U.S. Senator Rockefeller Seeks Information on Cybersecurity from All Fortune 500 CEOs

September 19, 2012

U.S. Senator Jay Rockefeller announced today that he has sent letters to the chief executive officers of all Fortune 500 companies requesting information by October 19, 2012 on how each company is addressing cybersecurity.  The broad requests for each company’s views on cybersecurity–including how each company developed its own practices and the role of the federal government in developing cybersecurity practices–follow recent unsuccessful efforts by Senator Rockefeller and other lawmakers to pass legislation imposing heightened cybersecurity standards at the national level.  The most recent effort, introduced by Senator Joe Lieberman and co-sponsored by Senator Rockefeller, was voted down in the U.S. Senate last month despite White House support.

This is not the first effort by lawmakers to focus on cybersecurity outside of the legislative process.   In May of last year, Senator Rockefeller and four other Senators petitioned the SEC to issue guidance to public companies concerning their obligation to provide disclosure about cybersecurity.  The SEC’s Division of Corporation Finance responded last October by releasing guidance to public companies to assist them in assessing what disclosures should be made when faced with cybersecurity risks and incidents.  (Gibson Dunn’s alert discussing that guidance is available here.)  Senator Rockefeller has also petitioned the White House to issue an executive order that would accomplish similar goals as the Lieberman/Rockefeller bill–such as establishing a voluntary program to designate cybersecurity standards for companies in control of critical infrastructure.  Critics argue that such efforts circumvent the legislative process, would create new liability risks for covered businesses, and potentially impose an impractical "one-size-fits-all" approach to cybersecurity across very different settings and businesses.

Although responses to Senator Rockefeller’s letters to the Fortune 500 CEOs are voluntary, many businesses will likely offer some response (although that need not come from the CEO).  The letters include eight questions designed to discover how companies are addressing cybersecurity and the views of the CEOs on the system the Lieberman/Rockefeller cybersecurity bill would have established if voted into law, including concerns the CEO might have with the voluntary program contemplated in the bill.  Recipients of the requests should, of course, recognize that their responses (or failure to respond) may be used in the political battle over cybersecurity regulation and could potentially trigger further contact or Congressional inquiry.  A copy of Senator Rockefeller’s letter is available here.

Gibson, Dunn & Crutcher LLP 

Gibson Dunn’s Information Technology and Data Privacy Practice Group has counseled leading businesses across the country on a wide range of cybersecurity issues, including preventing, anticipating, and responding to security breach incidents, providing guidance on the legal implications of high-priority business actions, and representing clients in matters of privacy-related regulatory scrutiny, litigation, and law enforcement interest.  Our Securities Regulation and Corporate Governance Practice Group works closely with the nation’s most prominent public companies on securities disclosure and regulatory issues, including those raised by the SEC staff’s October 2011 guidance on cybersecurity disclosure.  Our Public Policy Practice Group assists clients whose interests are affected by government on a federal, state, local, or international level and provides counsel in an effort to maximize the potential benefit or minimize the potential adverse impact of governmental action on clients’ business interests. 

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues.  Please contact the Gibson Dunn lawyer with whom you work, or any of the following: 

Information Technology and Data Privacy Practice Group:
S. Ashlie Beringer – Palo Alto (650-849-5219, [email protected])
Karl G. Nelson – Dallas (214-698-3203, [email protected])
M. Sean Royall – Dallas (214-698-3256, [email protected])
Alexander H. Southwell – New York (212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (213-229-7472, [email protected])

Securities Regulation and Corporate Governance Practice Group:
John F. Olson – Washington, D.C. (202-955-8522, [email protected]
Brian J. Lane – Washington, D.C. (202-887-3646, [email protected]
Ronald O. Mueller – Washington, D.C. (202-955-8671, [email protected]
Amy L. Goodman – Washington, D.C. (202-955-8653, [email protected]
James J. Moloney – Orange County (949-451-4343, [email protected])
Elizabeth Ising – Washington, D.C. (202-955-8287, [email protected])
Gillian McPhee Washington, D.C. (202-955-8201, [email protected])

Public Policy Practice Group:
Michael Bopp – Washington, D.C. (202-955-8256, [email protected])

© 2012 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.