Cybersecurity: The Law and Regulatory Framework
Cybersecurity law is a patchwork of global statutes and regulations. Unfortunately, Congress has failed to act in this area, leaving the EU and US States to “lead.” As a result, companies are often required to follow the lowest (or highest) common denominator, depending on your perspective.
At the US federal level, specific industries are subject to requirements for protecting sensitive personal information. The Health Insurance Portability and Accountability Act (“HIPAA”) imposes a number of detailed requirements on healthcare providers and related parties when handling personal healthcare information (“PHI”). The Fair Credit Reporting Act (“FCRA”) provides consumers with certain privacy rights governing their financial data. And the Gramm-Leach-Bliley Act gives banking customers certain privacy rights relating to banking data.
The Federal Trade Commission has sought to exercise authority over data privacy rights relying on its Section 5 powers. The FTC’s authority over data privacy requirements has been challenged by LabMD in a pending case in the US Court of Appeals for the 11th Circuit. Oral argument was heard in the appeal and the case is pending. (Audio recording here).
Cybersecurity, data privacy and breach notification requirements have fallen to the US States. The New York Department of Financial Services has imposed the most comprehensive set of cybersecurity requirements under its regulatory authority over covered entities. The regulations are fairly comprehensive and establish strong requirements for an organization to address cybersecurity issues. (See regulations here).
Going forward, the most significant development in the data privacy arena is the implementation date for the EU’s General Data Protection Regulation (“GDPR”). The EU’s leadership in this area will have a resounding impact on US global companies that collect EU citizen data. Asia-Pacific governments are quickly following the EU’s lead, including Australia, Japan and South Korea.
In 2018, the EU is likely to send an enforcement message by bringing one or more major enforcement actions to reinforce its authority to fine companies a maximum of 4 percent of worldwide annual revenues or $23.8 million. Of course, any enforcement action is likely to result in collateral consequences such as US-filed class action lawsuits.
Aside from these legal and regulatory requirements, companies should examine voluntary industry standards developed in public-private collaboration under the National Institute of Standards and Technology Cybersecurity Framework. (See here).
Congress’ failure to harmonize federal and state cybersecurity laws and regulations is a continuing problem. Until it acts, companies will continue to operate under a patchwork of requirements, leaving the governing standards under the control and influence of the EU and New York State.
Even without any specific regulatory requirements, companies face mortal risks to their operations and reputation. Given this reality, companies will not ignore cybersecurity requirements, because of both the existing threat and stakeholder interests. Companies that fail to act, however, do so at their peril in today’s increasingly risky environment.
Company compliance programs have to add this issue to the list of risks, elevate it to a top concern, and build out tools needed to mitigate risks.