Exclusive Q&A on Cyber Security Law with Bret Cohen

Who are the main regulators and what are the key legislations that apply to the cybersecurity in your jurisdiction?
 
In the United States, cybersecurity laws are tied to specific data types that are deemed to be particularly sensitive.  For example, there are laws regulating the security of health information, financial information, payment card information, student information, government identifiers, children’s online information, credit report information, and online account information. 
 
The regulators of these laws vary, depending on the type of data at issue, and include both federal sector-specific regulators as well as state regulators.  Perhaps the most prominent regulator of cybersecurity laws is the Federal Trade Commission (“FTC”), the primary consumer protection regulator in the United States.  Under Section 5 of the FTC Act, the FTC has the ability to prohibit “unfair” or “deceptive” trade practices.  The FTC considers the failure to maintain reasonable and appropriate measures to secure sensitive consumer data to be an “unfair” practice, and false promises of cybersecurity for such data (for example, in a privacy notice or in advertising) to be a “deceptive” practice.  States have enacted laws similar to the FTC Act, so state attorneys general have similar regulatory authority.
 
Another prominent set of cybersecurity laws in the United States are breach notification laws.  Forty-eight of the fifty states and a number of US territories have enacted these laws, which require entities to notify individuals, and in some cases state regulators, when they have experienced a breach of sensitive information.  Each state defines the information covered by its breach notification laws differently, and have different thresholds for reporting, so it is a complicated exercise to determine a company’s obligations if it has experienced a breach of the personal data of residents of multiple states.
 
A number of states have also enacted laws requiring entities to maintain certain minimum cybersecurity standards for categories of certain sensitive categories of information about residents of their states, including the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth.
 
Have there been any recent regulatory changes or interesting developments?
 
New Mexico recently became the forty-eighth state to enact a breach notification law.  Connecticut enacted a law requiring that stringent security measures be applied by companies who educational services to students in the state.
 
In 2015, Congress enacted the Cybersecurity Information Sharing Act (“CISA”), which facilitates the sharing of information about cybersecurity threats between private companies and the US government.  Among other things, CISA effectively provides private entities with immunity from liability for monitoring of their information systems for cybersecurity threats in accordance with CISA.
 
How can companies best prepare for compliance towards the recently signed General Data Protection Regulation (GDPR)? As the new rules do not enter into effect until 2018, is it too early to start taking action now?
 
It is not too early to start taking action now.  There is only a year left until the GDPR takes effect, and many companies in the United States will be newly subject to the GDPR due to its new jurisdictional provisions, which regulate any personal data collected in the provision of services to the EU regardless of the location of the company.   Fines under the GDPR are significant: for certain violations, up to 4% of a company’s global annual turnover, or €20,000,000, whichever is higher.
 
Cybersecurity is a key component of GDPR compliance.  Both controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of cybersecurity appropriate to the risks posed to personal data that they process.  And the GDPR introduces new breach notification requirements, obligating controllers to notify breaches of personal data to supervisory authorities without undue delay and, where feasible, not later than 72 hours after having become aware of a breach.  Notification of breaches to individuals is required in certain circumstances as well.
 
What are the key factors when building an information security strategic plan?
 
Information security starts with people.  So the first key factor when building an information security should be to identify the individual or individuals responsible for the design, implementation, and oversight of the program.  The organization should then take stock of the information it maintains, the sensitivity of that information, and the types and variety of systems and repositories where the information is stored. 
 
Armed with this information, the organization should conduct a security risk assessment, identifying the key risks to the security of the information.  It should then design and implement security controls, policies, and procedures tailored to mitigating those risks, taking into account the sensitivity of the information and a reasonable budget for those controls.   Significant new products, systems, or features should undergo a security review before they are implemented.  Once the security program is up and running, the organization should train its personnel responsible for implementing the program, and should audit for compliance with its security controls, policies, and procedures, and make sure that any gaps are remediated.
 
But that is not the end.  An organization will always be facing new cybersecurity risks, new laws and regulations will be enacted, and key personnel will turn over.  Therefore, the team responsible for running the security program should repeat this process on a regular basis.
 
How does implementing effective protective monitoring help mitigate risks?
 
Protective monitoring is a crucial component of an effective information security plan.  Three factors have increased this risk in recent years.  First, as technology has improved, more of it has become internet-connected, creating a greater attack surface for potential intruders or from which data may leak.  Second, as organizations have moved more of their data to the cloud for greater accessibility, cheaper cost, and to outsource security, systems have become more distributed, creating a greater attack surface.  Finally, attackers have gotten better at directing automated, remote attacks at networks, to the point where certain internet-connected systems are almost constantly being probed for vulnerabilities.  In this landscape, in order to mitigate risks it is almost necessary to proactively monitor for intrusions.
 
