Focus on Regulation

Senate Commerce Committee’s Probe of Fortune 500 Corporate Cybersecurity is Unprecedented; Responses Requested Oct. 19

Each of the 500 largest businesses in America has been asked by the Senate Commerce Committee to describe how it deals with cybersecurity, demonstrating that government’s focus on cybersecurity is not going away despite stalled legislative efforts. 

On 19 September, Senator Jay Rockefeller (D-WV) sent an unprecedented letter to the chief executives of the 500 largest companies in the United States, asking probing questions. The letter is noteworthy in several respects: 

Complexity of the topic – Several of the eight questions posed by the letter ask for information on the “best practices” used by the recipient company to address “its own cybersecurity needs.”

The letter requests a description of such practices, their provenance (i.e., whether based on ISO or other standards, or developed in-house), and the board-level and enterprise-wide governance used to oversee their implementation.

When asked of complex and large organizations such as the Fortune 500, such questions, while seemingly simple, require considerable work to answer meaningfully and accurately. Organizations of scale typically employ multiple approaches and practices — technological, management and policy — to assess and manage cybersecurity and related risks.

Sensitivity of the information – While the Commerce Committee intends to maintain the confidentiality of individual corporate responses, given the sensitivity of the topic it is also prudent to draft such responses so as to minimize risk if confidentiality is unexpectedly compromised.

Considering the prominence and market position of the companies receiving the letters, any details provided in any responses should be carefully reviewed to avoid tipping off unauthorized readers about information security practices and to avoid inconsistencies with prior or future company statements, for example those made in security-related notifications under U.S. state breach laws, in online privacy policy statements likely to be the subject of FTC oversight, in litigation, or in regulatory or corporate securities filings.

Complexity of the politics – Government and business leaders uniformly agree that cybersecurity risk has increased and additional efforts by government, industry, and individuals are needed. Substantial disagreement exists, however, as to the role of government to help industry ― which owns and operates over 80 percent of the United States’ critical infrastructure ― protect its key operations. 

Much of the letter ― four out of the eight questions ― probes its recipients directly for their views on the appropriate role of government in this area. 

Any responses to the Rockefeller letter should be informed by an understanding of the extremely complex global political environment involving the White House (which recently indicated it is preparing an Executive Order on this topic), Congress (which is divided as to the scope of needed legislation and executive branch action), key business groups such as the U.S. Chamber of Commerce, and other governments (such as the European Union) with an interest in developing policy on this subject.  

Hogan Lovells lawyers are offering complimentary briefings for firm clients to provide current insights on the Commerce Committee letter and relevant considerations. To request a briefing, contact Sonya Snyder Erickson at sonya.snydererickson@hoganlovells.com.