December is the month for predictions. During this month, commentators of all sorts and in all areas predict the trends and actions that will impact us during the coming year. While speculating about the future is a questionable pursuit, we at the Cybersecurity Lawyer Forum would hate to be left out of the fun. With that in mind, a few thoughts on what we might expect in the year to come.
National Cybersecurity Legislation
Legislation in the United States is less an exercise in establishing comprehensive systems than in reacting to events; much legislation tends to be anecdotal and designed to fit the day’s headlines. Moreover, legislating is a curious process, and even with Congress and the White House held by the same party, legislation is hard to pass.
Cybersecurity legislation faces additional hurdles. It is not always the highest priority for lawmakers, especially during a year when an entirely new administration must be established, and when the campaign promises of the last year did not include cybersecurity as a priority.
Thus, in the absence of an event that would force action – something along the lines of a national disaster – we would expect the continued introduction of legislation reacting to specific events (such as the bill that Representatives Eric Swalwell (D-CA) and Elijah Cummings (D-MD) introduced about Russian interference and possible hacking in the last election). We would also expect that such legislation will not be passed.
In that regard, for those who hope for a national breach notification law – something that would benefit virtually all involved – we would anticipate multiple proposals but no action, which has been the experience of the last several years.
At the same time, state and local governments are not bound by the same constraints as Congress. States have proved themselves to be a laboratory for legislation, and because cybersecurity has been a key concern, we would expect more action on that level. Thus, while one could safely assume that Congress will not take up broad cybersecurity legislation, the states might.
With that in mind, probably the most significant step the states are likely to take is the move from focusing on breach notification to imposing security standards. Existing legislation takes the approach that requiring companies to disclose a breach is the most effective way of protecting consumers, and that the cost and business impact of publicizing a breach will force companies to secure their data. However, data breaches are so common – literally, a daily event – that announcing a breach does not have the impact it once had. Moreover, it is increasingly apparent that advance prevention is preferable to after-the-fact notification. Thus, states are beginning to require companies to evaluate their security profile and to take appropriate measures to ensure meaningful levels of security.
The Regulators Step In
While the incoming Trump administration has expressed its intention to reduce regulation, which would presumably include cybersecurity regulation, federal regulators, particularly the FTC and the SEC, have the tools to enforce existing regulations and, effectively, impose security requirements. The FTC in particular has been active in using its authority under Section 5 of the Federal Trade Commission Act and has effectively created new rules by holding companies accountable for failing to meet consumer expectations or for making unwarranted claims that they maintained a cybersecure environment.
What Should You Do?
In a time of uncertainty, it makes sense to go back to the basics:
- Focus on actual security – compliance requirements will change, but achieving actual security is a goal that will transcend legislative and regulatory changes.
- Analyze your risk – the key element in any risk reduction program is to understand your risk profile. Your risk profile is unique; there is no one-size-fits-all analysis.
- Develop the “Human Firewall” – time and time again, it has been shown that technical solutions address only part of the cybersecurity challenge; each individual in an organization has a role in achieving a cybersecure environment.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.