BreachExchange mailing list archives
A bird’s eye view of the legal landscape for cybersecurity
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Jun 2015 17:38:54 -0600
http://www.insidecounsel.com/2015/06/29/a-birds-eye-view-of-the-legal-landscape-for-cybers

Anyone tasked with responsibility for enterprise cybersecurity has to consider a legal and compliance landscape that is evolving and growing in complexity. Cybersecurity planning and implementation potentially implicates a broad range of federal and state laws, regulatory rules and guidelines, standards, and other forms of published guidance that could impact legal risk. In this piece, we sketch out the topography of the legal landscape for enterprise cybersecurity from a high altitude.

Businesses in certain industries, such as financial services or healthcare, are governed by specific regulations pertaining to cybersecurity. These regulations, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), target categories of data and prescribe required protections, at least in broad terms. However, even outside of these industries and their specialized laws, e.g., GLBA or HIPAA, regulators like the Federal Trade Commission (FTC) have asserted broad authority to deal with “unfair” or “deceptive” trade practices. The FTC has determined that insufficient cybersecurity, whether in relation to specific claims about the nature of such security or not, can be a matter within its jurisdiction, and has issued numerous opinions outlining aspects of what it considers reasonable when it comes to cybersecurity. The measures it has identified are not exactly revelatory, in that they do not state new methods or technology hitherto unseen in cybersecurity literature. Such measures include, for example, having written security policies or using readily available technology such as firewalls or software patches.
However, the terminology the FTC deploys and the choices in terms of the features of cybersecurity emphasized by the FTC mean that businesses need to pay special attention to whether and how their cybersecurity program fits with the FTC’s characterizations of adequate cybersecurity.

Apart from what specific regulatory authorities like the FTC have to say, there is the more nebulous issue of civil liability for breaches of common law duties of care, express and implied contractual obligations, state consumer protection laws, and other kinds of general legal obligations that can be implicated by cybersecurity problems. Every time there is a publicly reported data breach, an avalanche of class actions follows. The jurisprudence in this realm is in an early developmental stage, but the potential civil liability risk means that businesses need to try to anticipate whether they are appropriately protecting their information assets in the eyes of potential plaintiffs (anyone who could be harmed by a data breach).

There are many sources to point to in looking for cybersecurity behavioral standards that could be applied in such legal contexts and many of them overlap, but they use different language and speak to different aspects of cybersecurity in ways that lawyers will inevitably distinguish or compare depending on what side they are representing in any particular case. An emerging favorite is the National Institute of Standards and Technology (NIST) cybersecurity framework. Even within this framework, there is considerable room for flexibility in applying its concepts to a cybersecurity program. Expect the NIST framework to be presented in court in some fashion as a standard by which to measure the reasonableness of a party’s cybersecurity efforts for legal liability purposes. Other examples of standards bodies whose published guidance may end up proposed by litigants as legal benchmarks include the International Organization for Standardization (ISO) and ISACA.
States have generally enacted breach disclosure laws, consideration of which should be integrated into incident response plans. While we are all awaiting a federal law to make things in this regard more uniform, for the time being we are stuck with the patchwork — and there are a lot of patches. The capabilities and processes necessary to facilitate compliance with each relevant state’s laws have to be part of the cybersecurity compliance calculus as well.

Laws that protect data privacy are effectively laws about cybersecurity, given that protection of data is what cybersecurity is all about. In other words, there is no privacy without security; without security, privacy is merely an abstraction. Data privacy laws take many forms in the U.S., both federal and state, but outside the U.S. they have even greater primacy and pervasiveness. A cybersecurity program takes all relevant data privacy laws into account and provides for the protections necessary to appropriately reduce the risk of non-compliance.

The idea of legal standards for cybersecurity behavior is gaining attention as businesses try to figure out how and where to allocate resources for cybersecurity. With each major data breach and inevitably following class action lawsuit, the questions about how to measure cybersecurity behavior in terms of legal compliance grow. The reality is that this is an area that will develop gradually over time as the potential sources of standards and guidance emerge, develop, and are applied in particular situations. For those with responsibility for planning and implementing cybersecurity, a big picture perspective on the legal compliance landscape can help organize the effort and direct the flow of resources into appropriate implementation of in-depth cyber-defense.