On Feb. 26, 2015, in an effort to make "New York State’s computer infrastructure the most secure in the nation," the New York State Senate passed a suite of four cybersecurity-related bills focused on protecting critical infrastructure entities, such as providers of financial services, telecommunications, energy and health care. The bills mark an aggressive effort to toughen penalties on cybercriminals who attack critical infrastructure (S3404 and S3406),1 to implement cybersecurity review processes and reporting by key state agencies (S3405),2 and to establish a "baseline framework" and information-sharing protocols around cybersecurity risks (S3407).
Although the Senate bills put New York at the forefront of state critical infrastructure cybersecurity legislation, certain provisions should cause significant concern in corporate boardrooms and C suites because they effectively transform "voluntary" government guidelines into mandates without at least offering confidentiality protections sufficient to prevent use of that information against them.
"Consultative" Cybersecurity Risk-Reduction Framework
S3407 is styled as the "New York State Cyber Security Initiative." It proposes a multi-factor "baseline framework" that includes, among other things, the development of "a set of standards, methodologies, procedures and processes" to address cyber risks facing both public and private critical infrastructure players―similar to existing standards such as those of the National Institute of Standards and Technology (NIST) and Control Objectives for Information and Related Technology (COBIT). In connection with this effort, the bill implements a "consultative process" whereby public and private entities would be required to engage and consider "advice" relating to cybersecurity improvements offered by the New York State Department of Homeland Security and Emergency Services (DHSES), and potentially other state agencies and additional experts.
By mandating that cybersecurity mitigation recommendations be considered, the framework and the consultative process create an ad hoc standard against which organizations’ cybersecurity programs will be measured by regulators and plaintiffs in breach-related proceedings, enforcement actions, and lawsuits. Thus, even if an organization has thoroughly and carefully vetted the recommendations, and reasonably differed in opinion, the failure to implement consultative process advice could be used as prima facie evidence that the organization breached its duty to protect data and assets from a cyberattack. Accordingly, though adoption of DHSES’s advice is deemed "voluntary" under the proposed legislation, functionally entities may have little other choice, with the failure to implement suggested mitigation measures resulting in potentially serious adverse consequences.
Cybersecurity Board and Information Sharing
To promote innovative, actionable cybersecurity polices, S3407 establishes the New York State Cybersecurity Advisory Board, an 11-member committee charged with making cybersecurity recommendations to both public and private sector organizations for protecting the state’s critical infrastructure. To facilitate quality information sharing between New York State and critical infrastructure, S3407 also proposes creation of the New York State Cyber Information Sharing and Threat Prevention Program, and directs DHSES to promulgate regulations for the production and dissemination of cyber threat information, tracking of production and dissemination of such information, and a voluntary cyber threat information-sharing program which would allow discretionary sharing of that information.
Notably missing from the bill, however, is any explicit provision clearly excluding the availability of this information―such as the identities of participating organizations and the information shared―from disclosure under New York’s Freedom of Information Law. The lack of strong confidentiality protections threatens to undermine the program’s effectiveness by failing to offer assurances that information will not be easily obtained by threat actors and would-be litigants looking for a foothold to file suit. (Although the New York Freedom of Information Law allows a party disclosing critical infrastructure information to request an exemption from disclosure―for example, because it was "complied for law enforcement purposes"―application of such exemption is left to the agency’s discretion.) Accordingly, should the bill become law, organizations would be well advised to proceed with caution in deciding to share threat information with DHSES or any other New York State agency because that information could potentially, and easily, be discovered.
In contrast, the federal Critical Infrastructure Information Act (CIIA) of 2002 explicitly provides that critical infrastructure security information shared with the federal government is protected from disclosure requests made under the Freedom of Information Act. It further prohibits state and local governmental agencies who receive that information from the federal government from disclosing that information pursuant to any state public disclosure law. Moreover, unlike S3407, the CIIA provides that threat information shared with the government will not be used against the disclosing entity.
If these bills pass, New York State would emerge as a leader in formalizing cyber threat information-sharing and coordination between state government and private sector critical infrastructure entities (involved in financial services, health care and energy, among other sectors). Indeed, as recent efforts to pass more general federal cyber threat information-sharing legislation have stalled, this is a signal that states may be prepared to step in where Congress has failed, and a strong indication of their likely approach.
S3407, however, puts private sector organizations in a difficult position by requiring that they consider the government’s cybersecurity threat mitigation recommendations without providing protections from those who might seek to acquire that information and then use it against the entity, either in court in or in an attack. Should the bill become law, private sector businesses will have to consider whether and how to engage in with government in a manner that minimizes the potential for these negative consequences.
1 S3404 and S3406 create new enforcement mechanisms for threat actors. S3404 creates the new crimes of first- and second-degree cyber terrorism for use of a computer to coerce a civilian population, influence the policy of a unit of government by intimidation or coercion, affect the conduct of a unit of government, or cause mass injury, damage, destruction or debilitation to persons or property. S3406, similar to the federal Computer Fraud and Abuse Act, makes it a felony to use a computer or device to carry out a cyberattack that results in over $100,000 in damages.
2 S3405 would require DHSES to work with the Superintendent of State Police, the Chief Information Officer and the President of the Center for Internet Security to complete a comprehensive review every five years of New York’s cyber security measures and issue a report identifying the state’s security needs and updates to meet industry best practices.
Orrick’s Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.