Data Security Laws and the Rising Cybersecurity Debate
Corey M. Dennis, Governo Law Firm LLC
Ellen M. Giblin, Ashcroft Law Firm
February 7, 2013
Overview
• State Data Security Laws
• Payment Card Industry Data Security Standard
• Federal Data Security Laws
• The Cybersecurity Debate
State Data Security Laws
• Data Breach Notification Laws
  • Enacted in 46 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam
  • Require notification of a data security breach to consumers “in the most expedient time possible” or “without unreasonable delay”
State Data Security Laws
[Slide: state-by-state compliance heat map]
Source: Imation Corp. (http://www.imation.com/en-US/Mobile-Security/Mobile-Security-Products/Secure-Data/-Resources-/Compliance-Heat-Map)
State Data Security Laws
• Data Security Standards
  • Enacted in a minority of states (e.g., MA, CT, RI, CA, OR, MD, NV)
  • Mandate data security standards to safeguard state residents’ personal information
  • Typically require “reasonable security measures”
  • MA data privacy regulations (201 CMR 17.00 et seq.) are among the most burdensome and far-reaching
Payment Card Industry Data Security Standard
• Established by credit card companies (VISA, Mastercard, American Express, Discover)
• Contractually requires merchants to safeguard cardholder data
• Sets forth extensive information security requirements, including:
  • build and maintain a secure network
  • protect cardholder data (e.g., through encryption)
  • regularly monitor and test networks
  • maintain a written information security policy
  • train employees on compliance with data security policies
  • maintain an incident response plan
  • monitor service providers
Federal Data Security Laws
• Fair Credit Reporting Act (“FCRA”)—imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies
• Gramm-Leach-Bliley Act (“GLBA”)—mandates data security requirements for “financial institutions” (broadly defined to include banks, mortgage companies, insurance companies, financial advisors, investment firms, etc.)
• Children’s Online Privacy Protection Act (“COPPA”)—requires covered website operators to maintain reasonable procedures to protect the personal information of children
Federal Data Security Laws
• Health Insurance Portability and Accountability Act (“HIPAA”)—requires health care providers to maintain security standards for protected health information
• Health Information Technology for Economic and Clinical Health (HITECH) Act—strengthens penalties for HIPAA violations and extends HIPAA violation liability to “business associates” to whom protected health information is disclosed
• FTC’s Red Flags Rule—requires financial institutions and creditors holding consumer accounts to maintain a written identity theft prevention program
FTC’s Authority Over Data Security
• Section 5 of the FTC Act (15 U.S.C. § 45) bars “unfair or deceptive acts or practices in or affecting commerce”
• Scope of the FTC’s authority over data security remains unresolved
• FTC v. Wyndham Worldwide Corporation—pending case testing the FTC’s authority to enforce data security standards under Section 5
Recent Proposed Legislation
• Data Security and Breach Notification Act of 2012—would require companies to maintain “reasonable” security measures to protect personal information and would establish a uniform breach notification law
• Cybersecurity Act of 2012—would create “cybersecurity performance requirements” and voluntary cyber threat information sharing standards among private sector companies operating critical infrastructure (e.g., energy, water, transportation)
Recent Proposed Legislation
• Cyber Intelligence Sharing and Protection Act and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT)—would promote voluntary sharing of cyber threat information between private companies and the government
• Personal Data Privacy and Security Act of 2011—would establish a uniform breach notification law and require businesses handling sensitive personal information of more than 10,000 individuals in the course of interstate commerce to maintain a comprehensive data privacy and security program
• Data Security Act of 2011—would require businesses to maintain “reasonable policies and procedures” to protect the confidentiality and security of sensitive personal information that they maintain or communicate
Cybersecurity Executive Order
• White House prepared a draft Executive Order in Sept. 2012 (revised Nov. 2012)
• Creates information sharing mechanisms between private industry and government
• Federal agencies must develop voluntary cybersecurity guidelines for critical infrastructure (e.g., energy, water, transportation)
Senator Rockefeller Letter
[Slide: image of the letter]
Source: U.S. Senate Committee on Commerce, Science, and Transportation (http://commerce.senate.gov/public/index.cfm?p=PressReleases&ContentRecord_id=18db690c-c237-4358-9097-3d53f4762cc0&ContentType_id=77eb43da-aa94-497d-a73f-5c951ff72372&Group_id=4b968841-f3e8-49da-a529-7b18e32fd69d&MonthDisplay=9&YearDisplay=2012)
Senator Rockefeller Letter
• Has your company adopted a set of best practices to address its own cybersecurity needs?
• If so, how were these cybersecurity practices developed?
• Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
• When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
• Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
• What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
• What are your concerns, if any, with the federal government conducting risk assessments in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
• What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?
The Cybersecurity Debate
• The cybersecurity debate has intensified in recent months
• Cybersecurity is a “top legislative priority” in 2013
• Should further federal data security legislation regulating the nation’s critical infrastructure be enacted?
• Should federal legislation be enacted establishing general data security requirements across all industries?
• What should those requirements be?
The Cybersecurity Debate
• Proponents
  • The “threat is real and must be stopped” (Senator Joseph Lieberman)
  • The “cyber threat to our nation is one of the most serious economic and national security challenges we face” (President Obama)
  • We are facing a potential “cyber Pearl Harbor” (Secretary of Defense Leon Panetta)
• Opponents
  • More regulation is not the answer
  • Complying with new legislation and the Executive Order would be costly and burdensome
  • The Executive Order wrongly circumvents Congress
Questions
Corey M. Dennis (cdennis@governo.com)
Ellen M. Giblin (egiblin@ashcroftlawfirm.com)