Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.
1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Although many economic sectors in the United States have little or no cybersecurity standards, there is a growing trend toward more proscriptive requirements in economic sectors perceived as playing a critical role in the US economy or for US security. For example, defence contractors in the United States face increasingly strict data security requirements for how they manage, store and process sensitive government information. At the same time, there is new focus in the United States on the creation of national privacy legislation. The US Congress has held multiple hearings in the first half of 2019 to investigate a perceived need for the US to craft data handling rules similar to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Over time, we anticipate these trends will ultimately lead to more uniform and clear cybersecurity standards, along with related privacy rules more generally, but a consensus on how to craft such standards is likely to remain elusive in the short term. In the meantime, federal agencies in the United States are likely to continue efforts to craft more aggressive cybersecurity regulatory requirements applicable to particular economic sectors and impose general requirements on companies responding to breaches.
2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
The United States does not have a uniform data breach notification law. Rather, all 50 US states, as well as DC and a number of territories, have individual data breach notification laws. At the federal level, sector-specific laws for government contractors, certain financial institutions and certain businesses handling health records also impose special breach notification rules. In general, data breaches mandate notification to regulators and consumers when specific categories of sensitive personally identifying information are compromised through a cyber intrusion, inadvertent disclosure or other loss of data. For example, in many jurisdictions, the unauthorised acquisition of and access to data that includes name combined with a social security number, financial account number, driver’s licence number, health record or passport number would likely trigger a mandatory breach notification obligation to the consumer and may also trigger notification obligations to regulators. States are continuing to expand their definitions of covered information, with username or email address in combination with a password or security question and answers becoming increasingly subject to breach notification requirements. US state regulators are also increasingly investigating cyber incidents and bringing enforcement claims for perceived lapses in reasonable cybersecurity controls.
3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
Data security incidents, particularly cyber intrusions, may trigger several different significant challenges. For companies handling substantial amounts of sensitive personal information, such incidents may trigger:
- communications challenges for companies that want to provide consumers or other customers with reassurance while also investigating the scope of a particular incident;
- remediation challenges in taking steps to further safeguard sensitive data to both stop a cyber intrusion and to help bolster existing security; and
- investigative challenges to determine the scope of the intrusion, what data was taken and whether the attacker has been removed from the company networks.
Managing these sorts of challenges, often while also coordinating with law enforcement authorities or other regulators, requires all components of a business to work together. Such incidents are not just the province of the information technology team. They are, rather, incidents that require senior attention to manage and address.
4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
Incident response requires an immediate, coordinated effort to gather the facts through forensic analysis and to execute an incident response plan that enables the company to address multiple work streams simultaneously in a coordinated fashion. The response generally prioritises remediation, reputational harm, communication with all the relevant constituencies (including, critically, customers) and preparing for the range of potential regulatory inquiries and litigation that may follow.
Companies can take several steps to best prepare for improving their ability to respond to such issues, such as the following.
- Reviewing existing incident response plans, benchmarking against industry best practices and proposing changes.
- Developing and participating in tabletop exercises to help those with implementation responsibilities understand how the incident response plan would work in practice.
- Engaging third-party firms in advance, through counsel, to ensure that the right resources are available to address critical issues in a time-sensitive manner and under attorney–client privilege.
- Reviewing incident response plans on an annual basis to determine if revisions are warranted. Plans should also be reviewed after any serious incident to incorporate lessons learned from the company’s response to that incident.
- Providing regular updates on, and analysis of, legal and regulatory developments that would influence response plans and practices.
5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?
Cloud services trigger a variety of risks that should be carefully balanced as part of the decision to outsource data storage or other information technology functionality. Although cloud computing is somewhat new for many organisations, the risks associated with cloud computing are similar to other types of IT outsourcing. Those risks include the following.
- Third-party access to data. When company information is outsourced for storage or other processing by third parties, that information may no longer be solely within the control of the information owner. The cloud provider may be compelled to release it to third parties in litigation or to government agencies inside or outside the United States. Moreover, absent appropriate prohibitions in the parties’ agreement, a cloud provider may be entitled to share customer data (or data derived from customer data) with third parties for the cloud provider’s own business purposes.
- Data security. Evaluating the security of data in a cloud environment and ensuring the use of appropriate safeguards can be very challenging. Many cloud providers will not provide full visibility into their own network security posture.
