What a CISO Needs to Know about Cybersecurity and the Law: Privacy, Trends, and the Vagaries of Cyber Law

One of the fiduciary responsibilities that CISOs and their fellow C-suite executives have is to ensure that their organization abides by all laws and government regulations pertaining to their business. Failure to follow the letter of the law – or a federal regulation, which operates with the same force and effect as a law passed by Congress, in many cases – puts the organization at an unacceptable risk.

When it comes to cyber laws, fulfilling that responsibility can be a challenging task for several reasons. First of all, we have 51 sets of laws in the United States, including federal laws and individual state laws. Beyond those 51, there are additional executive orders (from the President), plus regulations from administrative agencies such as the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC). This doesn’t even include international laws, which add another layer of complexity for global enterprises.

A second complicating factor is that many laws that are being applied to cyber scenarios (such as data breaches stemming from cyberattacks) weren’t written specifically for cybersecurity, but they are being interpreted in that viewpoint. That should be of some concern for senior executives, and I’ll talk about why in a moment.

It all starts with privacy

Where we are today with cyber laws in the U.S. all began with the notion of privacy, and it actually goes back to a law journal article written in the late 1800’s that defined privacy as the “right to be let alone.”^[i] Supreme Court decisions over the years have given us certain “penumbra” rights of privacy, implied rights through the First, Third, Fourth, and Fifth Amendments, but not explicitly stated by the Constitution as a definite right such as a right to privacy.

Since that time, the Federal government has enacted several civil-minded laws that pertain to privacy rights where information is concerned. Note that the laws cover information in all its forms, including digital, hard copy, and even verbal.

The first major federal legislation that has been applied to cyber is the Privacy Act of 1974^[ii], which gives certain rights to individuals pertaining to the collection, maintenance, use and dissemination of information about them. Building on that law, the Federal Education Rights and Privacy Act^[iii] (FERPA) came about in order to require protection of student education records. Continuing in the vein of privacy rights, the Health Insurance Portability and Accountability Act^[iv] (HIPAA) was enacted to assure the privacy of patient records and other health information.

These privacy laws drive an enormous amount of information security spending across a wide range of industries spanning financial, education, healthcare, and others. The ramifications of non-compliance with these laws center more around punitive fines than anything else. Nevertheless, fines can run into the millions of dollars^[v] for significant violations.

Book ‘em, Danno

Then there are the criminal statutes, where people can be prosecuted for their actions. One of the earliest applicable laws was Title III of the Omnibus Crime Control and Safe Streets Act of 1968^[vi], generally known as the Wiretap Act. This law regulates the collection of actual content of wire and electronic communications. While the original law covered only wire and oral communications, an amendment known as the Electronic Communications Privacy Act (ECPA) of 1986^[vii] extended coverage to electronic communications. The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to email, telephone conversations, and data stored electronically, and can be used when a criminal illegally accesses someone else’s electronic communications and the like.

The Computer Fraud and Abuse Act^[viii] (CFAA) also came along in 1986. It is a significant law that is applied today when someone accesses a computer system without authorization, or in excess of authorization. This law is used in cases of malicious hacking, but obviously it wasn’t written with today’s technology and types of attacks in mind. Thus, there is talk of amending it to allow the somewhat controversial act of “hacking back,”^[ix] or going on the offensive rather than being limited to the defensive in pursuing cyber attackers. This is being introduced in Congress as an amendment to the CFAA.

What hacking back means is that a company that is under cyberattack can respond with its own attack on the party that initiated the hacking. The controversy is that, one, it might not be possible to conclusively determine who initiated the hacking, and two, the attacker could be a nation-state, in which case it’s completely inappropriate for a company to attack such an entity. If an organization is being attacked by an individual or a company, it’s rules of law; if it’s being attacked by a nation-state, it’s basically military rules of engagement or war.

Trends of interest to the C-suite

Beyond that, and what should be of concern to CISOs and other C-suite occupants, are the Presidential Executive orders and Directives as well as what’s coming out from the FTC and SEC, especially pertaining to the SEC “Material Rule,” which is now being used in cyber. For instance, the SEC Material Rule regulation states that if something would materially affect the price of a company’s stock, it has to be disclosed to shareholders.

For example, the Target Corporation data breach of 2013 resulted in a significant drop in the value of Target stock.  Large institutional shareholders then sued Target, claiming that the merchant should have notified shareholders that the company didn’t have adequate information security. In another case, Morgan Stanley Smith Barney LLC agreed to pay a $1 million penalty^[xi] to settle charges related to its failures to protect customer information. The SEC ruled that Morgan Stanley failed to safeguard client data by allowing an employee to download that data onto a personal machine that was later hacked.

