This article is a good summary of the challenges for cyber security law in the US market in 2018.
These cases and bills highlight the fact that the patchwork of old laws and regulations – across the United States and across every industry – are having a difficult time keeping up with rapidly developing technology, particularly when they have to balance privacy rights with law enforcement needs. This year, some of the biggest issues to watch will be data disclosures to law enforcement, civil liability for data breaches, and board-level responsibility for data security.
The proper balance with data disclosures
Already, technology, media and telecommunications companies that store personal information receive a large number of law enforcement requests to disclose individuals’ information every year. The question of the proper boundaries for an individual’s expectation of privacy in the digital age versus the burden of proof necessary by law enforcement before requesting personal data has been a contentious issue. Two cases before the Supreme Court may shed new light and provide practical guidance for companies.
The first case, Carpenter v. United States, will be another milestone in the evolving debate over whether existing Constitutional jurisprudence is sufficient or whether new law is needed to address this technology-induced tension. One of the main issues in this case is what burden of proof police need to obtain personal data from companies.
As background on the case, a 1979 Supreme Court case gave some structure to the process required under the Fourth Amendment for law enforcement to compel third parties to disclose information they possessed about an individual. At that time, these third parties would have included the likes of banks (with account information and transaction dates and amounts) and telephone companies (with the numbers dialed or phone numbers from which an individual received calls at what dates and times).
Under the Fourth Amendment, when an individual was willingly give her personal information to these third parties – such as by dialing a phone number and having it routed through a telecommunications company – the individual relinquished privacy rights to it (because individuals do not control what telecommunications operators do with that information). Law enforcement could obtain an individual’s information from the third party without asking the user through a legal process that is less rigorous than a search warrant, which requires approval from a magistrate judge. Under the Stored Communications Act of 1986, law enforcement could obtain such data by affirming that the information would be relevant or material to an ongoing case.
In the new digital era, third parties hold an exponentially larger amount of personal information relating to their users, from search engine data to geo-locating functions in smart phones or connected cars. A very legitimate tension therefore exists in the digital era where everyone stores a large amount of personal information in interconnected devices and apps instead of on paper records. While that information must be free from unreasonable searches and seizures by the government, law enforcement also must have the ability to carry out its obligation to investigate crimes, including to legally obtain digital data that criminals intentionally attempt to hide in mobile devices.
In Microsoft v. United States, the Government has asked the Supreme Court to overturn a Second Circuit ruling that barred law enforcement from being able to obtain user data stored overseas by using a U.S. search warrant. The Government argues that this restriction would be almost insurmountably detrimental to law enforcement investigations because criminals’ information stored by U.S. companies that happens to use cloud storage on servers outside the country. Microsoft, on the other hand, contends that the Government has no jurisdiction over data held in overseas data centers physically located in other sovereign nations even if that data relates solely to American users (in this case, the data in question is customer email content stored in Ireland as part of a drug investigation). While Microsoft points out that the U.S. government could use an international process for requesting the evidence from Ireland under a Mutual Legal Assistance Treaty (MLAT), the MLAT process is generally a drawn-out and sometimes inefficient process that does not meet more urgent needs of law enforcement investigations. Ireland, the UK and the European Commission have now all submitted amicus briefs in the case.
The decision in both cases will inform how companies should respond to data access requests. Businesses more than ever need a clear path forward that balances their need to prove to customers that they are keeping data private and secure, while also supporting the investigations of law enforcement agencies when it concerns valid concerns.
The next big cybersecurity issue to watch this year will be on civil liability for data breaches. We live in an era in which an increasing number of companies have been hit with cyberattacks while others have had employees lose a USB stick containing unencrypted customer data, for example. Because of this, the link between a certain data incident and fraudulent activity (which may or may not lead to concrete harm) is becoming murky. Enter the fray class actions in which plaintiffs allege that they were harmed by having their data stolen in a security incident because they now face the risk of future harm that may (or may not) occur due to the breach. According to Article III of the Constitution, plaintiffs can only bring a case to court if harm was suffered and they are the actual party that suffered harm (called having “standing” to sue).
