This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, and In-House Counsel.
In 2018, global privacy and data breach laws took effect across Europe in the form of the General Data Protection Regulation (GDPR), in Canada as the Breach of Security Safeguards Regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA), and in the United States with the California Consumer Privacy Act of 2018 (CCPA). In 2019, each set of regulations and laws will continue to define how businesses collect and use consumer data, and their obligations to protect this data from misuse, theft or exposure to unauthorized parties.
There are subtle but important differences between compliance, privacy and security. All three are related and overlap to some extent, but each has a specific purpose. Compliance regulations are guard rails that serve to protect the public interest from unethical, negligent or illegal activity within a corporate function or a given industry. Think of Sarbanes-Oxley rules that oversee and standardize corporate financial reporting, or Securities and Exchange Commission (SEC) rules around trading on public markets. Privacy regulations, on the other hand, are about keeping non-public information from exposure and protecting an individual's assumed right to purchase products and services without their information — be it financial, political or demographic — being misused or exposed to criminal elements that can leverage it for financial gain at the expense of the affected consumer. Compliance and privacy are perhaps fraternal twins, whereas security is their cousin. Security regulations are designed to detect misuse at the hands of insider practitioners, and to keep outsiders, such as criminals, from infiltrating business environments and stealing or manipulating privileged information.
There are, of course, the settlements issued by the Office for Civil Rights (OCR) for infractions of the Health Insurance Portability and Accountability Act (HIPAA), and other data breach settlements such as Uber's, which paid $148 million in a settlement to the state of New York. But let’s focus on a few of the marquee compliance, privacy and security regulations.
In early 2018, the SEC updated its regulations to include rules that define how funds disclose cybersecurity risks to investors. The new guidelines also include provisions for notifying senior management so they can determine whether a data breach is material and whether investors should be notified. Perhaps more importantly, the new rules created a blackout window following the discovery of a cybersecurity event to prevent insider trading. These updates came on the heels of the Equifax data breach and the discovery that three executives had traded large volumes of stock shortly before the public notification, but after the company was aware of the breach.
Also in the realm of financial services, the New York Department of Financial Services (DFS) continues to roll out its Cybersecurity Regulations (NYCRR500), perhaps the gold standard in prescriptive security regulation. January 2018 introduced the first round of annual written compliance notification to the DFS superintendent and the 72-hour cybersecurity event notification requirement. Both rules are designed to create transparency in the event of a material data breach and, through legal attestation, to hold officers of the company legally accountable for the security posture of the firm and for reporting security events that could harm their clients. The rules go further and tighten board reporting mechanisms, annual security testing and other security protocols designed to harden financial cyber defenses. The last tranche of DFS cybersecurity rules gets the green light this year.
The greatest tectonic shift in compliance and privacy rules came in May, when the European Union General Data Protection Regulation (GDPR) came into effect. GDPR imposes strict obligations on data controllers (those that collect and determine the use of data) and data processors (those that store or manipulate data on behalf of data controllers), while simultaneously offering more guidance on appropriate security standards. GDPR also mandates a 72-hour breach notification guideline, which is more stringent than most state-level notification clauses that use terms like “reasonable and timely.” Moreover, these rules give consumers the right to know what information is collected and for what purpose, and the right to be forgotten. Failure to comply with GDPR brings the heftiest fines, of up to 4% of a non-compliant firm’s worldwide revenue.
Commitment to compliance in Europe and in other countries that control European citizen data is questionable, with no consensus, and is yet to be tested in the courts. The recent Marriott breach, discovered in September yet not reported until the end of November, will surely test these rules and the EU privacy commissioners’ resolve to enforce the 72-hour notification articles.
In November, the Canadian Breach of Security Safeguards Regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force, mandating notification requirements triggered by the discovery of a significant data breach. Under the new regulations, organizations that experience a data breach must conduct a risk assessment to determine whether the breach poses a real risk of significant harm to any individuals whose information was exposed, and then notify “as soon as feasible” the Privacy Commissioner, the affected individuals and any other agency (think law enforcement) that might mitigate harm to those affected. Violations of the Act can yield fines of up to $100,000.
Although it does not take effect until January 2020, the California Consumer Privacy Act (CCPA), voted into law in 2018, is the Plymouth Rock of privacy in the United States. The law cites the tens of millions of people whose personal data was misused by the data mining firm Cambridge Analytica, a greater desire to heighten data privacy controls and transparency of data practices, and the people’s desire for privacy and more control over their information. The Act provides specific provisions around full disclosure regarding the collection of personal information (including its sources, its purpose and whether the data is disclosed or sold to another party). It also provides the right to be deleted (like the GDPR right to be forgotten) and wraps these rights in a guarantee of equal service and pricing even if the individual exercises his or her rights under the Act (the net neutrality of privacy). The Act is enforced with penalties of up to $100-$750 USD per consumer (per violation). That puts settlements in the sphere of GDPR penalties.
Study Warns of Major Cyber Attack
In a recent independent study of 1,250 global security and business leaders, CEOs, board members and technical executives unanimously predict a major cyber attack in the next two to five years. Over 60% of respondents assume a major event will occur. Business leaders now fear the consequences of a major cyber attack more than regulatory retaliation. Operational disruption and reputational damage are of greater concern than potential financial losses and regulatory penalties. This trend reflects a shift from a compliance-centric security approach (avoiding punishment) to a more self-actualized mindset determined to reduce the risk of business-altering outcomes in order to protect the organization, its investors and its clients.
As a result, the idea that “the CISO is the least interesting person to the board, until they are the most important person” is a thing of the past. Most boards are now strongly familiar with security budgets, strategies and policies, technologies, and current security and privacy risks. Line of sight to the board is also direct. Almost half of the surveyed security officers report to the board or CEO, a third report to the CIO (which is problematic), and a small handful now report to a privacy or data officer.
Privacy in 2019
Perhaps the greatest innovation of the 21st century is turning the consumer into the product. In a connected world of Apple, Google, Amazon, Facebook and others, consumer preferences and behaviors are the raw materials for big data analytics that become a commodity for sale. As we’ve seen before, compliance and regulation often play catch-up to technical innovation. In 2018, compliance turned to focus more on privacy, perhaps as the counterbalance to a new economy in which “the consumer is the product.” 2018 was the year when privacy commissions and industry regulators moved their chess pieces into place. 2019 and beyond will see industry pawns sacrificed to send a message to the cardinals and royalty of the corporate world. The message: privacy and data responsibility must be as important to the officers of a business as profitability is to its investors. As such, privacy and compliance blur together, and security becomes the guardian, keeping the others in check.
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark’s role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves on the Board of Editors of Cybersecurity Law & Strategy and as a member of the LegalSec Council with the International Legal Technology Association (ILTA). He can be reached at firstname.lastname@example.org.