As we begin 2018, there are two key issues that are top of mind for legal professionals right now–cybersecurity and the General Data Protection Regulation (GDPR).
GDPR is a substantial new privacy and data security law. The rollout and interpretation of it will cause widespread legal uncertainty and controversy, and the controversy will be especially acute when a company suffers a data breach. GDPR applies to a surprisingly broad range of companies, including any that sells products or services to consumers in the EU, regardless of whether the company has a physical presence there.
Benjamin Wright, attorney and SANS Institute instructor of law of data security and investigations, recently sat down with Inside Counsel to discuss the steps organizations can take to help manage their legal risk as well as General Data Protection Regulation, which goes into effect May 25. In addition to his legal work, Wright is the LEG523: Law of Data Security and Investigations course author and instructor with the SANS Institute
“The law of cybersecurity is in turmoil,” he said. “Ransomware, data breaches and other cyber crises happen every day, but the legal implications of these events are confusing and hard to predict.”
Our society has become a digital society, so value is now stored and exchanged through digital networks. Criminals constantly try to break into those networks to steal money, private data and confidential information and they attack digital networks to prevent them from functioning. So government and private investigators now focus on digital information to uncover truth and resolve disputes. Cybersecurity has become central to the effective function of digital networks and the protection of data in them.
“The value in digital networks is growing ever greater in 2018,” Wright explained. “In 2017 we witnessed spectacular attacks and breaches, such as Equifax, WannaCry and NotPetya. Law firm networks have recently been breached for the purpose of stealing sensitive information. We have every reason to believe this rising trend in attacks and breaches will continue.”
Historically, cybersecurity law is new–many different authorities, federal, state, foreign and private sector, are stating different rules and standards for cybersecurity. But the rules that seemed to make sense a decade ago don’t seem to make so much sense today, according to Wright.
“For example, earlier laws requiring data breach notices said essentially you had to give notice if you had reason to believe security of consumer data was compromised,” he said. “But that standard turned out to be impractical. More recent breach notice laws say you have to give notice if a security incident presents a significant risk of harm to consumers.”
Unfortunately, computer security is very difficult to sustain in practice. In encryption, for instance, common belief is that if you just encrypt data it is secure. However, according to Wright, encryption is hard to sustain over time because encryption keys are hard to manage as months and years go by.
Additionally, computer security events are often governed by many different jurisdictions. A breach at Equifax, for example, can fall simultaneously under federal jurisdiction, plus the jurisdiction of all 50 states, and the jurisdiction of numerous foreign countries. And the authorities in these different jurisdictions rarely speak with a unified voice.
So, what are steps organizations should take to help manage legal risk? According to Wright, counsel should be trained in the topic as well as in how cybersecurity and digital forensics work and what their shortcomings are. To manage cyber legal risk, counsel should be familiar with the use of contracts, policies, terms of service and attorney confidentiality rules.
Today, the greatest impact of GDPR on cybersecurity will be the requirement for organizations to give notice of a data security breach. Until now, the requirements to give notice in Europe were few.
Wright added, “Now, when an organization in EU suffers a breach, it must give notice. This notice will trigger a cascade of hostile investigations, likely concluding with fines. This requirement to give notice motivates organizations to improve their security so they do not suffer a breach.”
Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation and more.