'Cybersecurity' and 'privacy' aren't the same thing
A more consistent, uniform regulatory environment is essential.
Absent a national regulatory framework, cybersecurity and consumer privacy issues and their associated threats will continue to grow at an accelerating pace.
The terms “cybersecurity” and “privacy” are often used as if they were interchangeable. They are not.
Cybersecurity: Protecting sensitive data from third parties
Cybersecurity refers to protecting systems and the critical and sensitive data they hold, and preventing that data from falling into the hands of unauthorized third parties, be they nation-state actors, business competitors, disgruntled employees or self-described white hat “ethical” researchers. Large-scale data breaches, frequently set in motion by phishing campaigns that harvest credentials, are now the norm rather than the exception.
The Internet of Things, big data, smart applications and cloud computing all operate in an environment mired in regulation: an already complicated security landscape, a patchwork of state-by-state requirements and the recent emergence of activist state attorneys general. A more consistent, uniform regulatory environment, one administered exclusively by the Federal Trade Commission, is essential.
Privacy: Personal info & how data is collected, used, shared
Privacy generally relates to consumers’ personal information and their ability to fully understand their rights regarding how data about them is collected, used and shared. Such personal information must be well protected and its uses explained to the consumer in clear and simple language; transparency is paramount. At present, however, there is no single recognized legal standard for data management in the United States, with each state maintaining its own security regime.
The Internet Association, a U.S.-based industry trade group based in Washington, D.C., has released policy principles for a federal privacy law to provide consumers the right to assess, correct, delete and download their personal data.
As with any government action, the protection of personal data calls for a balanced approach that does not impose unnecessary or unduly burdensome regulation. And while under normal circumstances personal information should not be disclosed to third parties without express consent, federal legislation should consider a narrow carve-out allowing law enforcement, in life-threatening situations, to obtain in decrypted form the data commonly stored on smart devices. Any such carve-out necessarily presumes that some party retains a means of decrypting that data, which is why it should be narrow and explicit.
Waiting for a national standard
Until a national standard has been established, Georgia’s General Assembly, under the Gold Dome, can provide a legislative backstop. A bill modeled after Ohio’s Data Protection Act would be a welcome addition. Ohio’s law uses the “carrot” of an affirmative defense that limits liability to encourage companies to create and implement a cybersecurity program modeled after an industry-recognized framework, such as the National Institute of Standards and Technology Cybersecurity Framework, a set of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect and respond to cyberattacks.
In other words, the Ohio law does not rely on punitive measures as a means of enforcement. Unlike the consumer privacy and data security legislation recently passed in California and Colorado, which set minimum requirements and open the door to private lawsuits, it explicitly does not set minimum data security standards and does not impose liability on businesses that fail to maintain a compliant cybersecurity program. Instead, the law seeks the adoption of best practices and encourages institutional cooperation (“voluntary action”) by offering a breach litigation safe harbor to covered entities that meet the law’s cybersecurity standards.
Enactment of such a law, coupled with a requirement to provide notice of a breach to the state attorney general and not only to affected persons, would be a huge improvement.
Sam Olens (samuel.olens@dentons.com), a counsel at Dentons, was attorney general of Georgia from 2010 to 2016. Opinions expressed are the author’s own.