Businesses with ties to foreign hackers engaged in cyber security breaches may be a target for substantial government penalties in the next few years. On April 1, President Obama issued an executive order authorizing sanctions on any person complicit in harming or significantly compromising the computer networks of an entity in a critical infrastructure sector.
The sectors at issue are defined by the U.S. Government and cut across a wide variety of industries. The 16 critical infrastructure sectors are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation services; and water and wastewater systems.
It appears that it is up to the Secretary of the Treasury to designate individuals or entities engaged in prohibited activities for sanctions. One potential target of this law identified in the media reports was the state-owned enterprises in China which benefit from the industrial espionage by Chinese military hackers.
This executive order reminds me of the economic sanctions against Iran, Cuba and other foreign nations. These economic sanctions, administered by the Office of Foreign Assets Control (OFAC), have generated a couple substantial settlements with corporations over the past year. BNP Paribas and Commerzbank both had to pay settlements exceeding $1 billion for prohibited interactions with members of these nations.
A few weeks ago, we explored the potential for whistleblowers to report violations to the SEC whistleblower program for the failure of an issuer to disclose hacking incidents and material weaknesses in their cybersecurity defenses. There’s no reason yet to think that the SEC would play an enforcement role in President Obama’s prohibition against hacking. But it may be worth discussing this matter with one of our securities whistleblower attorneys in the future should evidence of corporate misconduct arise.