but does it do anything to ease the rising tide of class action litigation? The short answer is “no.”
The President’s Order and accompanying comments emphasize the need for cooperation among the public and private sectors, calling greater collaboration the answer to achieving the “shared mission” of meeting growing cyber threats. The Order relies on both government and industry to meet this goal.
First, it instructs federal agencies to produce unclassified reports of potential threats to affected private sector companies in a timely manner. Second, it encourages an open dialogue with and among the private sector through the development of industry-specific Information Sharing and Analysis Organizations (“ISAOs”) to allow companies to more easily share cyber threat information. While no funding is provided to establish these ISAOs, they will be supported by a Department of Homeland Security-funded non-profit established to help develop a common set of standards the ISAOs can adopt. The Order even streamlines the mechanisms to share classified threat information with these to-be-established ISAOs.
While a step in the right direction, the President’s Order is far from a panacea for the private sector. While the contemplated information sharing should help companies protect against future cyber attacks, it provides no help once a breach has occurred. The Order is silent on this major component of the problem.
Most importantly, the Order does not have the force of long-awaited federal legislation that would provide a single standard for notification of and liability for data breaches. In fact, the Order says nothing about a company’s obligation to notify its customers, and is silent on any limitation of liability. Moreover, some commentators have recognized that the enhanced information sharing might even place companies at greater risk of class action litigation by affected consumers because of the potential that additional information could raise the bar for a company’s reasonable protective efforts to prevent breaches.
As a result, companies must continue to adhere to the patchwork of federal and state data privacy legislation when responding to a breach. Because data privacy and cyber security will remain hot topics, the legislative landscape should be continually monitored at all levels of government. Finally, in-house legal teams should carefully weigh the benefits of participating in threat information sharing against any potential risks of increased liability for the inevitable breaches that even this additional information cannot prevent. Stay tuned to this blog for future updates on this and other cyber security issues as they relate to class and collective action litigation.