Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Security Laws and the Rising Cybersecurity Debate

Similar presentations

Presentation on theme: "Data Security Laws and the Rising Cybersecurity Debate"— Presentation transcript:

1 Data Security Laws and the Rising Cybersecurity Debate
Corey M. Dennis, Governo Law Firm LLC Ellen M. Giblin, Ashcroft Law Firm February 7, 2013

2 Overview State Data Security Laws
Payment Card Industry Data Security Standard Federal Data Security Laws The Cybersecurity Debate

3 State Data Security Laws
Data Breach Notification Laws Enacted in 46 states, District of Columbia, Puerto Rico, U.S. Virgin Islands, and Guam Require notification of a data security breach to consumers “in the most expedient time possible” or “without unreasonable delay”

4 State Data Security Laws
Source: Imation Corp. (

5 State Data Security Laws
Data Security Standards Enacted in a minority of states (e.g., MA, CT, RI, CA, OR, MD, NV) Mandate data security standards to protection to safeguard state residents’ personal information Typically require “reasonable security measures” MA data privacy regulations (201 CMR et seq.) among most burdensome and far-reaching

6 Payment Card Industry Data Security Standard
Established by credit card companies (VISA, Mastercard, American Express, Discover) Contractually requires merchants to safeguard cardholder data Sets forth extensive information security requirements, including: build and maintain a secure network protect cardholder data (e.g., through encryption) regularly monitor and test networks maintain a written information security policy train employees on compliance with data security policies maintain an incident response plan monitor service providers

7 Federal Data Security Laws
Fair Credit Reporting Act (“FCRA”)—imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies Gramm-Leach-Bliley Act (“GLBA”)—mandates data security requirements for “financial institutions” (broadly defined to include banks, mortgage companies, insurance companies, financial advisors, investment firms, etc.) Children’s Online Privacy Protection Act (“COPPA”)—requires covered website operators to maintain reasonable procedures to protect the personal information of children

8 Federal Data Security Laws
Health Insurance Portability and Accountability Act (“HIPAA”)—requires health care providers to maintain security standards for protected health information Health Information Technology for Economic and Clinical Health (HITECH) Act—strengthens penalties for HIPAA violations and extends HIPAA violation liability to “business associates” to whom protected health information is disclosed FTC’s Red Flags Rule—requires financial institutions and creditors holding consumer accounts to maintain a written identity theft prevention program

9 FTC’s Authority Over Data Security
Section 5 of the FTC Act (15 U.S.C. § 45) bars “unfair or deceptive acts or practices in or affecting commerce” Scope of FTC’s authority over data security unresolved FTC v. Wyndham Worldwide Corporation—FTC’s authority to enforce data security standards

10 Recent Proposed Legislation
Data Security and Breach Notification Act of 2012—would require companies to maintain “reasonable” security measures to protect personal information and would establish a uniform breach notification law Cybersecurity Act of 2012—would create “cybersecurity performance requirements” and voluntary cyber threat information sharing standards among private sector companies operating critical infrastructure (e.g., energy, water, transportation)

11 Recent Proposed Legislation
Cyber Intelligence Sharing and Protection Act and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT)—would promote voluntary sharing of cyber threat information between private companies and the government Personal Data Privacy and Security Act of 2011—would establish a uniform breach notification law and require businesses handling sensitive personal information of more than 10,000 individuals in the course of interstate commerce to maintain a comprehensive data privacy and security program Data Security Act of 2011—would require businesses to maintain “reasonable policies and procedures” to protect the confidentiality and security of sensitive personal information that they maintain or communicate

12 Cybersecurity Executive Order
White House prepared draft Executive Order in Sept (revised Nov. 2012) Creates information sharing mechanisms between private industry and government Federal agencies must develop voluntary cybersecurity guidelines for critical infrastructure (e.g., energy, water, transportation)

13 Cybersecurity Executive Order

14 Senator Rockefeller Letter
Source: U.S. Senate Committee on Commerce, Science, and Transportation ( d53f4762cc0&ContentType_id=77eb43da-aa94-497d-a73f-5c951ff72372&Group_id=4b f3e8-49da-a529-7b18e32fd69d&MonthDisplay=9&YearDisplay=2012).

15 Senator Rockefeller Letter
Has your company adopted a set of best practices to address its own cybersecurity needs? If so, how were these cybersecurity practices developed? Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them. When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices? Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices? What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012? What are your concerns, if any, with the federal government conducting risk assessments in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012? What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

16 The Cybersecurity Debate
Cybersecurity debate has intensified in recent months Cybersecurity is a “top legislative priority” in 2013 Should further federal data security legislation regulating the nation’s critical infrastructure be enacted? Should federal legislation be enacted establishing general data security requirements across all industries? What should those requirements be?

17 The Cybersecurity Debate
Proponents The “threat is real and must be stopped” (Senator Joseph Lieberman) The “cyber threat to our nation is one of the most serious economic and national security challenges we face” (President Obama) We are facing a potential “cyber Pearl Harbor” (Secretary of Defense Leon Panetta) Opponents More regulation is not the answer Complying with new legislation and Executive order would be costly and burdensome Executive Order wrongly circumvents Congress

18 Questions Corey M. Dennis Ellen M. Giblin

Download ppt "Data Security Laws and the Rising Cybersecurity Debate"

Similar presentations

Ads by Google