Senate Commerce Committee Chairman John D. Rockefeller (D-WV) yesterday blanketed the entire FORTUNE 500 list of companies with a pointed letter inquiring about business opposition to cybersecurity issues and seeking a response by October 19. The letter asks for information on companies’ cybersecurity practices and companies’ concerns about the federal government’s role in setting cybersecurity standards as provided in the proposed Cybersecurity Act of 2012, S. 3414, legislation that Sen. Rockefeller and his colleagues sponsored that has failed to advance this year.
The letter is a not-so-subtle attempt to elicit political support from business for S. 3414 and overcome opposition from the US Chamber of Commerce and other groups that, among other things, fear the bill will ultimately lead to mandatory government-imposed standards. Rockefeller and the Chamber have been going back and forth about the bill for the last few months, and the Obama Administration is now reportedly considering issuing an Executive Order while still urging the adoption of legislation.
It’s important to note that while the Cybersecurity Act addresses protection of the nation’s “critical infrastructure” from cyber-attack, Chairman Rockefeller is genuinely concerned that US companies don’t fully grasp their cybersecurity vulnerabilities and responsibilities, including data privacy and security issues related to customers’ personal information more generally. So the letter is broader in its use of the term “cybersecurity” than some recipients may initially realize. In any case, the committee apparently plans no hearings at this time and is simply interested in learning where companies stand on these issues.
How companies choose to respond to the letter depends on a variety of factors, including recent SEC guidance on cybersecurity risk disclosures and, potentially, compliance considerations with other privacy and data security laws. Of course, the responses will no doubt be made public, potentially thrusting companies into the midst of a divisive political debate. Thus, the letter and data privacy and security policy issues call for cross-disciplinary consideration.
With Congress set to adjourn this week until after the November elections, further action – in the Senate at least – will have to wait.