[BreachExchange] The year ahead in cybersecurity law

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 11 18:48:42 EST 2018


If 2017 taught us anything, it is that cybersecurity and data privacy are
going to remain hot button issues for business leaders from here on out. As
we get into the swing of 2018, major legal cases and proposed state and
federal legislation will shape how companies respond to and attempt to
mitigate cybersecurity and data privacy risks.

These cases and bills highlight the fact that the patchwork of old laws and
regulations – across the United States and across every industry – is
having a difficult time keeping up with rapidly developing technology,
particularly when they have to balance privacy rights with law enforcement
needs. This year, some of the biggest issues to watch will be data
disclosures to law enforcement, civil liability for data breaches, and
board-level responsibility for data security.

The proper balance with data disclosures

Already, technology, media and telecommunications companies that store
personal information receive a large number of law enforcement requests to
disclose individuals’ information every year. The question of the proper
boundaries for an individual’s expectation of privacy in the digital age
versus the burden of proof required of law enforcement before requesting
personal data has been a contentious issue. Two cases before the Supreme
Court may shed new light and provide practical guidance for companies.

The first case, Carpenter v. United States, will be another milestone in
the evolving debate over whether existing Constitutional jurisprudence is
sufficient or whether new law is needed to address this technology-induced
tension. One of the main issues in this case is what burden of proof police
need to obtain personal data from companies.

As background on the case, a 1979 Supreme Court case gave some structure to
the process required under the Fourth Amendment for law enforcement to
compel third parties to disclose information they possessed about an
individual. At that time, these third parties would have included the likes
of banks (with account information and transaction dates and amounts) and
telephone companies (with the numbers dialed or phone numbers from which an
individual received calls at what dates and times).

Under the Fourth Amendment, when an individual willingly gave her
personal information to these third parties – such as by dialing a phone
number and having it routed through a telecommunications company – the
individual relinquished privacy rights to it (because individuals do not
control what telecommunications operators do with that information). Law
enforcement could obtain an individual’s information from the third party
without asking the user through a legal process that is less rigorous than
a search warrant, which requires approval from a magistrate judge. Under
the Stored Communications Act of 1986, law enforcement could obtain such
data by affirming that the information would be relevant or material to an
ongoing case.

In the new digital era, third parties hold an exponentially larger amount
of personal information relating to their users, from search engine data to
geo-locating functions in smart phones or connected cars. A very legitimate
tension therefore exists in the digital era where everyone stores a large
amount of personal information in interconnected devices and apps instead
of on paper records.  While that information must be free from unreasonable
searches and seizures by the government, law enforcement also must have the
ability to carry out its obligation to investigate crimes, including to
legally obtain digital data that criminals intentionally attempt to hide in
mobile devices.

In Microsoft v. United States, the Government has asked the Supreme Court
to overturn a Second Circuit ruling that barred law enforcement from being
able to obtain user data stored overseas by using a U.S. search warrant.
The Government argues that this restriction would be almost insurmountably
detrimental to law enforcement investigations because of criminals’
information stored by U.S. companies that happen to use cloud storage on
servers outside the country. Microsoft, on the other hand, contends that
the Government has no jurisdiction over data held in overseas data centers
physically located in other sovereign nations even if that data relates
solely to American users (in this case, the data in question is customer
email content stored in Ireland as part of a drug investigation). While
Microsoft points out that the U.S. government could use an international
process for requesting the evidence from Ireland under a Mutual Legal
Assistance Treaty (MLAT), the MLAT process is generally a drawn-out and
sometimes inefficient process that does not meet more urgent needs of law
enforcement investigations. Ireland, the UK and the European Commission
have now all submitted amicus briefs in the case.

The decision in both cases will inform how companies should respond to data
access requests. Businesses more than ever need a clear path forward that
balances their need to prove to customers that they are keeping data
private and secure, while also supporting the investigations of law
enforcement agencies where those investigations involve valid concerns.

Cybersecurity liability

The next big cybersecurity issue to watch this year will be on civil
liability for data breaches. We live in an era in which an increasing
number of companies have been hit with cyberattacks while others have had
employees lose a USB stick containing unencrypted customer data, for
example. Because of this, the link between a certain data incident and
fraudulent activity (which may or may not lead to concrete harm) is
becoming murky. Entering the fray are class actions in which plaintiffs allege
that they were harmed by having their data stolen in a security incident
because they now face the risk of future harm that may (or may not) occur
due to the breach. According to Article III of the Constitution, plaintiffs
can only bring a case to court if harm was suffered and they are the actual
party that suffered harm (called having “standing” to sue).

