Electric Fences And Cybersecurity
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Despite the impending tidal wave of both state and federal cybersecurity regulations heading toward us, I keep getting pushback from naysayers who claim that following the GDPR is a bridge too far for most states and that the Fed will be cautious about pushing any additional handcuffs on American business.
I say that is nonsense. Already New York has implemented some of the toughest regs in the country with more in the pipeline and those regs will be followed soon by California and Massachusetts. In fact, California just collected 625,000 signatures (more than enough) for a ballot measure that would mimic GDPR restrictions on businesses across the state. This new California Consumer Privacy Act mirrors most of the GDPR rules related to data privacy rights for individuals and it will pass easily.
The impact, not unlike the one that GDPR imposes on businesses, will be huge here. Most businesses are so far removed from even knowing what data they have and where it’s stored, let alone understanding how it’s secured, that merely responding to requests from privacy activists will be a nightmare. And an expensive nightmare at that. California’s ballot initiative will quickly be followed by copy-cat legislation throughout the country. Interstate cybersecurity-related business transactions will likely become a new practice for many law firms now focused on GDPR and data privacy rights. Ka-Ching.
In addition, there has recently been a surge of class-action suits based on split Circuit court rulings on the old Article III defense, under which plaintiffs had been able to bring a case to court only if they could prove that harm was suffered and that they were the actual party that suffered it (referred to as having “legal standing”).
CareFirst has petitioned the Supreme Court to review the DC Circuit’s ruling in CareFirst Inc. v. Attias on future harm and informational injury following a 2014 data breach. That ruling held that the plaintiffs were justified in claiming they were harmed by having their data stolen in a security incident, because they faced the risk of future harm that may (or may not) occur due to the breach. With the steady rise of cyberattacks and data breaches, this case will have wide-ranging ramifications for any business that holds personal data, as well as for all cyber insurers.
And you know what? It’s about time. U.S. businesses of all stripes have had plenty of opportunity over the last five years to put in place the most simple-minded forms of data and cybersecurity protections and defenses, yet despite repeated warnings, and hard evidence of the consequences of data breaches (Yahoo, Equifax, Uber, etc.), they have steadfastly refused to do so.
Even the Federal Trade Commission has jumped into the regulatory fray, seeking to expand its role in data security and privacy enforcement, particularly now in relation to Internet of Things products and their vulnerabilities, and you can bet that its stance on potential future harm will reflect those lower circuit court rulings. To support that theory, I suggest you look at the class action suit that was filed in 50 states against Equifax, now accompanied by another suit brought by the Independent Community Bankers of America, on behalf of thousands of community banks, in the District Court for the Northern District of Georgia. This case also focuses on the issue of whether the simple threat of future harm, as opposed to alleging that actual harm has already been suffered, is sufficient to establish Article III standing. Guess who will prevail there?
Even Ohio, despite having been swept in 4 games by the Golden State Warriors, has managed to write cybersecurity legislation that freely copies from the NYDFS regulations but additionally provides a safe harbor for businesses that are found in violation of the regs but can demonstrate that they comply with the NIST Cybersecurity Framework or other standards. The bill specifically mentions NIST 800-171, 800-53, the ISO 27000 family, the Center for Internet Security (CIS) critical security controls, the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Modernization Act (FISMA).
That is an ironic twist, because while it may appear to be business-friendly in that it offers some protection in the exhaust following a cyber-attack, it only does so if the business bothered to do what many of us have been telling them to do for years. So, the reality is that it won’t provide that shield, because those ‘victimized’ businesses didn’t embrace any risk framework. And, by the way, in the shadow of a national data privacy regulation, that shield will not stand against countervailing federal laws. Unlike the marijuana law conflicts between the states and the Fed, the political marbles will all be in the individual data privacy rights camp.
In addition, lawmaker scrutiny is (finally) rotating more and more toward senior executives and the Board, with an expectation of stewardship in cybersecurity defense and data protection. In the modern era, customers, clients, employees and shareholders have a reasonable expectation that data privacy and cybersecurity will be a major consideration for every company, big or small, regardless of the sector they are in. It should be obvious to even the most casual observer that when the conversation shifted away from ‘corporate information assets’ to ‘individual data privacy’, any lawmaker worth his or her political bacon came flying out of the woodwork.
No, this tidal wave of regulation is not going to recede. In fact, it is just now beginning to gain some real momentum and you can either credit or blame GDPR for that.
The Cybersecurity Disclosure Act of 2017, crawling through the Senate (introduced over a year ago), targets transparency in the oversight of cybersecurity risks of publicly traded companies. The bill would require publicly traded companies to disclose the cybersecurity expertise of any members of the Board or general partner "in such detail as necessary to fully describe the nature of the expertise or experience". If none have such experience as designated by NIST or the Securities and Exchange Commission, the company would have to describe the cybersecurity measures it has taken for identifying and nominating future nominees to the Board. That might equate to 5,734 new board seats for (gasp) cybersecurity professionals.
In addition, just last month the SEC issued new guidance requiring public companies to be more forthcoming when disclosing cybersecurity risks, even before a breach or attack happens. The statement, which expands on previous guidance issued in 2011, also warns that corporate insiders must not trade shares when they have information about cybersecurity issues that isn’t public yet.
But lawmakers are not even satisfied with that change in policy. SEC commissioner Kara Stein said many public companies still provide disclosures about cybersecurity risks that are “far from robust” and that she is disappointed with the Commission’s limited action. “In effect, we could have helped companies formulate more meaningful disclosure for investors. Instead, yesterday’s guidance provides only modest changes to the 2011 staff guidance,” she wrote. Instead of just issuing guidance, Stein believes that the SEC needs to consider issuing rules that would require companies to develop and implement stronger cybersecurity-related policies and procedures.
And SEC commissioner Robert J. Jackson wrote, “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy. The guidance essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.” And you can bet the mortgage that with political and investor pressure, much more will in fact be done.
And how about one of my favorites? The Data Security and Breach Notification Act was recently introduced in Congress and calls for the Federal Trade Commission to develop security standards and procedures for businesses. It would criminalize all failures to report data breaches, holding C-suite executives and the Board of Directors specifically responsible. And oh yeah, criminally liable.
There should be no doubt that these regulations are coming and once they are in effect and become enforceable, they will create a tsunami of compliance activity in all the usual places.
While I’ve said many times that I am the last guy who thinks that government intervention or regulation is a good idea, I have spent the last decade working with organizations of all sizes to implement even just the fundamental cybersecurity and data protections that are called for by virtually every available cybersecurity and risk framework, with varying degrees of success.
After all that, I have difficulty conjuring up much sympathy for anyone caught in the wake of these new laws. As Will Rogers famously said, “There are three kinds of men in the world. The one that learns by reading. The few who learn by observation. The rest of them have to pee on the electric fence for themselves.”
6 years ago: Great article Steve