Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

There is a growing trend toward more prescriptive cybersecurity requirements in economic sectors perceived as playing a critical role in the US economy or for US security. For example, on 12 May 2021, President Biden issued an executive order focused on combating threats to US computer systems. The Executive Order on Improving the Nation’s Cybersecurity (Cybersecurity EO) sets out to improve cybersecurity, particularly in relation to federal government systems, and follows several high-profile cyber incidents in 2020 and 2021. By leveraging the federal government’s significant purchasing power to direct agencies to develop and ultimately impose a variety of new cybersecurity mandates, the Biden administration seeks to increase cybersecurity requirements across the federal government and a range of critical industries. Companies that do business with the United States government face increasingly strict data security requirements for how they manage, store and process sensitive government information, with mandatory reporting of data breaches and standards for safeguarding sensitive data. At the same time, legislators at the state and federal level are exploring the creation of privacy rules that will include mandatory data safeguarding requirements for consumer information. For example, as of June 2021, there are three US states with comprehensive privacy laws – Colorado, California and Virginia – and many more are exploring potential new laws as well. Congress held multiple hearings in 2020 to investigate a perceived need to craft pre-emptive data handling rules or systems similar to the EU General Data Protection Regulation. We anticipate these trends will ultimately lead to more uniform and clear cybersecurity standards, along with related privacy rules more generally.
In the meantime, federal agencies in the United States are likely to continue efforts to aggressively police cybersecurity regulatory compliance applicable to particular economic sectors and to seek to impose new requirements on companies responding to breaches.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

The United States does not have a uniform data breach notification law. Rather, all 50 states, as well as the District of Columbia and a number of territories, have individual data breach notification laws. At the federal level, sector-specific laws for government contractors, certain financial institutions and certain businesses handling health records also impose special breach notification rules. In general, data breaches mandate notification to regulators and consumers when specific categories of sensitive personally identifying information are compromised through a cyber intrusion, inadvertent disclosure or other loss of data. For example, in many jurisdictions, the unauthorised acquisition of or access to data that includes a name combined with a social security number, financial account number, driver’s licence number, health record or passport number would likely trigger a mandatory breach notification obligation to the consumer and may also trigger such notification obligations to regulators. States are continuing to expand their definitions of covered information, with username or email address in combination with a password or security questions and answers becoming subject to breach notification requirements. State regulators are also increasingly investigating cyber incidents and bringing enforcement claims for perceived lapses in reasonable cybersecurity controls.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

Data security incidents, particularly cyber intrusions, may trigger several different significant challenges. For companies handling substantial amounts of sensitive personal information, such incidents may trigger:

  • communications challenges for companies that want to provide consumers or other customers with reassurance while also investigating the scope of a particular incident;
  • remediation challenges in taking steps to further safeguard sensitive data to both stop a cyber intrusion and to help bolster existing security; and
  • investigative challenges to determine the scope of the intrusion, what data was taken and whether the attacker has been removed from the company networks.

Managing these sorts of challenges, often while also coordinating with law enforcement authorities or other regulators, requires all components of a business to work together. Such incidents are not just the province of the information technology team. They are, rather, problems that require senior attention to manage and address.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

Incident response requires an immediate, coordinated effort to gather the facts through forensic analysis and to execute an incident response plan that enables the company to address multiple work streams simultaneously in a coordinated fashion. The response generally prioritises remediation, reputational harm, communication with all the relevant constituencies (including, critically, customers) and preparing for the range of potential regulatory inquiries and litigation that may follow.

Companies can take several steps to best prepare for improving their ability to respond to such issues, such as the following.

  • Reviewing existing incident response plans, benchmarking against industry best practices and proposing changes.
  • Developing and participating in tabletop exercises to help those with implementation responsibilities understand how the incident response plan would work in practice.
  • Engaging third-party firms in advance, through counsel, to ensure that the right resources are available to address critical issues in a time-sensitive manner and under attorney–client privilege.
  • Reviewing incident response plans on an annual basis to determine if revisions are warranted. Plans should also be reviewed after any serious incident to incorporate lessons learned from the company’s response to that incident.
  • Providing regular updates on, and analysis of, legal and regulatory developments that would influence response plans and practices.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

Cloud services trigger a variety of risks that should be carefully balanced as part of the decision to outsource data storage or other information technology functionality. Although cloud computing is somewhat new for many organisations, the risks associated with cloud computing are similar to other types of IT outsourcing. Those risks include the following.

