Bates Research - 04-12-18
Government Response (and Tension) in the Continuing Cyber War on Data
Part 2 of 2 – This is the second in a two-part series looking at the current state of cyber protections in light of recent hacks, data breaches, and cyberwarfare.
Congress has become increasingly sensitive to high-profile data breaches. The most recent legislative initiatives drawing attention in the House of Representatives are the “Data Acquisition and Technology Accountability and Security Act” (“DATAS Act”) and the “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017” (“PROTECT Act”). The proposals would establish general standards for data protection and create common notification requirements in the event of a breach. Originally proposed last year, they would also address a number of concerns regarding the security of consumers’ credit reports, inspired by the Equifax breach. (The House bills cover similar territory to a Senate bill introduced last year called the Data Security and Breach Notification Act – S.2179.)
Advocates supporting and opposing the legislation were both present at a hearing before the House Financial Services Committee in early March. The Financial Services Roundtable urged the adoption of nationwide breach standards “to better protect consumers and their sensitive financial information.” A majority of State Attorneys General, however, argued against the passage of the proposed rules, stating, “It would be greatly detrimental to have federal regulations that preempt state data security and state data breach laws.” The opposing viewpoints, based on a federal/state divide, raise the biggest obstacle to a common workable regime, suggesting that there is a long road to travel before a unifying cybersecurity framework can be established.
State Action and New York Leadership
At the House hearing, Subcommittee Chair Blaine Luetkemeyer (R-Mo) reiterated the issue: “[f]orty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted differing laws requiring private companies to notify individuals of breaches of personal information.” He called for “a national solution to create data security safeguards and responsible notification processes.” The Director of Data Privacy & Security in the Massachusetts Attorney General’s office, Sarah Cable, made clear that such a prescription was not shared by the states. Ms. Cable testified: “Congress should not expose American consumers to increased risks as a result of a new, less stringent national standard.” She asserted that the proposed bill “strips the state Attorneys General of the authority they are presently and actively using to protect their consumers from breaches, and hamstrings efforts of the States to enact laws in response to future risks in an era of increasing and rapidly evolving technology.”
Whether the issue is framed as the states stepping into the cyber-vacuum of federal inaction, or that the states are creating so much confusion that the federal government must preempt with comprehensive legislation, the recent headlines demonstrate that the cybersecurity threat is growing.
Among the states, New York is taking the lead. At a press conference on March 28, New York Attorney General Eric Schneiderman asserted that “part of the need for New York to step up on such measures was because of the federal government’s retreat from aggressively investigating big companies.” He made the case that 1,583 data breaches were reported in 2017, up 23% from the year before. Of the 163 million people affected in the United States, he noted 9.2 million of them were New Yorkers.
Attorney General Schneiderman said his office is in the midst of investigations into Equifax and has joined the Massachusetts Attorney General in an investigation into Cambridge Analytica. He said he would support the introduction of state legislation “to require companies like Facebook and other social media sites to notify his office and New York consumers when they learn that users’ personal information was misused.”
Also recently, the New York Department of Financial Services (“NYDFS”) issued additional FAQs defining the scope of its 2017 cybersecurity regulations. (See here for the complete set of FAQs on NYDFS cybersecurity.) The regulations, which went into effect on March 1, 2017, apply to any person or entity licensed or otherwise operating under an authorization under the New York Banking, Insurance, or Financial Services Laws. The regulations are broad, and require covered entities to implement security safeguards, protect consumer data privacy, provide oversight of information technology operations, and assess cybersecurity vulnerabilities on an ongoing basis. The adoption of the regulations extended the NYDFS regulatory authority dramatically.
Last month, the SEC issued interpretive guidance intended to help public companies prepare disclosure statements about cybersecurity risks and incidents.
The new guidance emphasizes the importance to firms of developing and maintaining cybersecurity policies and procedures. The SEC advised that firms must maintain disclosure controls to ensure that information about cybersecurity risks and incidents is processed and reported quickly and accurately to senior management.
The Equifax breach gave impetus to state and federal regulatory and legislative initiatives that have yet to fully materialize. It is likely that recent events, the Facebook breach in particular, will have the same kind of effect. Senators and Representatives at televised hearings are already asking Facebook CEO Mark Zuckerberg to support new national legislation. As a result, the current environment requires firms to anticipate and prepare for changing circumstances that are themselves affected by high-profile breaches. Firms should regularly re-assess their cyber-related risks and develop an ongoing testing program as part of their cybersecurity protocols. Along with risk assessment and testing, firms should consider executing desktop exercises to further identify risks and opportunities to enhance their cybersecurity.
Bates Compliance Solutions Managing Director Robert Lavigne notes: “There is a presumption among some in the industry that the overwhelming attention given to these high-profile data breaches will eventually result in a coherent framework that will provide some certainty to firms on how to stave off a breach in the first instance, or how to deal with such a breach effectively, if and when it occurs. That is a mistake. It is getting harder to know exactly what to do in the event of a breach. It increasingly depends on accurately assessing the nature of it at an early stage. Not only do compliance and risk officers have to contend with the reality of a growing threat that is becoming more sophisticated and diversified, they also have to deal with the multiplicity of rules, reporting requirements and guidance coming from a slew of federal and state regulatory agencies.”
It may be that the evolution of the threat will always outpace regulators’ ability to contain it. Bates will continue to stay on top of developments as they occur.