On September 19th, Senator Jay Rockefeller, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, sent a letter to the CEO of each Fortune 500 company requesting detailed information on his/her company’s cybersecurity practices. Given the particular importance of the energy sector to overall U.S. cybersecurity readiness, Senator Rockefeller’s expectations as to energy sector responses will undoubtedly be high.
The introductory message of the Rockefeller letter is emphatically simple: [we paraphrase] “In the face of an unprecedented national security challenge, The Chamber of Commerce and other inside-the-Beltway lobbyists have thwarted the passage of The Cybersecurity Act of 2012 which was supported by the President and the country’s top military officers. I now call on each of you as business leaders and Americans to express your support for the legislative efforts necessary to protect our economy and country.” Punchy perhaps, but on a stand-alone basis it would not be more than one would expect to get from a Ranking Democrat on a hotly debated issue in an election year. It does not, however, stand alone.
The letter really begins very near its end where Senator Rockefeller almost casually adds: “To help me understand your company’s views on cybersecurity, I ask that you provide responses to the following questions by Friday, October 19, 2012.”
The eight squirm-inducing questions that follow will be painful to answer, but (Senator Rockefeller hopes) perhaps more painful not to answer. They are carefully crafted both to put recipient CEOs on the spot and to thwart attempts at unresponsiveness. Significantly, the short turn-around time, combined with the company-specific and commercially sensitive nature of individual responses, may also make it difficult for a standard “safe” response to emerge from the legal community.
It is difficult to recall in recent memory a single, isolated event that will have triggered such an immediate and uniform reach-out from corporate America to its corporate counsel: 500 CEOs almost in unison placing a call to their GCs and then 500 GCs placing a second call to the relationship partner at the company’s go-to corporate firm.
So what advice are Fortune 500 companies getting? Unsurprisingly (in our growing pile of alerts), the key message is to be mindful of the many contexts (e.g. SEC reporting, litigation, confidentiality provisions, politics, etc.) in which responses may ultimately be considered and the significant risk that those responses will somehow/somewhere/someday be used against the responding companies; i.e. tread VERY carefully.
“The letter is not a subpoena, or other legally binding demand, and was not co-issued with the Ranking Republican. Nonetheless, companies should carefully determine whether and how to respond. Some of the questions may touch on privileged or sensitive matters, including existing cooperation with governmental agencies on cybersecurity issues. Moreover, answers to these questions may be compared against corporate disclosures, particularly given the SEC Guidance on disclosure obligations for cybersecurity risks and incidents.”
King & Spalding:
“While Senator Rockefeller’s letter appears to be more focused on securing support from Fortune 500 companies for his policy initiatives, and less on investigative probing, it is still too early to say where this will lead… It is also possible, consistent with Committee action in other investigations and inquiries, that the Committee is gathering information that may eventually surface at a Committee hearing, in a Committee or staff report, or during Senate debate. With this in mind, it is prudent, as with any Congressional request, to proceed carefully and to respond with a well-considered, accurate response.”
Although responses to Senator Rockefeller’s letters to the Fortune 500 CEOs are voluntary, many businesses will likely offer some response (although that need not come from the CEO)… Recipients of the requests should, of course, recognize that their responses (or failure to respond) may be used in the political battle over cybersecurity regulation and could potentially trigger further contact or Congressional inquiry.
This situation is one fraught with risk for the companies, because even if they feel it is appropriate to respond, the responses have to be carefully constructed so as not to reveal any information that could be used against them at a later date, especially with respect to litigation. Before any company responds to the letter from the Senator, it should be aware of the circumstances surrounding the letter and the potential consequences of responding to inquiries contained therein.
“In sending the letter to the CEOs, Senator Rockefeller is essentially performing an end run around the Chamber of Commerce. He states that he would be ‘surprised to learn’ that American companies, realizing that what’s good for national security is good for their bottom line, would be as ‘intransigently opposed’ to cybersecurity legislation as the Chamber of Commerce.”
To read more from myCorporateResource and to access this document as well as other legal resources for the energy sector, visit their site here.