CareFirst has petitioned the Supreme Court to review the DC Circuit’s ruling
in CareFirst Inc. v. Attias on future harm and informational injury
following a 2014 data breach. A class action was brought against the health
insurer claiming future harm that could result from the breach. Following
the ruling in Spokeo v. Robins in 2016, which found that a plaintiff must
affirmatively plead particularized and concrete injury to establish Article
III standing, several Circuits have split on the issue of whether potential
future harm was enough to constitute standing. With the rise of
cyberattacks and data breaches, this case will have wide-ranging
ramifications for any business that holds personal data as well as cyber

The Federal Trade Commission has recently held a public meeting on
“consumer informational injury”. As the FTC seeks to expand its role in
data security and privacy enforcement, particularly recently in relation to
the Internet of Things products, onlookers will be watching closely to
assess the Commission’s stance on potential future harm.

The legal fallout from the Equifax breach will also have important
ramifications in this area. After a rare class action was filed in 50
states against the credit monitoring agency, the Independent Community
Bankers of America, on behalf of thousands of community banks, has also
filed a class action in November in the District Court for the Northern
District of Georgia. This case again brings up the issue of whether the
simple threat of future harm – as opposed to alleging that actual harm has
already been suffered – is sufficient to establish Article III standing.

Potential relief from liability

On the bright side for data breach victim organizations, a proposed state
bill in Ohio could pave the way for shielding businesses from lawsuits
following data breaches if the organization can demonstrate that its
cybersecurity program meets certain industry standards. Ohio Senate Bill
220 would create a ‘safe harbor’ for businesses if they comply with the
NIST Cybersecurity Framework or certain other standards.  The bill
specifically mentions NIST 800-171, 800-53, the ISO 27000 family, the
Center for Internet Security (CIS) critical security controls, Health
Insurance Portability and Accountability Act (HIPAA) and the Federal
Information Security Modernization Act (FISMA).

If other states start to follow suit, this could help to protect businesses
that have legitimately taken reasonable steps to protect personal data
appropriate for their particular situation, but who were ultimately still
victims of an attack.

Lawmakers look to the board

In the wake of a large number of high-profile breaches last year, scrutiny
is now turning more and more to senior executives and the Board. In the
current day and age, customers or clients and shareholders have a
reasonable expectation that data privacy and cybersecurity will be a major
consideration for every company, big or small, regardless of the sector
they are in. Lawmakers are also starting to scrutinize the company leaders
with the expectation for stewardship in this area.

The Cybersecurity Disclosure Act of 2017 (S.536) aims to promote
transparency in the oversight of cybersecurity risks of publicly traded
companies. The bill would require publicly traded companies to disclose the
cybersecurity expertise of any members of the Board or general partner "in
such detail as necessary to fully describe the nature of the expertise or
experience". If none have such experience as designated by NIST or the
Securities and Exchange Commission, the company would have to describe the
cybersecurity measures they have taken for identifying and nominating
future nominees to the Board. Given the risk of not having such expertise
on the Board in the current day and age, investors would no doubt read
these types of reports closely. The same bill was introduced back in 2015
though, so while its passage is far from clear, it does point to the
increasing scrutiny from lawmakers on corporate boards in relation to

Another bill that could be keeping C-Suite executives up at night is the
potential for criminal action. A U.S. Senate bill would criminalize
failures to report data breaches. The Data Security and Breach Notification
Act, filed by three Democratic Senators, was recently introduced and calls
for the FTC to develop security standards and procedures for businesses.
Some industries, such as healthcare providers and insurers under HIPAA,
already have many of these responsibilities.

These pieces of legislation point to areas where corporate boards should
already be advancing. The most recent edition of the National Association
of Corporate Directors’ Cyberrisk Handbook, which set out five core
cybersecurity principles for board members of public companies, private
companies, and nonprofit organizations in every industry sector, highlights
the importance of having cybersecurity expertise – both in-house and
externally. As a New Year’s resolution that businesses should keep, this
should be a top priority.