Part two of this series continues exploring cybersecurity regulations and breach notification requirements. [Read Part One here].
The first installment of this post mentioned some of the cyber security regulations in New York, which has been noted as leading the pack in this area.1 Part two follows up with a few additional regulations and calls to action that address cyber issues.
Other Industry Specific Regulations
In October 2017, the National Association of Insurance Commissioners (NAIC) approved its model cyber security law to provide guidance for insurance carriers, agents, brokers and their business partners on data security, investigation and breach notification. The model law is specific to the insurance industry but based largely on the New York DFS regulation, discussed in our prior post, which is setting a nationwide standard. It is anticipated that state legislatures throughout the U.S. will adopt the model law.
The model law is intended to protect against both data loss negatively affecting individual insureds, policyholders and other consumers, and loss that would cause a material adverse impact to the business, operations or security of the company (e.g., trade secrets). Each company is required to develop, implement and maintain a comprehensive written information security program based on a risk assessment and containing administrative, technical and physical safeguards for protecting non-public information and the company’s information system. The risk assessment protocol must identify both internal threats from employees and vendors and external hacking threats.
The model law also recognizes the increasing trend toward cloud-based services by requiring that the program address the security of non-public information held by third-party service providers.
Federal Cybersecurity Initiatives
On August 1, 2017, a bipartisan group of U.S. senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act to address vulnerabilities in computing devices embedded in the growing network of everyday Internet-aware devices, like printers, webcams and digital recorders—which experts warn pose a threat to global cyber security.2 Companion legislation in the House is expected soon.
The proposed bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.
Government officials and private organizations alike should pay attention to IoT vulnerabilities, since the nature of attacks is evolving from theft of personal information to highly disruptive events intended to cause major damage. For instance, in 2016, hackers took control of IoT devices and brought down a significant portion of the internet on the East Coast.
Between 20 billion and 30 billion devices are expected to be connected to the internet by 2020, researchers estimate, with a large percentage of them insecure.
Businesses that operate internationally (like Uber) should be aware that enforcement actions under the EU’s General Data Protection Regulation (GDPR) go into effect on May 25, 2018. Adopted in 2016, GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they have no business presence within the EU. The scope of the GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. Moreover, companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.
Monetary penalties for non-compliance can reach 20 million Euros or 4 percent of annual revenue, whichever is higher, or companies may be banned from handling certain kinds of data entirely, which can disrupt entire businesses.
The list of regulations discussed in this two-part series is non-exhaustive but highlights two major points related to disclosure.
First, data breaches and cyber threats have critical implications for our economic well-being, government security, and public safety. To make data more difficult to steal, it must be protected from unauthorized access through diligent internal and external oversight.
Second, when a breach occurs, prompt disclosure to the public and regulators is paramount. Businesses profit from personally identifiable information that belongs to consumers and customers, but should be responsible stewards of these valuable assets.
As one commentator recently noted: “How un-cool would it be to get fined for non-compliance and get breached at the same time?”3 Uber thought it could hide a massive breach with a pay-off, but apparently forgot the adage about cover-ups. While ignoring its notification obligations, Uber also ignored another critical point: even after the payoff, how could it be sure the hackers had deleted the stolen data?
1 Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.