On September 19th, U.S. Senator John Rockefeller, writing on behalf of the Senate’s Committee on Commerce, Science, and Transportation, sent a letter to the Fortune 500 Chief Executive Officers seeking information about their cybersecurity policies and their positions on certain cybersecurity issues.  (Read the Committee’s press release here).

The letter is a result of the Senate’s recently failed effort to pass the Cybersecurity Act of 2012 in August.  As Senator Rockefeller explains in his letter, the Committee “would like to hear more – directly from the chief executives of leading American companies about their views on cybersecurity, without the filter of beltway lobbyists.”  Senator Rockefeller argued that the legislation failed in part due to significant opposition from various business lobbying groups, including the U.S. Chamber of Commerce.  (The Chamber disagrees that this is the reason why it failed).

The letter asks the Fortune 500 CEOs to answer the following questions:

  • Has your company adopted a set of best practices to address its own cybersecurity needs?
  • If so, how were these cybersecurity practices developed?
  • Were they developed by the company solely, or were they developed outside the company?  Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
  • Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
  • What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

These questions raise several issues for the companies responding to them.  For example, how much detail should a company provide in response to these questions, keeping in mind that responses will likely be a matter of public record and may be viewed by competitors or potential cyber attackers?  What about companies that have not yet prepared formal cybersecurity practices?  Do they now have to admit this failure on the record, keeping in mind that the Committee also wants to know when those practices were developed?  Regarding the Cybersecurity Act, the responses will likely need to express concern about excessive government intervention and regulation while at the same time demonstrating sensitivity to protecting critical infrastructure like utilities, transportation, and telecommunications.

The lessons to be learned from this letter are not just for the Fortune 500.  All companies can benefit from auditing their systems and policies, implementing properly tailored cybersecurity measures for their organizations, and staying abreast of the best practices in their respective industries.

Responses to Senator Rockefeller’s letter are due by October 19th.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.