The proposed Cybersecurity Disclosure Act of 2015: Problematic legislation that raises a host of concerns.

Author: Chassman, Pete

This past December U.S. Senators Susan Collins and Jack Reed introduced the Cybersecurity Disclosure Act of 2015 ("CDA"), which would require public companies to disclose, in public filings, whether their boards of directors include members with "expertise or experience in cybersecurity," and, if not, then to publicly disclose other information about their cybersecurity measures. Although the proposed legislation undoubtedly was intended to protect reporting companies and the information that they possess from the very real and ever-increasing threat of cyberattacks, the proposed legislation is problematic, as currently written, and raises a number of issues. Congress probably would do better by simply starting over. If the legislation passes, company management will need to consider its next steps, although it would be premature to do so at this point.

* Undefined: At the core of the CDA is "expertise or experience in cybersecurity," and, yet, the CDA provides that, at some time after the Act's passage, the SEC in coordination with the National Institute of Standards and Technology (NIST) will define what constitutes that expertise or experience. That is, the key term, and not just an ancillary term, of the entire CDA is undefined and won't be known until sometime after Congress has to vote the CDA up or down. Unless the CDA's proposers want to define "expertise or experience in cybersecurity" in the CDA itself, the absence of a definition, alone, should call the bill into serious question, because of its vagueness.

* Misses the Mark: The CDA is focused on "cybersecurity expertise or experience" at the board or governing body level, but the reality is that the real expertise or experience, whatever it ultimately may be defined to be, likely won't reside at the board or general partner level of a significant company, even at those companies that have the best cybersecurity personnel. Companies may hire in-house cybersecurity expert employees (e.g., information technology managers) or retain outside cybersecurity firms to handle cybersecurity. And those employees or firms are more likely than someone sitting on the board to be the experts actually involved in cybersecurity at those companies.

* Liability Issues?: If the proposed legislation...