Proposed Cybersecurity Framework Presents Litigation Risk, Uncertainty for Companies Involved in Nation’s “Critical Infrastructure”

October 30, 2013


Issue: On October 22, 2013, the Obama administration through the U.S. Department of Commerce’s National Institute for Standards and Technology (“NIST”) issued a “Preliminary Cybersecurity Framework” proposing national voluntary standards aimed at reducing cybersecurity risk to the country’s “critical infrastructure.”[1] The Preliminary Framework partially implements a February 12, 2013, Executive Order calling for the development of standards to enhance cybersecurity in key private sectors and hews to the Order’s basic directive that the standards adopt a flexible, technology-neutral approach that can be applied across sectors and organizational models.[2] As currently conceived, the administration’s cybersecurity standards are likely to have significant implications for the private sector companies deemed to be “critical infrastructure” because the standards—though purportedly voluntary—may be enforceable through private litigation, governmental incentives, and potential regulation. The cybersecurity framework will be released in its final form in February 2014, after a 45-day period of public comment.[3]

What Is Critical Infrastructure? The framework defines “critical infrastructure” as the “[s]ystems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.”[4] The Presidential Policy Directive accompanying the February 12, 2013, Executive Order identified 16 basic critical infrastructure sectors, and the Preliminary Framework incorporates guidance describing those sectors in more detail.[5] The sectors encompass activity related to communications, manufacturing, energy, financial services, food and agriculture, health care and public health, information technology, and transportation, among other things.[6]

What Is the Framework? The Preliminary Framework describes itself as a tool that can be used in identifying and responding to cybersecurity risk using a “common language.”[7] It states that it can be a mechanism to assist companies with managing cybersecurity risk, and it outlines five categories of basic cybersecurity activities, or “functions,” performed by organizations: Identify, Protect, Detect, Respond, and Recover.[8] The tool is oriented around a variety of desired outcomes, framed in general terms as “categories,” with specific objectives supporting the outcomes itemized as “subcategories.” Thus, for example, the category “Data Security” within the “Protect” function encourages the management of information and records “to protect the confidentiality, integrity, and availability of information”; the subcategories serving this outcome include protecting intellectual property; eliminating unnecessary data; maintaining adequate capacity to ensure data availability; protecting individual privacy and personally identifiable information; and protecting against data leaks.[9] The Preliminary Framework identifies a host of categories and subcategories broadly governing issues including resource inventories, corporate governance, risk management, record storage, personnel obligations, and public relations.[10] For each category, the Preliminary Framework also provides a “methodology” for handling related privacy and civil liberties issues.[11] The Preliminary Framework suggests the use of “Target Profiles” to calibrate cybersecurity risk and the adoption of an “Implementation Tier” to guide how a firm acts to reduce such risk in light of factors including organizational goals, legal and regulatory requirements, and organizational constraints.[12]

Why You Should Care: The Preliminary Framework identifies dozens of actions it considers best practices in service of cybersecurity priorities as well as civil liberties and privacy concerns. Any of these may develop into de facto standards for firms in the affected industries, whether through governmental incentives, sector-specific regulation, or private litigation. Beyond the categories and subcategories identifying specific desired outcomes, the Preliminary Framework also identifies eight “areas for improvement” for private organizations as well as public sector actors. The areas for improvement include shortcomings in authentication, privacy standards, supply chain risk management, and data analytics; many of them could be used to support legal or regulatory challenges to practices dealing with these issues. Thus, while adoption of the final cybersecurity framework will ostensibly be voluntary, firms in the critical infrastructure sectors can expect increased pressure to conform to the standards, at minimum, and may even face significant litigation risk keyed to alleged violations of the standards.

As mentioned in our February 2013 alert regarding the Executive Order that the Preliminary Framework partially implements, the proposed national cybersecurity standards create considerable uncertainty for the affected firms. Unlike legislation, the Order may be changed at any time by the President, without the consent of Congress. Compliance with the standards may implicate other, potentially competing statutory and regulatory obligations, including obligations under existing federal privacy laws. And it is not clear what additional efforts the federal government will undertake, if any, to encourage or even compel compliance with the standards.

On October 29, 2013, President Obama met with a group of executives from the affected sectors to discuss the Preliminary Framework. Companies concerned about the increased regulatory burdens potentially associated with implementation of the final Framework may wish to participate in the remaining opportunities for public input, including the 45-day period of public comment and an upcoming workshop to discuss implementation of the Framework and further governance.[13]

If You Want Further Information: The complete text of the Preliminary Framework is here. The antecedent Executive Order and the accompanying Presidential Policy Directive can be found here and here, respectively.

If You Want Further Analysis: Contact Randy Edwards, redwards@omm.com.


[1] See NIST, U.S. Dep’t of Commerce, Preliminary Security Framework (“Preliminary Framework”) 1 (Oct. 22, 2013).
[2] See Press Release, NIST Releases Preliminary Cybersecurity Framework, Will Seek Comments (“Press Release”) (Oct. 22, 2013), available at http://www.nist.gov/itl/cybersecurity-102213.cfm; Exec. Order, Improving Critical Infrastructure Cybersecurity (“Order”) (Feb. 12, 2013).
[3] See Press Release.
[4] Preliminary Framework, App’x E.
[5] Presidential Policy Directive (“PPD-21”), Critical Infrastructure Security and Resilience (Feb. 12, 2013), at 10-11; Homeland Security, Critical Infrastructure Sectors (“Critical Infrastructure Guidance,” at http://www.dhs.gov/critical-infrastructure-sectors.
[6] See Critical Infrastructure Guidance.
[7] Preliminary Framework 5.
[8] Id. at 1, 5-6.
[9] Id. at 18-19.
[10] Id. App’x A.
[11] Id. App’x B.
[12] Id. at 7-11.
[13] See Press Release.


This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall Edwards, an O'Melveny partner licensed to practice law in California, and Meaghan VerGow, an O'Melveny counsel licensed to practice law in the District of Columbia and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York's Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, Phone:+1-212-326-2000. © 2013 O'Melveny & Myers LLP. All Rights Reserved.