“The US is developing a law of cybersecurity that is incoherent and unduly complex,” says Ed McNicholas, one of the foremost experts on cybersecurity law.
McNicholas is a partner at Sidley Austin LLP and co-editor of the newly-published treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk (with co-editor Vivek K. Mohan). The treatise is a superb guide to this rapidly-growing body of law, and it is nicely succinct as treatises go. It is an extremely useful volume that I’m delighted I have on my desk. If you practice in this field, get this book.
I recently conducted a brief interview with Ed McNicholas about cybersecurity law.
SOLOVE: The law of cybersecurity is quite extensive and unwieldy. What common themes do you see running throughout the law? Since you’re so involved in dealing with all these laws and have synthesized them in your book, are there some general takeaways about the law that you can provide?
MCNICHOLAS: The treatise highlights the real burdens placed on companies that are trying to be diligent in addressing cyber risk. The U.S. sector-based model does not function well in this area, particularly as nearly every state and federal regulator is promulgating slightly different cybersecurity guidance. A general counsel for a mid-sized company would have no reasonable way of even reviewing all of this guidance. There is simply too much ground for lawyers to cover when issue spotting cybersecurity legal questions.
The US is developing a law of cybersecurity that is incoherent and unduly complex. The need for this treatise arises precisely because companies need help identifying the relevant set of practical considerations for their business. Cybersecurity preparedness requires a practical focus on dedicating resources to reduce the operational risk of a cyber incident, but it also requires implementing – and living by – procedures and plans to respond when the inevitable occurs.
SOLOVE: What are your predictions for the future of the law and the field?
MCNICHOLAS: In the near future, the biggest movement may well be existing regulators flexing their muscles to require regulated entities to address cybersecurity proactively. We’re already seeing this from the SEC, which has already started investigating public companies after breaches and putting investment advisers and others on alert that the SEC views them as responsible for ensuring that their vendors have robust cybersecurity safeguards in place. Imposing these cybersecurity requirements by contract is going to have a ripple effect across industries, and lead to a practical business need to compare relative cyber risk between companies. We have already seen the requirements spread across the broader financial sector, resulting in a blizzard of contract addenda and audit requests.
In the short run, the need for companies to audit their vendors will quickly result in a cacophony of requests as companies audit, cross-audit and re-audit each other. In the long run, the necessity of comparing security across companies should lead to innovation – perhaps of widely-accepted cybersecurity standards, and these standards should support the development of risk modeling and insurance markets. Ultimately, the insurance companies and auditors will play a larger role in the field – as will the litigators once we see more of these cases get large enough to fight about. Once we have a few more very large attacks, such as at Target or Home Depot, we will see the law develop more fully so that the insurance companies and auditors have more clarity. In the meantime, the path of the law in this area will remain uncertain, but its rapid expansion is a good bet.
SOLOVE: To what extent do privacy issues and laws come into play in the cybersecurity field?
MCNICHOLAS: Cybersecurity encompasses the protection of so much more than personal information. Trade secrets, IP, physical infrastructure are all part of cybersecurity, but not part of privacy.
At present, the two fields overlap in complex ways. Without adequate cybersecurity, privacy protections are illusory; privacy laws certainly form a base for the current law of cybersecurity, and data breach laws have had a big impact on privacy practices. That being said, cybersecurity law can develop on its own – apart from privacy law. Cybersecurity done right should not necessarily infringe upon privacy interests, but cybersecurity will need to remain mindful of minimizing intrusions into private spheres.
SOLOVE: Are you noticing any changes in the state of data breach litigation? Some courts are starting to recognize harm. Is this changing the landscape at all?
MCNICHOLAS: A few cases are indeed starting to recognize harm without financial consequences. I think we have essentially seen that in some cases, although those courts have to contort themselves into finding that consumers who are not out-of-pocket still have some harm.
The Supreme Court’s upcoming Spokeo decision may announce a rule that legislatures can define harms that create standing even in the absence of financial injury. In the long-run, we may move towards notions of recognizing a harm to dignity that exists without financial harm. This sort of dignitary harm is as old as Peeping Tom cases, and certainly echoes today with the protections for information about medical conditions and other matters deemed inherently sensitive.
Ultimately the notion that out-of-pocket financial harm is the only real harm may well fade; until then, courts will continue to use a requirement for tangible financial harm as a way of excluding frivolous complaints that only seek to exact settlements from companies that have suffered from cybercrime.
SOLOVE: Imagine you were king for a day and could rework any cybersecurity law. What are a few of the greatest shortcomings in cybersecurity law that you would want to address? Which types of regulation are most effective?
MCNICHOLAS: If I were king of cybersecurity for a day, I would have two goals.
First, I would require that the regulators work from one clear set of preemptive procedural regulations. They could tweak them for their sectors, but the core would remain consistent — and it would focus on process and assigning rights and liability, not dictating particular technical controls. At present, the cacophony of voices makes it too hard to focus on the message of risk-based cybersecurity protections. Once we get clear rights and liability, private party negotiation will be much more efficient and should optimally apportion risk.
Second, I would overhaul ECPA. We need clear protections for 21st century electronic communications that give consumers and workers real confidence in using new technologies without a fear of unfettered surveillance. At the same time, we need clear procedures for law enforcement and other governmental agencies to be able to conduct reasonable searches when they have probable cause to suspect someone of committing a crime.
SOLOVE: What role should the government play in cybersecurity?
MCNICHOLAS: One of the treatise co-authors, Paul Rosenzweig, and I had an interesting discussion on this point during the recent Privacy+Security Forum conference. For many, the takeaway was that the government should view cybersecurity as a public good that will not be produced in optimal quantities without governmental support. The government itself needs to work to get malware and black hats off the Internet – and it should avoid the impulse to “blame the victim” when companies with reasonable security are hacked. The state police do not fine a bank when it gets robbed because they see eliminating bank robbers as a public duty; likewise state law enforcement should not fine victims of hacking – unless they engaged in irresponsibly reckless conduct.
Even if you do not agree with the robust “cybersecurity is a public good” argument, government certainly has a role in ensuring the parties have accurate information about the scope and types of cyber risks. Currently, some parties have significant information advantages and are able to shift risk at prices that are lower than a fully-informed market would set.
On a practical level, promulgating the NIST Framework is a great example of a “third way” or “quasi-regulatory” approach, with the government using its convening power and authority to develop a useful tool for companies to evaluate their cybersecurity preparedness and work to improve it. It will likely become effectively mandatory for many, but it should not be unduly burdensome because of its practicable, flexible character.
SOLOVE: What are the most notable new developments in the field over the past year?
MCNICHOLAS: Cybersecurity seems to be coming of age. Companies are no longer seeing cybersecurity as a one-time project; many now see it as an ongoing operational necessity.
The continued rise of the NIST cybersecurity framework seems to herald a flexible, but uniform, method of assessing and comparing cybersecurity across companies. The framework, combined with the continued deployment of corporate-government cybersecurity information sharing environments may point to a new paradigm for interaction between corporations and the government.
On the policy front, President Obama’s decision to end bulk surveillance programs consistent with the USA Freedom Act should alleviate some concerns of privacy advocates and allow the establishment of the trust necessary to have effective corporate-governmental cybersecurity information sharing. Likewise, it should help to speed resolution of EU concerns with US national security surveillance.
SOLOVE: Thanks, Ed, for your thoughtful insights. Ed’s new book is Cybersecurity: A Practical Guide to the Law of Cyber Risk (with co-editor Vivek K. Mohan).
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.