Publication - 03/11/2014

White House’s Cybersecurity Framework Highlights Need for Preparedness

Client Alert

By Ronald A. Sarachan and Zoë K. Wilhelm

The White House recently announced the official launch of the Cybersecurity Framework, which provides voluntary guidelines for both public and private organizations operating as part of the “critical infrastructure” to create or improve upon their defenses and response protocols for cyber-attacks. The framework was drafted in response to the President’s February 12, 2013 Executive Order 13636, which called for the development of a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for “critical infrastructure services” to manage cybersecurity risk. In October 2013, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released a Preliminary Framework, which was followed by a 45-day public comment period.

The official Cybersecurity Framework is largely unchanged from the preliminary draft, which Drinker Biddle partner Kenneth K. Dort thoroughly detailed in a previous client alert. The Cybersecurity Framework is organized around three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.

  • The Framework Core suggests that organizations categorize and assess all activities related to cybersecurity under five basic functions: Identify, Protect, Detect, Respond, and Recover.
  • The section on Framework Implementation Tiers describes four levels of rigor in an organization’s cybersecurity practices, from Tier 1 to Tier 4: Partial, Risk Informed, Repeatable, and Adaptive. The Tiers provide criteria for an organization both to assess its current preparedness to deal with cyber risks and to determine its goal level of preparedness. Organizations select their current and goal Tiers by weighing criteria such as regulatory requirements, business objectives, feasibility of implementation, the threat environment, and privacy and civil-liberties considerations.
  • An organization’s Framework Profile is essentially a description of the organization’s cybersecurity activities that addresses the five functions of the Framework Core in light of the organization’s unique circumstances. The Framework recommends that an organization develop both a Current Profile and a Target Profile so that the gaps between them can be identified.

For organizations seeking to use the Framework’s principles to establish or improve a cybersecurity program, the Framework recommends seven steps, described as: Prioritize and Scope; Orient; Create a Current Profile; Conduct a Risk Assessment; Create a Target Profile; Determine, Analyze, and Prioritize Gaps; and Implement Action Plan.

While the framework is entirely voluntary, we strongly recommend that all of our clients—whether a part of critical infrastructure or not—perform cyber risk assessments and analysis to implement appropriate cybersecurity programs for their organizations and prepare for data-privacy incidents and cyber-attacks. Given the ever-increasing number of these incidents and attacks, and given that the Cybersecurity Framework provides a convenient benchmark for both litigants and regulators to use in challenging the sufficiency of an organization’s preparedness and response, it is more important than ever for organizations to re-evaluate their existing programs. We encourage organizations to use the official release of the framework as an occasion to do just that. Drinker Biddle can provide guidance and advice on the framework and all aspects of data privacy and cybersecurity.

A public-private partnership created by the Department of Homeland Security, the Critical Infrastructure Cyber Community (C3) Program, is available to support organizations in implementing the cybersecurity framework. The C3 Program has a useful list of resources for businesses to use in the process.

While the Cybersecurity Framework is now official, the framework openly contemplates revisions. The framework describes itself as a “living document” and is prominently labeled “Version 1.0.” Drinker Biddle will continue to monitor the progression of the Framework and follow up when revisions occur.

If you have questions about the Cybersecurity Framework and would like to speak to one of our lawyers, please contact Ronald A. Sarachan at (215) 988-1122 or Kenneth K. Dort at (312) 569-1458.