In terms of the trends that we’ve seen in cybersecurity, this interpretation of the SEC Material Rule should be a concern to corporate executives, as it is more responsibility put on them. Equifax is going to be an interesting case to watch for a lot of reasons, not the least of which is the question, at what point do government regulators start holding corporate executives more personally accountable? Some lawyers are already arguing that under Sarbanes-Oxley, CEOs are held liable for financial malfeasance, so when will they be held liable for cyber malfeasance? The potential is there for Sarbanes-Oxley to be used for cybersecurity as well as financial accountability.

Go ahead, share your threats

The U.S. Federal government highly encourages companies to work together to defeat cyber threats. This is the impetus behind the creation of the industry-specific Information Sharing and Analysis Centers (ISACs). The Cybersecurity Information Sharing Act^[xii] (CISA) was passed by the U.S. Congress in October 2015 to allow companies to trade information about hacks without violating anti-trust, and having that information protected.

This law caused response from the European Union (EU) in the belief that the formal information sharing doesn’t adequately protect people’s privacy. However, CISA specifically protects personally identifiable information (PII) by requiring entities to remove PII from any information that is shared with the federal government. It requires that any federal agency that receives cyber information containing PII to protect the PII from unauthorized use or disclosure.

Think globally

This controversy over CISA is a good reminder that cyber laws don’t necessarily stop at the border. Though not a U.S. law, the EU’s General Data Protection Regulation^[xiii] (GDPR) has a profound impact on all organizations that hold or process personal information about any EU citizen or resident—regardless of where those organizations are based. This new law, which goes into full effect in May 2018, goes much further than U.S. laws to protect individuals’ privacy rights, and it may pertain to any citizen or resident of an EU country, no matter where they’re living.

The GDPR basically treats an individual’s right to privacy as sacrosanct. The law specifies that individuals have to opt in to allow companies to hold and process their personal information. What’s more, the individual can revoke that permission at any time, and can request to be forgotten; that is, to have every bit of personal information be removed from a particular application or system. U.S. companies treat personal information in the opposite manner, where individuals have to opt out from having their data collected and stored.

The GDPR will supersede U.S. procedures in the cases where data is collected on an EU citizen living within the EU, or when a US company has a hub in the EU and stores data on domestic and abroad EU citizens. This means that even U.S.-based companies need to consider their processes and how they will accommodate the law for EU individuals.

The traditional notions of law don’t hold up in the cyber world

Breaches like OPM and Equifax that result in loss of personal identity information bring about some interesting lawsuits. In the case of Equifax, not only have shareholders and consumers already filed lawsuits, but a Wisconsin credit union has filed suit in an attempt to preemptively recoup losses caused by alleged fraud the data theft could cause.^[xiv]

In the traditional notions of law, the plaintiffs in these suits must establish their standing to sue. That is, they must show they’ve suffered concrete actual or imminent injury, not just hypothetical future harm. They also need to be able to trace their injury back to the target of their suit – Equifax, in this case – and show that a favorable decision would redress that harm.

The courts are divided on this issue of standing when it comes to cyber law. One federal court has said if you have your identity stolen, you don’t have to prove damages; you can sue.^[xv] Another federal court recently ruled the opposite, saying that in the OPM breach, nobody could prove damages so the lawsuit couldn’t go forward.^[xvi] There also may be legal issues if victims are customers versus employees. But in cyber law, it’s very difficult to prove damages because, quite often, we don’t know where the data has gone, who has it, or what they plan to do with it. The damage can occur many months or years later when people discover their digital identities have been misused. At that point, who is to blame?

What about ethics and standards?

When it comes to cybersecurity, there are laws, and then there are ethics. The fact is, there are no ethical standards when it comes to cybersecurity. I’m a licensed engineer, a licensed attorney, and a licensed patent attorney. Every one of those professions has ethics that I must abide by, lest I lose my license to practice that profession. There are no such licenses for cyber professionals. There are certifications to validate skills, but there’s no definitive code of conduct of which a violation could prevent the person from working in cybersecurity.

The United States is a common law country whereby judges can make laws and legal precedent. In addition to court cases that establish this legal precedent, as well we have regulations from government agencies including the SEC and the FTC. Beyond laws passed by legislature, established as legal precedent by courts and regulated by government agencies, we have an issue of cyber ethics. Technology has just disrupted all that, because the ethical practices we have don’t explicitly define who is responsible, who is liable, and how to assess risk and protect yourself. In terms of law, this ambiguity doesn’t work.

This has ramifications for cyber insurance, too. The challenge with cyber insurance is that there are no definitive standards for what is considered a “secure computing posture.” There are security frameworks, but they generally lack specific requirements of corporate behavior. There are court cases where the insurance company has claimed that its client did not use reasonable practices to protect the data that was stolen, and the issuer of the policy would not pay the claim against the cyber insurance policy—and the court has upheld the insurance company’s position.^[xvii]

This gets into this whole notion of defining a reasonable security practice. Is it reasonable to somebody who works in this area? Is it reasonable to the common citizen who has lost count of the number of times he’s had his personal information stolen?