Regulators and courts have realized this, and proactive monitoring has been incorporated into the applicable standards of care.  For example, in one enforcement action, the FTC claimed that a business did not maintain reasonable security measures to protect sensitive consumer information in part by failing to maintain an intrusion detection system and by not monitoring system logs for suspicious activity.  In this respect, implementing effective protective monitoring both mitigates security risks and legal risks.
 
What measures can be implemented to help minimise risk following a security breach?
 
The best way to minimize risk following a security breach is to plan ahead:  by having an effective incident response and remediation plan, by designating a team to be responsible for leading the response, and by training the team on responding in accordance with the plan.
 
There are a number of components of an effective incident response plan.  The primary goal should be to contain and control the incident, in line with standard technological best practices.  Once the incident is controlled, the organization should preserve evidence and determine the cause, nature, and scope of the incident; analyze the legal implications of the incident; and develop a communications strategy for affected individuals, media, and regulators.  Once the dust has settled, the organization should conduct a post-breach review, assessing what changes should be made to security controls and incident response practices to mitigate future risks
 
There are a number of steps that an organization can take ahead of time to make this process go more smoothly.  For example, it can pre-negotiate deals with incident response vendors, call center vendors, and other organizations that can be on call in the event of an incident.  It can maintain a list of contractual incident notification requirements, so that it can navigate these more easily during an incident.  And importantly, organizations can develop a protocol on when to involve legal counsel in an incident investigation, so that communications about the incident can be subject to the attorney-client privilege.
 
Has the trend in outsourcing certain security functions and the increasing reliance upon cloud computing and storage made it more challenging to protect private data?
 
The trend toward cloud computing and storage has made more challenging to protect private data in some respects, and in some respects easier. 
 
Inherent in the cloud computing model is distributing control over organizational data, and relying on third parties to maintain the security of that data.  Adding additional access points for the data creates a greater attack surface for malicious actors.  Risks are also introduced in the transfer of data between the company and cloud provider.
 
That said, one of key drivers toward the use of cloud providers is the ability of those providers to provide better security, in many instances more cheaply than organizations would be able to secure the data themselves.  In that respect, some organizations may increase the security of their private data by utilizing a cloud provider or an outsourced security function.
 
How is technological innovation – such as drones, wearable devices, cognitive thinking and the Internet of Things – altering the cybersecurity landscape?
 
The key technological innovation impacting the cybersecurity landscape is the proliferation of Internet-connected devices in the the Internet of Things (“IoT”).  Consumers often prioritize convenience and speed over cybersecurity, so in many cases IoT products often go to market without basic security controls.  For example, the Mirai malware searches the internet for and compromises Internet-connected devices running outdated versions of certain operating systems – such as security cameras and DVD players – and uses those compromised devices to launch attacks on others.
 
In the near future, many of the electronic devices that we use on a daily basis – and that will be incorporated into the modern workplace – will be connected to the Internet.  If these devices are not appropriately secured, or can be used to penetrate corporate networks, they will lead to a weakness in cybersecurity protections overall, particularly if there are no non-Internet-connected options available.
 
Who or what is the main threat to a company’s security?
 
The main threat to a company’s security is its personnel; and not necessarily intentional, insider threats.  Even the best cybersecurity protections can be overcome if they are not set up properly, or if personnel do not comply with company policies and procedures. 
 
Cybersecurity threats are constantly evolving, and bad actors look to take advantage of unsuspecting or naïve employees.  For example, there has been an increase in phishing threats over the last few years, through which hackers seek to induce employees to click on a malicious link or open an infected attachment, which permits the hackers to compromise the network.  Cybersecurity controls are often circumvented or ignored for convenience.  For all of these reasons, it is imperative to train personnel on cybersecurity policies and procedures, and to refresh that training on a regular basis, in particular with respect to key threats.

Bret Cohen practices in the areas of privacy, cyber security and consumer protection. With a particular focus on the internet and e-commerce, Bret has advised extensively on legal issues related to cloud computing, social media, mobile applications, online tracking and analytics, and software development. He counsels and is a frequent speaker on strategic compliance with global privacy laws, including cross-border transfer restrictions, data localization requirements, and the impact of government surveillance on the digital economy.

Bret also spearheads efforts on cybersecurity incident preparedness and response, student privacy, marketing privacy, and workplace privacy.

Bret can be contacted on +1 202 637 8867 or by email at bret.cohen@hoganlovells.com