- Location of data. Data entrusted to a third party may be stored or otherwise processed in a jurisdiction that gives rise to unique legal or regulatory concerns. Moreover, some cloud providers do not provide transparency or assurances concerning where the data will be located.
- Privacy and consumer notice. Processing of consumer data by a third-party cloud provider may necessitate special notices to consumers or employees and it may trigger a number of privacy and data protection obligations with respect to how their data will be handled, retained and distributed.
- Business continuity and provider lock-in. Cloud providers and sub-processors may go out of business or otherwise experience a disaster or other incident that results in the loss, corruption or temporary inaccessibility of their customers’ data. Further, it may be difficult to extricate data from a software as a service (SaaS) solution at the end of the parties’ engagement, at least in a format that does not require substantial processing before the data can be ingested into a competitor’s SaaS product.
There is a wide range of different regulatory regimes that impact cloud outsourcing. Some regulations that are agnostic about whether data is outsourced in a cloud environment or remains within a company’s firewall impose general obligations that have the effect of imposing rules that data owners must satisfy in a cloud scenario (such as National Institute of Standards and Technology requirements to track and specially secure sensitive data). Other regulations are cloud-specific, such as ISO 27017, an independent security standard that provides guidance on the information security aspects of cloud computing and is often used by organisations to judge their ability to manage data in a cloud environment. Certain sectors, particularly the financial services and government contracting sectors, are subject to more stringent requirements on their use of cloud services to host consumer or government data.
6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
Cybersecurity is increasingly a substantial focus of federal and state law enforcement efforts in the United States. The Federal Bureau of Investigation has grown its cyber capabilities substantially over the past several years and the US Congress is increasingly focused on resources needed to combat cyberespionage, cybercrime and other forms of improper cyber activity. In 2018, the Department of Justice (DOJ) established a Cyber-Digital Task Force to assess how DOJ is responding to global cyberthreats and how federal law enforcement can more effectively accomplish its cyber mission.
Specific laws that address criminal activity in the cyber context include the Computer Fraud and Abuse Act, which outlaws intrusions into or interference with the security of a government computer network or other computers connected to the internet. In addition, several federal surveillance laws prohibit unauthorised eavesdropping on electronic communications, which can limit a variety of cybersecurity activities. For example, the Electronic Communications and Privacy Act prohibits unauthorised electronic eavesdropping. The Wiretap Act prevents the intentional interception, use or disclosure of wire, oral or electronic communication, unless an exception applies. The Stored Communications Act precludes intentionally accessing, without authorisation, a facility through which an electronic communication service is provided and thereby obtaining, altering or preventing authorised access to a wire or electronic communication while it is in electronic storage.
7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
Cybersecurity and privacy are increasingly significant topics for M&A due diligence because of potential regulatory or litigation exposure that a company may acquire through an acquisition. Acquirers often seek special assistance today to evaluate the scope of exposure by examining the nature of the target business; the type of data it collects, maintains and shares about customers or third parties; the regulatory environment in which it operates; and the types of controls the company has in place to protect its systems, limit data sharing to permissible means and otherwise ensure compliance with regulatory requirements.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
Legal advice around cybersecurity issues requires counsel that is experienced at addressing and managing the wide range of issues that cybersecurity incidents and related preparation activities may trigger.
What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
Cybersecurity requires lawyers to provide a mix of legal, policy and business guidance to clients navigating new and often challenging issues. An increasingly large number of federal and state regulatory agencies, categories of litigation plaintiffs and business partners are interested in understanding how companies are protecting their data, resulting in an increasingly complex web of risks.
How is the privacy landscape changing in your jurisdiction?
Privacy is becoming a critical part of contracting arrangements between parties, with greater focus on compliance with state, national and international laws. Greater regulation of the handling, securing and transfer of data is resulting in an increasing focus by companies on privacy issues, particularly on specifying the obligations that must be met in the handling of data between parties. On 28 June 2018, California enacted the California Consumer Privacy Act of 2018 (CCPA), a sweeping privacy law. The law, which takes effect on 1 January 2020, may prompt similar laws in other states and it is already prompting companies to take steps now to try to be prepared to comply with the CCPA when it goes into effect.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
Understanding of cyberthreats is generally increasing in the United States. High-profile incidents involving espionage and criminal actors receive frequent public attention. But companies need to be constantly on guard for the latest threats. In the recent past, incidents involving tax fraud were on the rise and today ransom and extortion demands associated with cyber intrusions are becoming more common.