Privacy Update: Rockefeller Cybersecurity Letter

Skadden, Arps, Slate, Meagher & Flom LLP

Stuart D. Levi Ivan A. Schlager

On September 19, 2012, John D. (Jay) Rockefeller IV, chairman of the United States Senate Committee on Commerce, Science and Transportation, sent a letter to the CEOs of the Fortune 500 companies, urging the recipients to consider their role and responsibility in reforming cybersecurity laws and to collaborate with the federal government on drafting and enacting cybersecurity legislation. He also posed a series of targeted questions to each company regarding the company’s views on cybersecurity, requesting that the responses to these questions be returned by October 19, 2012.

Rockefeller has been heavily involved in the cause of cybersecurity, most notably in the introduction of legislation including the Cybersecurity Act of 2010 (S. 773) and the Cybersecurity Act of 2012 (S. 2105), each of which failed to secure Senate approval. In response to the blocking of Cybersecurity Act of 2012 by filibuster in August 2012, Rockefeller urged President Obama to use his executive authority to implement cybersecurity protections via executive order. Rockefeller commended the response of Obama’s chief counterterrorism advisor, who conveyed Obama’s willingness to use existing executive authority to protect the nation from cyber attacks. However, Rockefeller asserted that while an executive order would be a “step in the right direction,” it would at best still only accomplish a part of what was intended by the Cybersecurity Act of 2012 and that legislation is still needed. He noted calls from top military officials, including the chairman of the Joint Chiefs of Staff and the head of the National Security Agency, for the Senate to pass cybersecurity legislation.

In his letter, Rockefeller stressed that the filibuster that prevented the legislation from moving forward was largely due to opposition from certain business lobbying groups and trade associations, including the United States Chamber of Commerce. His letter to Fortune 500 executives seeks to initiate a more direct dialogue with the national business community to elicit their views and concerns about these issues, in order to foster a more collaborative approach to developing cybersecurity legislation.

Rockefeller asked recipients the following eight questions and requested that responses be provided be the committee at by October 19, 2012:

1. Has your company adopted a set of best practices to address its own cybersecurity needs?

2. If so, how were these cybersecurity practices developed?

3. Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association or entity that developed them.

4. When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?

5. Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?

6. What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?

7. What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?

8. What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

The Skadden Privacy and Data Security Group understands that there are multiple considerations to take into account in determining how to respond to the Rockefeller letter. Members of the group are available to assist clients with responding to any questions they may have regarding the request or to cybersecurity concerns more generally. Please do not hesitate to contact us if we can be of any assistance.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.