Cybersecurity laws are a worldwide but evolving patchwork
ABA Techshow panelist Martin Tully, a partner at Akerman in Chicago, opened his St. Patrick’s Day afternoon panel with a promise to keep it brief, noting that “we are the last thing standing between you and Guinness and corned beef and cabbage.”
But there was a lot to cover in the hour set aside for “Legal Survey: Cybersecurity and Data Protection Laws.” That’s because data protection laws are “all over the map,” Tully said.
For one thing, there’s no uniform federal law covering all aspects of cybersecurity. Instead, the United States has at least 30 laws covering it in specific sectors of the economy. These include the Health Insurance Portability and Accountability Act in health care; the Fair Debt Collection Practices Act and Fair Credit Reporting Act in consumer credit; and the Stored Communications Act for Internet service providers.
Tully added that regulatory agencies are also stepping up their involvement. One particularly active agency is the FTC, which has brought numerous actions over “insufficient security,” using its authority over “unfair and deceptive practices in or affecting commerce.”
Andrew Tannenbaum, chief cybersecurity attorney at IBM in New York, said Congress has considered numerous related bills over the past decade, but has only passed one: the Cybersecurity Information Sharing Act of 2015, signed in December. The law addresses corporations’ concerns about sharing data security information: Does sharing waive attorney-client privilege? Does it violate privacy laws? Does it expose the company to regulation? The new law addresses those concerns in order to encourage sharing, he said.
“It’s a pretty exciting time to practice in this area, because while computers have been around for a while, the laws are starting to form,” he said.
The same is true overseas. Germany, Japan and the Netherlands have all recently passed laws on data security or seen them go into effect. The EU agreed with the United States in February on data protections in the EU-US Privacy Shield, Tully said, but each EU member state will have to adopt its own law on the subject. The EU General Data Protection Regulation applies directly to member states and will go into effect soon.
There are also privacy laws in 47 U.S. states, Washington, D.C., Puerto Rico, Guam and the U.S. Virgin Islands. (States with no such laws are South Dakota, Alabama and New Mexico.) As with the EU General Data Protection Regulation, application of these laws will depend on the victim’s residency, not where the company is headquartered.
There’s pressure to pass a uniform federal law, Tannenbaum said, but “states want that to be a floor, not a ceiling.”
Tully added that civil liability is also an issue—but standing issues stop more lawsuits than you might expect. Thanks to a 2013 U.S. Supreme Court ruling in a non-data-breach case, Clapper v. Amnesty International USA, plaintiffs in most jurisdictions have to show more than just “possible future injury.”
Looking ahead, Tully said, he expects to see lots more regulator involvement, more state laws and continued interest in Congress on national standards.