An Employer’s Guide to the President’s Cybersecurity Recommendations

President Obama has released key provisions of his new cybersecurity plan (which he will discuss during his State of the Union address).   As discussion about this plan unfolds, employers should be aware of several important elements.  Please note: a number of commentators have taken a political position on this subject. I am not. 

According to the White House, these proposals are designed to:

• Enhance cyber-threat information sharing within the private sector and between the private sector and the Federal Government;
• Protect individuals by requiring businesses to notify consumers if personal information is compromised; and
• Strengthen and clarify law enforcement’s ability to investigate and prosecute cyber crimes.

I will look at why each matters to employers.

CFAA Amendments

As is well known, some employers have sought to use the civil claims section of Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(g), against former employees who steal ESI or damage a computer system.

This proposed amendment to CFAA would

• Enable the CFAA to reach any person who intentionally accesses a protected computer without authorization and who obtains information from that computer.

• Create separate liability for an individual who intentionally exceeds authorized access to a protected computer and who obtains a material amount of information from that computer. For this materiality provision, the value of the information obtained must exceed $5,000.  This is a new requirement and is different from other provisions related to materiality, which provide simply for a loss in general in excess of $5,000.

In essence, according to the White House, the amendments would ensure “that insignificant conduct does not fall within the scope of the statute,” and that it clarifies that CFAA should reach “insiders who abuse their ability to access information to use it for their own purposes.”

Finally, the proposal would

• Amend the definition of the “exceeds authorized access” of CFAA to include accessing a computer with authorization and then using such access to obtain or alter information in such computer for a purpose that the accesser knows is not authorized by the computer owner.

Critically for employers, this latter amendment CFAA would resolve a circuit split (with a “yes”) on the question of whether violating a written restriction – including an employer’s written policy — falls under the ambit of the CFAA.   See Orin Kerr, “Obama’s proposed changes to the computer hacking statute: A deep dive,” The Volokh Conspiracy.  

Cyber-Threat Information Sharing

This proposed statute will create a mechanism for sharing cyber threat information, notwithstanding any privacy laws to the contrary.  The stated purpose of the statute is

[t]o codify mechanisms for enabling cybersecurity information sharing between private and government entities, as well as among private entities, to better protect information systems and more effectively respond to cybersecurity incidents.

According to the White House

…the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) which will then share it (in as close to real-time as practicable) with relevant federal agencies and with private sector-developed and -operated Information Sharing and Analysis Organizations (ISAOs).

Key among the provisions is that this new information sharing structure will come with liability protection for companies who share cyber threat information under the legislation.

Breach Notification

This proposed statute would create a new breach notification framework and charge the Federal Trade Commission with regulating and enforcing that notification.   While directed at consumers, as I’ve written many times before, employers are also concerned with breach notification.  They key here is that this statute nearly completely preempts state breach laws (with very few exceptions) bringing much more uniformity and certainty to the process. (Typically, notification would occur within a month).

Interestingly, the proposals allow the United States Secret Service or Federal Bureau of Investigation to declare that there is a law enforcement-based or national security reason to exempt a disclosure form notice (many states permit state authorities to make the determination that an investigation would be hampered by disclosure).  Furthermore, this is a signal of the growing role of the FTC in the employee-employer relationship (especially in the FCRA context).

Summary

The key idea behind these proposals is preemption and thus national uniformity.  Whether these proposals survive the legislative process, the likelihood is that federal law will ultimately be made in this area — and the patchwork of state privacy and breach laws will not survive in any meaningful way.