Presentation transcript: "Data Security Laws and the Rising Cybersecurity Debate"

Slide 1: Data Security Laws and the Rising Cybersecurity Debate
Corey M. Dennis, Governo Law Firm LLC
Ellen M. Giblin, Ashcroft Law Firm
February 7, 2013

Slide 2: Overview
- State Data Security Laws
- Payment Card Industry Data Security Standard
- Federal Data Security Laws
- The Cybersecurity Debate

Slide 3: State Data Security Laws
- Data Breach Notification Laws
- Enacted in 46 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam
- Require notification of a data security breach to affected consumers "in the most expedient time possible" or "without unreasonable delay"
Slide 4: State Data Security Laws
[State-by-state compliance heat map] Source: Imation Corp. (http://www.imation.com/en-US/Mobile-Security/Mobile-Security-Products/Secure-Data/-Resources-/Compliance-Heat-Map)
Slide 5: State Data Security Laws
- Data Security Standards
- Enacted in a minority of states (e.g., MA, CT, RI, CA, OR, MD, NV)
- Mandate data security standards to safeguard state residents' personal information
- Typically require "reasonable security measures"
- MA data privacy regulations (201 CMR et seq.) are among the most burdensome and far-reaching
Slide 6: Payment Card Industry Data Security Standard
- Established by the major card brands (Visa, MasterCard, American Express, Discover, and JCB)
- Contractually requires merchants and their service providers to safeguard cardholder data
- Sets forth extensive information security requirements, including:
  - build and maintain a secure network
  - protect cardholder data (e.g., through encryption)
  - regularly monitor and test networks
  - maintain a written information security policy
  - train employees on compliance with data security policies
  - maintain an incident response plan
  - monitor service providers
Slide 7: Federal Data Security Laws
- Fair Credit Reporting Act ("FCRA"): imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies
- Gramm-Leach-Bliley Act ("GLBA"): mandates data security requirements for "financial institutions" (broadly defined to include banks, mortgage companies, insurance companies, financial advisors, investment firms, etc.)
- Children's Online Privacy Protection Act ("COPPA"): requires covered website operators to maintain reasonable procedures to protect the personal information of children
Slide 8: Federal Data Security Laws
- Health Insurance Portability and Accountability Act ("HIPAA"): requires covered entities (health care providers, health plans, and health care clearinghouses) to maintain security standards for protected health information
- Health Information Technology for Economic and Clinical Health ("HITECH") Act: strengthens penalties for HIPAA violations and extends HIPAA liability to "business associates" to whom protected health information is disclosed
- FTC's Red Flags Rule: requires financial institutions and creditors holding consumer accounts to maintain a written identity theft prevention program
Slide 9: FTC's Authority Over Data Security
- Section 5 of the FTC Act (15 U.S.C. § 45) bars "unfair or deceptive acts or practices in or affecting commerce"
- The scope of the FTC's authority over data security under Section 5 remains unresolved
- FTC v. Wyndham Worldwide Corporation: pending challenge to the FTC's authority to enforce data security standards under Section 5
Slide 10: Recent Proposed Legislation
- Data Security and Breach Notification Act of 2012: would require companies to maintain "reasonable" security measures to protect personal information and would establish a uniform breach notification law
- Cybersecurity Act of 2012: would create "cybersecurity performance requirements" and voluntary cyber threat information sharing standards among private sector companies operating critical infrastructure (e.g., energy, water, transportation)

Slide 11: Recent Proposed Legislation
- Cyber Intelligence Sharing and Protection Act and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT): would promote voluntary sharing of cyber threat information between private companies and the government
- Personal Data Privacy and Security Act of 2011: would establish a uniform breach notification law and require businesses handling the sensitive personal information of more than 10,000 individuals in the course of interstate commerce to maintain a comprehensive data privacy and security program
- Data Security Act of 2011: would require businesses to maintain "reasonable policies and procedures" to protect the confidentiality and security of the sensitive personal information that they maintain or communicate

Slide 12: Cybersecurity Executive Order
- White House prepared a draft Executive Order in Sept. 2012 (revised Nov. 2012)
- Creates information sharing mechanisms between private industry and government
- Federal agencies must develop voluntary cybersecurity guidelines for critical infrastructure (e.g., energy, water, transportation)
Slide 14: Senator Rockefeller Letter
[Image of the letter] Source: U.S. Senate Committee on Commerce, Science, and Transportation (http://commerce.senate.gov/public/index.cfm?p=PressReleases&ContentRecord_id=18db690c-c d53f4762cc0&ContentType_id=77eb43da-aa94-497d-a73f-5c951ff72372&Group_id=4b f3e8-49da-a529-7b18e32fd69d&MonthDisplay=9&YearDisplay=2012).
Slide 15: Senator Rockefeller Letter
- Has your company adopted a set of best practices to address its own cybersecurity needs?
- If so, how were these cybersecurity practices developed? Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
- When were these cybersecurity practices developed? How frequently have they been updated? Does your company's board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
- Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
- What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
- What are your concerns, if any, with the federal government conducting risk assessments in coordination with the private sector, to best understand where our nation's cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
- What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country's most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?
Slide 16: The Cybersecurity Debate
- The cybersecurity debate has intensified in recent months
- Cybersecurity is a "top legislative priority" in 2013
- Should further federal data security legislation regulating the nation's critical infrastructure be enacted?
- Should federal legislation be enacted establishing general data security requirements across all industries?
- What should those requirements be?

Slide 17: The Cybersecurity Debate
Proponents
- The "threat is real and must be stopped" (Senator Joseph Lieberman)
- The "cyber threat to our nation is one of the most serious economic and national security challenges we face" (President Obama)
- We are facing a potential "cyber Pearl Harbor" (Secretary of Defense Leon Panetta)
Opponents
- More regulation is not the answer
- Complying with new legislation and the Executive Order would be costly and burdensome
- The Executive Order wrongly circumvents Congress