CareFirst has petitioned the Supreme Court to review a DC Circuit’s ruling in CareFirst Inc. v. Attias on future harm and informational injury following a 2014 data breach. A class action was brought against the health insurer claiming future harm that could result from the breach. Following the ruling in Spokeo v. Robins in 2016, which found that a plaintiff must affirmatively plead particularized and concrete injury to establish Article III standing, several Circuits have split on the issue of whether potential future harm was enough to constitute standing. With the rise of cyberattacks and data breaches, this case will have wide-ranging ramifications for any business that holds personal data as well as cyber insurers.
The Federal Trade Commission has recently held a public meeting on “consumer informational injury”. As the FTC seeks to expand its role in data security and privacy enforcement, particularly recently in relation to the Internet of Things products, onlookers will be watching closely to assess the Commission’s stance on potential future harm.
The legal fallout from the Equifax breach will also have important ramifications in this area. After a rare class action was filed in 50 states against the credit monitoring agency, the Independent Community Bankers of America, on behalf of thousands of community banks, has also filed a class action in November in the District Court for the Northern District of Georgia. This case again brings up the issue of whether the simple threat of future harm – as opposed to alleging that actual harm has already been suffered – is sufficient to establish Article III standing.
Potential relief from liability
On the bright side for data breach victim organizations, a proposed state bill in Ohio could pave the way for shielding businesses from law suits following data breaches if the organization can demonstrate that its cybersecurity program meets certain industry standards. Ohio Senate Bill 220 would create a ‘safe harbor’ for businesses if they comply with the NIST Cybersecurity Framework or certain other standards. The bill specifically mentions NIST 800-171, 800-53, the ISO 27000 family, the Center for Internet Security (CIS) critical security controls, Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Modernization Act (FISMA).
If other states start to follow suit, this could help to protect businesses that have legitimately taken reasonable steps to protect personal data appropriate for their particular situation, but who were ultimately still victims of an attack.
Lawmakers look to the board
In the wake of a large number of high-profile breaches last year, scrutiny is now turning more and more to senior executives and the Board. In the current day and age, customers or clients and shareholders have a reasonable expectation that data privacy and cybersecurity will be a major consideration for every company, big or small, regardless of the sector they are in. Lawmakers are also starting to scrutinize the company leaders with the expectation for stewardship in this area.
The Cybersecurity Disclosure Act of 2017 (S.536) aims to promote to promote transparency in the oversight of cybersecurity risks of publicly traded companies. The bill would require publicly traded companies to disclose the cybersecurity expertise of any members of the Board or general partner “in such detail as necessary to fully describe the nature of the expertise or experience”. If none have such experience as designated by NIST or the Securities and Exchange Commission, the company would have to describe the cybersecurity measures they have taken for identifying and nominating future nominees to the Board. Given the risk of not having such expertise on the Board in the current day and age, investors would no doubt read these types of reports closely. The same bill was introduced back in 2015 though, so while its passage is far from clear, it does point to the increasing scrutiny from lawmakers on corporate boards in relation to cybersecurity.
Another bill that could be keeping C-Suite executives up at night is the potential for criminal action. A U.S. Senate bill would criminalize failures to report data breaches. The Data Security and Breach Notification Act, filed by three Democratic Senators, was recently introduced and calls for the FTC to develop security standards and procedures for businesses. Some industries, such as healthcare providers and insurers under HIPAA, already have many of these responsibilities.
These pieces of legislation point to areas where corporate boards should already be advancing. The most recent edition of the National Association of Corporate Directors’ Cyberrisk Handbook, which set out five core cybersecurity principles for board members of public companies, private companies, and nonprofit organizations in every industry sector, highlights the importance of having cybersecurity expertise – both in-house and externally. As a New Year’s resolution that businesses should keep, this should be a top priority.