  • Third-party access to data. When company information is outsourced for storage or other processing by third parties, that information may no longer be solely within the control of the information owner. The cloud provider may be compelled to release it to third parties in litigation or to government agencies inside or outside the United States. Moreover, absent appropriate prohibitions in the parties’ agreement, a cloud provider may be entitled to share customer data (or data derived from customer data) with third parties for the cloud provider’s own business purposes.
  • Data security. Evaluating the security of data in a cloud environment and ensuring the use of appropriate safeguards can be very challenging. Many cloud providers will not provide full visibility into their own network security posture.
  • Location of data. Data entrusted to a third party may be stored or otherwise processed in a jurisdiction that gives rise to unique legal or regulatory concerns. Moreover, some cloud providers do not provide transparency or assurances concerning where the data will be located.
  • Privacy and consumer notice. Processing of consumer data by a third-party cloud provider may necessitate special notices to consumers or employees and it may trigger a number of privacy and data protection obligations with respect to how their data will be handled, retained and distributed.
  • Business continuity or provider lock-in. Cloud providers and sub-processors may go out of business or otherwise experience a disaster or other incident that results in the loss, corruption or temporary inaccessibility of their customers’ data. Further, it may be difficult to extricate data from a software as a service solution at the end of the parties’ engagement, at least in a format that does not require substantial processing before the data can be ingested into a competitor’s software as a service product.

There are a wide range of different regulatory regimes that impact cloud outsourcing. Some regulations that are agnostic about whether data is outsourced in a cloud environment or remains within a company’s firewall impose general obligations that have the effect of imposing rules that data owners must satisfy in a cloud scenario (such as National Institute of Standards and Technology requirements to track and specially secure sensitive data). Other regulations are cloud-specific, such as ISO 27017, an independent security standard that provides guidance on the information security aspects of cloud computing and is often used by organisations to judge their ability to manage data in a cloud environment. Certain sectors, particularly the financial services and government contracting sectors, are subject to more stringent requirements on their use of cloud services to host consumer or government data.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

Cybersecurity remains a substantial focus of federal and state law enforcement efforts in the United States and is an area of particular concern as destructive ransomware events become more common and more substantial. The Federal Bureau of Investigation has grown its cyber capabilities substantially over the past several years and President Biden’s administration is increasingly focused on efforts to combat ransomware groups.

Specific laws that address criminal activity in the cyber context include the Computer Fraud and Abuse Act, which outlaws intrusions into or interference with the security of a government computer network or other computers connected to the internet. In addition, several federal surveillance laws prohibit unauthorised eavesdropping on electronic communications, which can limit a variety of cybersecurity activities. For example, the Electronic Communications Privacy Act prohibits unauthorised electronic eavesdropping. The Wiretap Act prevents the intentional interception, use or disclosure of wire, oral or electronic communication, unless an exception applies. The Stored Communications Act precludes intentionally accessing without authorisation a facility through which an electronic communication service is provided and thereby obtaining, altering or preventing authorised access to a wire or electronic communication while it is in electronic storage.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

Cybersecurity and privacy are increasingly significant topics for M&A due diligence because of potential regulatory or litigation exposure that a company may acquire through an acquisition. Acquirers often seek special assistance to evaluate the scope of exposure by examining the nature of the target business, the type of data it collects, maintains and shares about customers or third parties, the regulatory environment in which it operates and the types of controls the company has in place to protect its systems, limit data sharing to permissible means and otherwise ensure compliance with regulatory requirements.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

Legal advice around cybersecurity issues requires counsel that is experienced at addressing and managing the wide range of issues that cybersecurity incidents and related preparation activities may trigger.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

Cybersecurity is an evolving and changing field that requires lawyers to provide a mix of legal, policy and business guidance to clients navigating new and often challenging issues. An increasingly large number of federal and state regulatory agencies, categories of litigation plaintiffs and business partners are interested in understanding how companies are protecting their data, resulting in an increasingly complex web of risks.

How is the privacy landscape changing in your jurisdiction?

Privacy is becoming a critical part of contracting arrangements between parties, with greater focus on compliance with state, national and international laws. Greater regulation of the handling, securing and transfer of data is resulting in an increasing focus by companies on privacy issues, particularly on specifying the obligations that must be met in the handling of data between parties. The California Consumer Privacy Act of 2018 went into effect in 2020 and new laws in Virginia and Colorado will go into effect in the near term.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

Understanding of cyberthreats is generally increasing in the United States. High-profile incidents involving espionage and criminal actors receive frequent public attention. But companies need to be constantly on guard for the latest threats. In the recent past, incidents involving tax fraud were on the rise, and today ransom and extortion demands associated with cyber intrusions are becoming more common.