On February 12, 2013, President Obama signed an Executive Order titled “Improving Critical Infrastructure Cybersecurity.” The order calls for heightened measures in the private sector to ensure the country’s security in the face of cyber-threats. The release mandates increased visibility and communication between government agencies and private companies that hold highly sensitive data.
The order begins, “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.” Though the president did not explicitly name any such intrusions, his dire statement evokes the security concerns that have been populating the news recently. There has been extensive media coverage following the discovery of evidence that the Chinese government is sponsoring hackers, and several large companies, Facebook and Apple among them, have announced that they had been hacked. However, the general public only knows of the organizations that have voluntarily admitted to being hacked. Most have not, either because they don’t know or because, understandably, they do not want to publicize their vulnerabilities.
The executive order promises guidelines rather than legislation, so it will require some degree of voluntary compliance from companies. Within the next year, the order mandates, the National Institute of Standards and Technology will release a “Cybersecurity Framework,” which will include “voluntary consensus standards and industry best practices” to minimize security risks. Will law firms be advised to adhere to the Framework?
The “critical infrastructure” that the president has deemed in need of protection refers to those essential systems whose compromise would pose a serious threat to national security. The industries in question will also be identified in the near future. There are some obvious entities that we can imagine the term will include. For example, we can reasonably expect that the New York Stock Exchange will fall under the heading of “critical infrastructure,” as will manufacturers of weapons (one of which has, scarily enough, been successfully targeted recently).
But where do law firms fit in? Will government representatives be contacting the heads of firms with the new guidelines as well? Law firms certainly are repositories of critical information, including intellectual property and trade secrets.
In November 2011, in a meeting with representatives from New York’s top 200 law firms, the cyber security division of the FBI warned that hackers look to law firms as a roundabout way to get to their clients’ corporate data. Mary Galligan of the FBI warned, “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.”
While there has been discussion of what a law firm hacking could mean for a firm’s cases and for the businesses it represents, national security has not really been at the forefront as a concern in this conversation. This may be changing, and some firms may have to adapt to the new framework in the near future.