Much of the cyber security community is focused on pending cyber legislation and the forthcoming Executive Order to be issued by the Administration.
Without a doubt, the aforementioned actions are on the cutting edge of a new and massive federal regulatory program. Furthermore, the actions being taken by a number of firms whose IT networks are part of the US “critical infrastructure” are commendable in that they are reducing the risk of losing intellectual property and are also reducing the risk of substantial economic disruption.
Less obvious and more imminent is the rapidly emerging role of trial attorneys abetted by “guidance” issued by the SEC in which an agency spokesman stated:
Center for Regulatory Effectiveness
Because the SEC has issued guidance for SEC registrant companies, those companies must disclose cyber intrusions into their computer networks. The problem is that the SEC guidance is overly expansive and ambiguous.
Accordingly, trial attorneys are taking steps to initiate class action lawsuits against owners of critical infrastructure. See the attachment below.
CRE has been following cyber intrusions into critical infrastructure for nearly a decade and was always of the view that such intrusions were a precursor to a new wave of federal regulation. Well, after these many years, the signs of the tsunami are finally appearing. See these actions by the trial attorneys.
An immediate remedy is to develop a “safe harbor” which will define the line between reporting and not reporting intrusions to a federal body.
Other remedies include actions which will ensure that the SEC adheres to the “good government” laws which “regulate the regulators” when they require public disclosure of intrusions into the network of a critical infrastructure.