In this guest white paper and PowerPoint presentation, Tomu Johnson, Of Counsel at Parsons Behle & Latimer, discusses why data privacy and cybersecurity law matters to Utah businesses and what steps companies can take to protect themselves, especially in the international market.
Johnson also discusses the new European Union General Data Protection Regulation (GDPR) and important steps Utah companies need to take to ensure they are in compliance with the new law that goes into effect in May 2018.
If You’re Worried about Cybersecurity, Call an Attorney
Each year brings a data breach that affects more and more people; each breach also brings larger fines for companies that failed to protect information. In an effort to evade regulatory fines and consumer wrath, companies have tried to address cybersecurity risks with varying results. Meanwhile, the $120 billion cybersecurity industry—eager to sow fear, uncertainty, and doubt—pushes an array of products to address cybersecurity risks both real and imagined. Instead of purchasing gizmos, executive leadership should rely on legal counsel to help define their legal risks and draft policies and procedures that minimize the identified risks.
At first glance, it may seem odd to solve cybersecurity problems with lawyers, but regulators don’t care if a company spends thousands of dollars on cutting-edge cybersecurity technology. Regulators analyze whether the circumstances leading to a data breach violate state, national, or international law. Accordingly, companies should understand their legal obligations to minimize their cybersecurity risks.
By engaging legal counsel, companies can understand their legal obligations in the cybersecurity arena and draft policies addressing identified risks.
Cybersecurity legal obligations flow from corporate leadership’s fiduciary duty of care; state, national, and international law; and contractual obligations.
Executives and board members owe a fiduciary duty of care to the companies they serve. Failing to carry out those duties can expose executives and board members to personal—and potentially uninsurable—lawsuits. Under the duty of care, executives and board members must act on an informed basis, in good faith, and in the honest belief that their actions are in their company’s best interests. This means executives and board members must act reasonably when they assess information so they can protect the interests of shareholders. The duty of care also requires executives and board members to address reasonable risks to a company. In other words, executives and board members cannot reduce their cybersecurity liability by ignoring the problem.
State, national, and international laws increasingly regulate how companies process information. On the state level, 48 states have data breach notification laws. Most of those laws simply explain how to notify individuals affected by a data breach. Some states go further. Utah, for example, requires “any person who conducts business in the state . . .
In the federal regulatory environment, organizations that work in industries such as health care, banking, insurance, finance, and telecommunications face a plethora of cybersecurity obligations. For example, in the health care environment, federal law requires health care entities to implement specific privacy and security policies. Failing to do so can incur millions in fines, consumer anger, and months of audits with disruptive regulators.
Internationally, most countries enforce strict privacy and security laws. Where the United States regulates privacy by sector, most countries outside the United States regulate privacy and security comprehensively. Accordingly, most countries prohibit the international transfer of information unless certain processes are followed; require a legal basis to process consumer information; and impose steep fines for failing to comply. For example, in 2018, the European Union can fine companies the greater of €20,000,000 or 4% of international revenues.
Another source of legal risk comes from contractual obligations. It’s a common business practice to draft service agreements insisting business partners comply with specific privacy and security laws. In the healthcare industry, health entities commonly require business partners to sign a Business Associate Agreement, which creates an obligation to comply with federal privacy and security laws.
Once executives and board members understand their privacy and security obligations, their legal counsel should draft appropriate policies and procedures. At minimum, the policies should explain how the company governs privacy and security matters, the physical and technological security measures that prevent data breaches, and the incident response process.
With regard to governance, a designated executive should provide regular reports to the board about security assessment results, progress on addressing security matters, audits of the security system, privacy and security awareness campaigns, and data breach incidents. Executives and board members should have an opportunity to review these items, recommend solutions, and communicate regular privacy directives to employees. In line with the duty of care, executives and board members must reasonably address privacy and security issues raised during these meetings. If executives and board members fail to hold these meetings, they may breach their fiduciary obligations to the company.
Policies must set the company’s security framework for physical and technological security. There are numerous security frameworks to choose from, but the most common are ISO’s 27001 standard, the NIST Cybersecurity Framework, and the Center for Internet Security’s 20 Critical Controls. Of these standards, the Center for Internet Security’s 20 Critical Controls are the most approachable. They’re free, available online, and provide a reasonable level of protection without breaking the budget.
Finally, policies should flesh out an incident response process. Without it, companies can waste thousands of dollars without properly addressing incidents. The incident response process should designate an incident response coordinator who fills out an incident report, reports the incident to executives, and works with various departments to resolve the incident. Critically, the process should incorporate legal counsel so counsel can protect matters discussed during the incident with the attorney-client privilege.
No company wants to lose its customers’ information. No company wants to pay a fine or lose business because of a data breach. Instead of buying gadgets to solve obscure cybersecurity problems, companies should engage legal counsel who can define the legal problem and draft policies and procedures to minimize risks.
About the Author
Tomu Johnson is Of Counsel at Parsons Behle & Latimer and practices data privacy and cybersecurity law. His practice extends to state, national and international matters. He has handled data breach litigation, negotiated privacy and security matters in complex commercial contracts, and has guided clients through the incident response process. He has also helped clients gain Privacy Shield certification, sign cross-border data transfer agreements, and submit BCR-C and BCR-P applications. Finally, he has helped clients create policies, procedures and controls that comply with state, federal, and international privacy and security laws.