The absence of congressional action on cybersecurity legislation has spurred efforts by various entities to exert influence over cybersecurity policy. This client alert focuses on some of those efforts, including the Federal Energy Regulatory Commission’s (“FERC’s”) creation of a new cybersecurity office, North American Electric Reliability Corporation (“NERC”) action on cybersecurity Critical Infrastructure Protection (“CIP”) standards, continuing legislative developments concerning cybersecurity and anticipated White House executive orders on cybersecurity.
Cybersecurity has been one of the highest-profile topics in Washington this year. Yet, despite considering multiple cybersecurity bills, Congress left Washington for the upcoming elections without passing legislation. The chief architect of one such cybersecurity bill, Senator Joe Lieberman (I-CT), has expressed his view that legislation will not likely pass during the lame-duck session following the elections.
The main disagreement over cybersecurity legislation relates to granting the Department of Homeland Security (“DHS”) authority to set mandatory cybersecurity standards for critical infrastructure, accompanying liability protection, and, to a lesser degree, civil liberty concerns associated with public-private cybersecurity threat information exchanges.
With no new legislation forthcoming, officials are exploring cybersecurity policy options under existing authorities.
- FERC Announces New Cybersecurity Office: FERC has announced it is creating a new Office of Energy Infrastructure Security (“OEIS”) focused on potential physical and cybersecurity risks to energy facilities under its jurisdiction. According to FERC, OEIS will develop recommendations, provide assistance, participate in interagency efforts and conduct outreach with the private sector on physical and cybersecurity threats. OEIS will be led by Joseph McClelland, who has been Director of the Office of Electric Reliability since its formation in 2006.
- NERC Activity on Cybersecurity: NERC announced on October 1 that it is moving ahead with developing version 5 of its cybersecurity CIP standards. Balloting on the new version 5 CIP standards will be open until October 12. Read more information on the CIP standards. In addition, on October 3 the director of the NERC Electricity Sector Information Sharing and Analysis Center (“ES-ISAC”) distributed a letter to the electric industry. The letter informs the industry about developments and future actions in furtherance of the ES-ISAC’s role in cyber security, in which it undertakes to ensure grid reliability through improved information sharing and analysis and coordinated sector readiness and triage response. The letter positions ES-ISAC as a “bridge” between peer industry members, and between the U.S. and Canadian governments, and requests industry commitment and participation in collaboration and information sharing in order for ES-ISAC to fulfill this role.
- Senator Rockefeller Fortune 500 CEO Letter: Senator John Rockefeller (D-WV), Chairman of the Senate Committee on Commerce, Science, and Transportation, recently sent a letter to the CEOs of Fortune 500 companies seeking information about company cybersecurity practices as well as those companies’ views on federal legislation related to cybersecurity. Among other things, the letter asks the CEOs about each company’s cybersecurity best practices, how those practices are implemented, the federal government’s involvement in developing those practices and whether the CEOs are concerned about the federal government becoming involved in a cybersecurity standards-setting process. The letter requests responses from the CEOs to the inquiries by October 19. While the letter does not have legal authority requiring action, it is a sign of continued congressional efforts on cybersecurity.
- Cybersecurity Executive Order: The White House has said it is working on an Executive Order (“EO”) patterned on Senator Lieberman’s cybersecurity bill. While a draft has not been publicly released, the EO is said to establish a consultative process, led by DHS, to develop voluntary cybersecurity standards for critical infrastructure. Some have questioned whether, absent congressional action, the president can mandate voluntary cybersecurity standards. However, reports indicate the EO encourages departments and agencies to use existing authority to implement the voluntary cybersecurity standards. The EO also provides guidance to federal government bodies regarding information sharing.
- CIP Presidential Decision Directive: The Administration also reportedly is drafting a separate CIP Presidential Decision Directive (“PDD”) to update the 2003 Homeland Security Presidential Directive-7. A PDD carries significant influence as it is an EO developed through the National Security Council. The draft CIP PDD reportedly focuses on integrating DHS physical and cybersecurity activities, along with updating the National Infrastructure Protection Plan. Officials indicate the draft CIP PDD also addresses challenges faced by the public-private partnerships that were developed to confront national security interests in critical infrastructure and key resources.
Taken together, these developments suggest a piecemeal approach to cybersecurity in lieu of congressional action. Cybersecurity already presents difficult legal and compliance issues. These complexities will continue to be compounded by competing claims of jurisdiction and expertise as players with differing goals and objectives assert roles in cybersecurity policy.
For its part, FERC’s creation of OEIS signals increased Commission action on energy cybersecurity issues. OEIS’s establishment, in and of itself, does not substantively change electric utility compliance obligations. However, this development may indicate FERC intends to respond to presidential and congressional pressure with greater emphasis on cybersecurity or more aggressive investigations of cybersecurity incidents, and perhaps more substantial penalties. The new office may raise concerns within the electric utility industry that OEIS may attempt to strengthen the control of FERC in an arena currently structured for leadership by NERC and industry. Furthermore, while cybersecurity at FERC has been confined to the electric reliability program, OEIS’s application to all FERC-jurisdictional “energy facilities” may suggest the Commission is seeking to expand its influence on cybersecurity practices beyond electricity to natural gas and oil pipeline industries. On the other hand, the industry could consider OEIS to be a benefit if it is able to head off electricity sector cybersecurity regulatory efforts by agencies with less sector-specific experience. Indeed, with appropriate input, OEIS could potentially be an effective voice for industry concerns in any interagency processes.
Going forward, dealing with these and similar issues in other industries will require a multifaceted approach that takes into account the policies, jurisdictional claims and bureaucratic interests of the relevant regulatory and executive agencies, as well as applicable legislative policies and actions, or lack thereof. The team at Hunton & Williams offers diverse experience and knowledge, positioning the firm to assist with all dimensions of cybersecurity concerns in the current technical and political environment.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code