February 27, 2015 Practice Points

Executive Order re: Cybersecurity

On February 13, 2015, at the Summit on Cybersecurity and Consumer Protection at Stanford University, President Obama issued an Executive Order titled "Promoting Private Sector Cybersecurity Information Sharing."

By Megan Donohue

On February 13, 2015, at the Summit on Cybersecurity and Consumer Protection at Stanford University, President Obama issued an Executive Order titled "Promoting Private Sector Cybersecurity Information Sharing." The central provision of the order contemplates ways to increase voluntary disclosure and real-time sharing of cybersecurity threat information among private sector companies, non-profits, and federal agencies. In that vein, the order suggests a framework for the Department of Homeland Security to encourage the formation of Information Sharing and Analysis Organizations (ISAOs).

These ISAOs would be groups organized on the basis of sector, regions or other affinity, including in response to a particular threat or vulnerability, which would collaborate with the Department of Homeland Security to share information about cybersecurity threats. In addition, the order gives the Department of Homeland Security authority to enter into information-sharing agreements with ISAOs and directs it to create a non-profit organization to develop baseline standards and practices for information sharing. Participation in ISAOs will be voluntary and whether private industry will join remains unclear.

Crucially, the order does not substantively address the liability risks that may accompany cybersecurity attacks, including consumer class actions and shareholder lawsuits, threats that may undermine the willingness of some companies to readily share details regarding a hacking incident. Instead, the order calls for legislative action by Congress to enact targeted liability protection for companies that participate in ISAOs and share information. Indeed, only two days prior to the order, Senator Tom Carper of Delaware introduced a separate bill entitled "Cyber Threat Sharing Act of 2015" which proposes limitations of liability in certain instances for sharing by ISAOs. The bill is presently pending in committee.

Keywords: intellectual property, litigation, cybersecurity, Summit on Cybersecurity and Consumer Protection, Executive Order, information sharing, ISAOs, Department of Homeland Security

Megan Donohue is with Cooley LLP in San Diego, California.


Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).

Megan Donohue – February 27, 2015