A second factor is proving that the enterprise actually did what it needed to do to get that insurance, which typically involves attesting to a secure computing environment. The CISO can attest to the security posture, but is the environment truly secure? And the reason that goes back to the law is because that ends up in court cases, and insurance is a regulated industry.

Laws change as a reaction to events

Many of the laws that are on the books now are decades old. I see them being rewritten only as a reaction to something. Laws are reactive. Bad things have to happen, and then our legislators put the laws in place in an attempt to prevent the bad things from happening again.

Technology is disruptive, and the law will always lag technology. That’s just the nature of it. You can’t get ahead of it. Who can anticipate where technology is headed five, ten years from now? Five years ago, who could have foreseen the disruptions caused by ransomware, or some of the things that are going on with nation-states? In the old days, the cyberattacks were mostly just inconvenient. Now we have the criminalization of it, or the hacktivist that might have political motives. And so, the laws are always reactive. I expect there will be new laws introduced stemming from the Equifax breach. But why weren’t those laws introduced after the Home Depot or the Target breaches? Well, you’ve got to get a momentum going to force changes in laws.

What’s more, in the case of a criminal cyberattack, the ability to go after a suspect and to prosecute him depends on where he’s located. If that person is outside the United States, say in China or North Korea, it might be impossible to go after him because he’s out of this country’s jurisdiction, and there are no agreements with certain countries. In cases like this, U.S. laws simply cannot be enforced.

In conclusion

CISOs have a fiduciary responsibility to reduce risk by upholding cyber laws and regulations. As I hope I have demonstrated, this can be a complex endeavor.

I started this article talking about privacy, and the way that companies treat data all circles back to privacy. What CISOs need to be concerned about, first and foremost, is protecting their employees’ and customers’ data—and that, for lack of a better word, is all about privacy. If this protection is provided in earnest, then the laws should take care of themselves.

 

^[i] “The Right to Privacy Samuel D. Warren; Louis D. Brandeis Harvard ….” 22 Jan. 2007, http://www.cs.cornell.edu/~shmat/courses/cs5436/warren-brandeis.pdf.

^[ii] “Privacy Act of 1974 – Department of Justice.” 17 Jul. 2015, https://www.justice.gov/opcl/privacy-act-1974.

^[iii] “FERPA – U.S. Department of Education.” 26 Jun. 2015, https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

^[iv] “Health Information Privacy | HHS.gov.” https://www.hhs.gov/hipaa/index.html.

^[v] “6 largest HIPAA settlement fines of 2016 – Becker’s Hospital Review.” 23 Dec. 2016, https://www.beckershospitalreview.com/healthcare-information-technology/6-largest-hipaa-settlement-fines-of-2016.html.

^[vi] “Title III of The Omnibus Crime Control and Safe Streets Act of 1968.” 19 Sep. 2013, https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1284.

^[vii] “Electronic Communications Privacy Act of 1986.” https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285.

^[viii] “18 U.S. Code § 1030 – Fraud and related activity in connection with ….” https://www.law.cornell.edu/uscode/text/18/1030.

^[ix] ““Active Cyber Defense Certainty Act” [PDF] – Tom Graves.” https://tomgraves.house.gov/uploadedfiles/discussion_draft_active_cyber_defense_certainty_act_2.0_rep._tom_graves_ga-14.pdf.

“Target Profit Falls 46% On Credit Card Breach And The Hits Could ….” 26 Feb. 2014, https://www.forbes.com/sites/maggiemcgrath/2014/02/26/target-profit-falls-46-on-credit-card-breach-and-says-the-hits-could-keep-on-coming/. Accessed 7 Nov. 2017.

^[xi] “SEC.gov | SEC: Morgan Stanley Failed to Safeguard Customer Data.” https://www.sec.gov/news/pressrelease/2016-112.html.

^[xii] “Cybersecurity Information Sharing Act of 2015.” https://www.cisecurity.org/newsletter/cybersecurity-information-sharing-act-of-2015/.

^[xiii] “EU GDPR.” http://www.eugdpr.org/.

^[xiv] “After the breach, Equifax now faces the lawsuits – The Washington Post.” 22 Sep. 2017, https://www.washingtonpost.com/news/business/wp/2017/09/22/after-the-breach-equifax-now-faces-the-lawsuits/.

^[xv] “Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015 ….” https://law.justia.com/cases/federal/appellate-courts/ca7/14-3122/14-3122-2015-07-20.html.

^[xvi] “OPM spared lawsuits over massive breach – POLITICO.” 20 Sep. 2017, https://www.politico.com/tipsheets/morning-cybersecurity/2017/09/20/opm-spared-lawsuits-over-massive-breach-222379.

^[xvii] “FILED: NEW YORK COUNTY CLERK 04/09/2014.” 9 Apr. 2014, https://law.ku.edu/sites/law.ku.edu/files/docs/media_law/2014/Zurich_v_Sony_Pre-Argument.pdf.