In a keynote address delivered on September 27, 2016 at the U.S. Chamber of Commerce’s fifth annual Cybersecurity Summit in Washington, DC, Commerce Department Secretary Penny Pritzker conceded that “the federal government cannot regulate cyber risk out of existence.” Additionally, while calling for more cooperation between business and government in the cybersecurity realm, Secretary Pritzker acknowledged that, “we cannot blame executives for worrying that what starts today as an honest conversation about a cyberattack could end tomorrow in a ‘punish the victim’ regulatory enforcement action.”
Those worries – that a company that has been victimized by a cyberattack and reports it to the government will then become the target of a government investigation – are legitimate. Just ask Anthem, the health insurer that reported in February 2015 that it was the subject of a “very sophisticated external cyberattack” against its database of up to 80 million customer records. As we wrote last year, five days after it reported the attack, the Connecticut Attorney General sent Anthem’s CEO a letter seeking information “on how this breach occurred, what steps have been taken to protect the affected individuals, and what new procedures have been adopted to prevent future breaches.” The last two pages of the letter set out 11 questions seeking detailed information about topics ranging from the data protection safeguards that were compromised in the attack, to the documents showing compliance with federal health record security laws, to the breach response steps that Anthem had already implemented. Dealing with a governmental investigation of corporate cybersecurity procedures while simultaneously trying to determine the extent of the cyberattack and data breach creates an awkward situation, at best, for a company that has been the victim of a cyberattack.
Secretary Pritzker acknowledged this concern, stating: “when companies under attack by hostile nations fear coming to their government for help, something is wrong! We must change the value proposition for businesses to engage with regulators in a setting based on partnership, not punitive enforcement.”
This is not the first time the federal government has extended an olive branch, of sorts, to the private sector in an effort to address the trust gap. As we wrote in June 2015, an Assistant Attorney General noted in public remarks that the government was encouraging companies to cooperate with the government in data breach investigations. Furthermore, FBI Director James Comey, also recognizing the persistent trust gap, has recently publicly encouraged companies to report cyberattacks to the government when they occur. Moreover, federal legislation, including the Cybersecurity Sharing Act of 2015, and the federal government’s push for the creation of Information Sharing and Analysis Organizations are largely intended to facilitate the sharing of cyber threat information between private industry and the federal government. However, as long as the trust gap remains, with companies uncertain if their efforts to share cyberattack information with some government agencies will be used against them by other regulatory agencies in a “punish the victim” scenario, it is unclear whether the new information sharing goal will be met. Stay tuned for further developments.