BreachExchange mailing list archives

A bird’s eye view of the legal landscape for cybersecurity


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Jun 2015 17:38:54 -0600

http://www.insidecounsel.com/2015/06/29/a-birds-eye-view-of-the-legal-landscape-for-cybers

Anyone tasked with responsibility for enterprise cybersecurity has to
consider a legal and compliance landscape that is evolving and growing in
complexity. Cybersecurity planning and implementation potentially
implicates a broad range of federal and state laws, regulatory rules and
guidelines, standards, and other forms of published guidance that could
impact legal risk. In this piece, we sketch out the topography of the legal
landscape for enterprise cybersecurity from a high altitude.

Businesses in certain industries, such as financial services or healthcare,
are governed by specific regulations pertaining to cybersecurity. These
regulations, such as the Gramm-Leach-Bliley Act (GLBA) or the Health
Insurance Portability and Accountability Act (HIPAA), target categories of
data and prescribe required protections, at least in broad terms. However,
even outside of these industries and their specialized laws, regulators
like the Federal Trade Commission (FTC) have asserted broad authority to
deal with “unfair” or “deceptive” trade practices.

The FTC has determined that insufficient cybersecurity, whether in relation
to specific claims about the nature of such security or not, can be a
matter within its jurisdiction, and has issued numerous opinions outlining
aspects of what it considers reasonable when it comes to cybersecurity. The
measures it has identified are not exactly revelatory, in that they do not
state new methods or technology hitherto unseen in cybersecurity
literature. Such measures include, for example, having written security
policies or using readily available technology such as firewalls or
software patches. However, the terminology the FTC uses and the features of
cybersecurity it chooses to emphasize mean that businesses need to pay
special attention to whether and how their cybersecurity program fits with
the FTC’s characterizations of adequate cybersecurity.

Apart from what specific regulatory authorities like the FTC have to say,
there is the more nebulous issue of civil liability for breaches of common
law duties of care, express and implied contractual obligations, state
consumer protection laws, and other kinds of general legal obligations that
can be implicated by cybersecurity problems. Every time there is a publicly
reported data breach, an avalanche of class actions follows. The
jurisprudence in this realm is in an early developmental stage, but the
potential civil liability risk means that businesses need to try to
anticipate whether they are appropriately protecting their information
assets in the eyes of potential plaintiffs (anyone who could be harmed by a
data breach).

There are many sources to point to in looking for cybersecurity behavioral
standards that could be applied in such legal contexts and many of them
overlap, but they use different language and speak to different aspects of
cybersecurity in ways that lawyers will inevitably distinguish or compare
depending on what side they are representing in any particular case. An
emerging favorite is the National Institute of Standards and Technology
(NIST) cybersecurity framework. Even within this framework, there is
considerable room for flexibility in applying its concepts to a
cybersecurity program. Expect the NIST framework to be presented in court
in some fashion as a standard by which to measure the reasonableness of a
party’s cybersecurity efforts for legal liability purposes. Other examples
of standards bodies whose published guidance may end up proposed by
litigants as legal benchmarks include the International Organization for
Standardization (ISO) and ISACA.

States have generally enacted breach disclosure laws, consideration of
which should be integrated into incident response plans. While we are all
awaiting a federal law to make things in this regard more uniform, for the
time being we are stuck with the patchwork — and there are a lot of
patches. The capabilities and processes necessary to facilitate compliance
with each relevant state’s laws have to be part of the cybersecurity
compliance calculus as well.

Laws that protect data privacy are effectively laws about cybersecurity,
given that protection of data is what cybersecurity is all about. In other
words, there is no privacy without security; without security, privacy is
merely an abstraction. Data privacy laws take many forms in the U.S., both
federal and state, but outside the U.S. they have even greater primacy and
pervasiveness. A cybersecurity program takes all relevant data privacy laws
into account and provides for the protections necessary to appropriately
reduce the risk of non-compliance.

The idea of legal standards for cybersecurity behavior is gaining attention
as businesses try to figure out how and where to allocate resources for
cybersecurity. With each major data breach and inevitably following class
action lawsuit, the questions about how to measure cybersecurity behavior
in terms of legal compliance grow. The reality is that this is an area that
will develop gradually over time as the potential sources of standards and
guidance emerge, develop, and are applied in particular situations. For
those with responsibility for planning and implementing cybersecurity, a
big picture perspective on the legal compliance landscape can help organize
the effort and direct the flow of resources into appropriate implementation
of in-depth cyber-defense.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
