2014 was a tumultuous year in data security, as cyberthreats rose to unprecedented levels. High profile data breaches at JPMorgan Chase & Co, Home Depot, Target Corp., Sony Pictures and Entertainment, among others, made data security in the private sector a legislative priority in the United States. The House has answered with the Protecting Cyber Networks Act bill, which allows companies under threat to share data with the government in order to better protect themselves and others from cyber attacks. President Barack Obama has voiced his support for the bill, which is expected to pass the Senate.
Chief Legal Officers are rightfully concerned with data breaches, both reactively and by keeping up with the changing regulatory environment. According to the 2015 ACC CLO Survey, 27 percent of CLOs reported data breaches at their organizations in the past two years, with big organizations at greater risk. The cover story in the May edition of the Docket provides guidance on compliance and preparing for data breaches. Below, excerpts from "Cybersecurity - Emerging Trends and Regulatory Guidance":
- Step one: assess your company's exposure to a cybersecurity threat by figuring out what your company needs to protect.
- Step two: identify where the vulnerabilities exist. This is a complex and multilayered issue.
- Step three: prepare and coordinate among the key stakeholders in your company. The legal department should be able to identify legal requirements and ways to limit liability.
- Step four: develop a plan. Your plan should include — among many other things — guidance on a potential media response by your company.
One conceptual framework worth considering as a standard of care for company readiness against cyberattacks was developed by the National Institute of Standards and Technology (NIST). The NIST framework core includes five functions that are performed concurrently and continually to create a culture that addresses the dynamic nature of cybersecurity risks:
- Identify: understand the business context, resources that support critical functions and the related cybersecurity risks to focus and prioritize efforts.
- Protect: develop and implement safeguards to limit or contain the impact of a potential cyberincident.
- Detect: develop and implement activities to detect a cyberincident in a timely manner.
- Respond: develop and implement activities to contain the impact of a potential cyberincident.
- Recover: develop and implement activities that support timely recovery to normal operations to reduce the impact of the cyberincident.
Corporate cybersecurity is not limited to the United States. From the article:
With the growing number of data-security breaches around the world, security remains a great concern. Seventeen countries have enacted mandatory breach-notification laws that require organizations to notify individuals and/or government regulators in the event of a data breach. Ten other countries have issued voluntary data-breach-notification guidelines. With respect to data safeguards, there is a broad range of data security obligations. Some countries, such as those in the United Kingdom, simply require that companies use reasonable organizational and technical measures to protect personal information. Other countries have detailed security obligations, such as South Korea (which requires encryption of certain types of data at rest) and Argentina (which requires encryption of sensitive data over the Internet).
With respect to privacy, more than 90 countries now have comprehensive privacy statutes. Most privacy laws outside the United States are broader than US law, covering any personally identifiable information, not only customer or consumer information. Generally, these laws require that the existence of databases be publicly disclosed and that the databases be registered with the government or with an independent data-protection authority. They also require that individuals whose personal information is maintained in these databases be given notice of, and in certain circumstances consent to, the collection, use and transfer of their personal information as well as the right to access and correct the information held about them.
For now, all in-house counsel should carefully monitor the legislative developments and continue to stay vigilant about cyberthreats.
To read "Cybersecurity - Emerging Trends and Regulatory Guidance" in full, please register here.