[Originally published as the May 2018 Cover Story: Data Privacy and the Law – American Privacy Laws in a Global Context: Predictions for 2018, by Lily Li, in Orange County Lawyer Magazine, May 2018, Vol. 60 No.5.]
Cybersecurity Attacks Are Inevitable
Cybersecurity attacks are on the rise. According to the non-profit Identity Theft Resource Center, there were over 1,579 publicly reported data breaches in 2017, compared to 1,091 in 2016 and 780 in 2015. These cyberattacks are not only happening at high-profile companies like Equifax, Uber, and Yahoo; they are increasingly happening to businesses of all sizes. Any entity able to pay a ransom is now a potential target.
Law firms are no exception. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous email hacks of Cravath and Weil Gotshal in 2016. Earlier this year, the UK-based cybersecurity firm RepKnight reported that almost 800,000 UK law firm email addresses and affiliated passwords were available on the dark web, with over 50% of these credentials posted in the last six months. These were not only local UK firms, but also global law firms with a UK presence.
Given these alarming statistics, what should legislators do?
In the EU, Canada, and China, legislators have decided to develop and implement national data privacy and cybersecurity frameworks: GDPR, PIPEDA, and CSL respectively. The United States, by contrast, still relies upon a patchwork of sectoral laws and inconsistent state rules. This article will take a brief look at developments in the EU, Canada, and China, discuss the current United States privacy framework, and predict likely developments in U.S. privacy law over the next year.
The International Response
The European Union has taken the most aggressive approach to data privacy and security, having passed the General Data Protection Regulation (GDPR) in April 2016, to take effect on May 25 this year. The GDPR is premised on two basic principles: data privacy as a fundamental right, and privacy by design. As discussed in more detail by other authors, the GDPR provides consistent rules addressing the retention, processing, and security of all personal data by all non-governmental entities. EU data subjects have the right to access, rectify, transfer, and in many cases erase any of their personal data stored by businesses and other entities, while these businesses and entities have the obligation to report most data breaches to authorities within seventy-two hours. Finally, the GDPR imposes severe sanctions for failure to abide by its provisions, with fines of up to €20 million or 4% of annual revenue. In the European Union, dedicated regulatory authorities, called “Data Protection Authorities,” enforce these privacy and cybersecurity regulations.
Canada’s data privacy law is the Personal Information Protection and Electronic Documents Act (PIPEDA). Like the GDPR, it provides an expansive definition for personal data, and governs the retention, processing, and security for such data. Unlike the GDPR, however, PIPEDA excludes charitable organizations and other nonprofits that do not engage in commercial activities. The enforcement of PIPEDA is also less severe than in Europe—Canadians may make complaints to a central data protection authority, the Office of the Privacy Commissioner (OPC)—but the OPC can only make recommendations, which an individual must take to the courts to enforce. In response to the rise of data threats, the Canadian parliament passed the Data Privacy Act in 2015. The Data Privacy Act will provide consistent breach notification requirements, risk assessments, and breach record-keeping requirements across Canada. The implementing regulations for the Data Privacy Act are expected to go into effect in 2018, following a comment period that closed this past fall.
China does not have the best data privacy record and has implemented one of the most advanced domestic censorship and surveillance programs. Yet, even in this political climate, there is a growing push for comprehensive data privacy and cybersecurity laws. In November 2016, China passed the Cybersecurity Law (CSL), expected to be in full force by the end of 2018, following an initial implementation this past June. The CSL provides consistent requirements for the collection, use, and protection of personal information. In addition, industries in “critical sectors” such as communications, information services, energy, transport, water, financial services, public services, and electronic government services will be subject to mandatory testing and certification of their network security. Furthermore, and perhaps most troubling for foreign companies doing business in China, the law requires all business information and data on Chinese citizens to be placed on domestic servers in China. It remains to be seen how much Chinese authorities will focus on individual data privacy protections, as opposed to foreign cyberattacks (or domestic control of citizen data), and most firms are awaiting further guidance from Chinese authorities.
Patchwork Privacy in America
In contrast to the legislation described above, the United States lacks an omnibus legislative approach to data privacy and cybersecurity. Privacy laws are piecemeal and sectoral, covering only specific industries and types of personal data, like health and financial information. As a result, inconsistent rules abound concerning businesses’ obligations towards different types of personal data, depending on their industry and jurisdiction.
For example, the Health Insurance Portability and Accountability Act (HIPAA) is the United States’ primary health privacy and security law. HIPAA requires written consent for non-treatment related disclosures of health data, minimum security safeguards, and data breach notification. HIPAA only applies to “covered entities,” however, defined as health care providers, insurers, clearinghouses, and employer-sponsored health plans, and their “business associates” (parties that contract with “covered entities”). Entities that process sensitive personal health information, but do not fall under the limited definition of “covered entities” or their “business associates,” are not bound by HIPAA rules. Consequently, an individual’s health data may be strictly protected by his or her doctor, but at risk of disclosure from wellness trackers, fitness devices, and a whole host of “internet of things” (IoT) health-monitoring apps.
These same inconsistencies appear in the regulation of financial data. The Gramm-Leach-Bliley Act (GLBA), for instance, requires privacy disclosures and information security plans to safeguard data. The GLBA only applies to financial institutions, however, such as banks, lenders, and insurers. As a result, most retail transactions fall outside the scope of the GLBA privacy and security rules.
Given these gaps in data protection, the states have stepped in. In 2003, California was the first state to implement a data breach notification law: the California Data Protection Act. Since then, forty-seven other states have enacted data breach legislation. This state-by-state approach to data privacy regulation, though protective of consumers, has compounded the inconsistency of U.S. privacy laws. Each state has slightly differing rules concerning the definition of personal information, the standard for what constitutes a breach, the timeline for breach notification, and the contents of a data breach notification. As just one example, California law requires data breach notices to describe the nature of a breach to California residents, while Massachusetts law expressly forbids such a disclosure to its residents.
State unfair competition laws, state statutes imposing stricter medical or financial regulations (like California’s SB-1 and Confidentiality of Medical Information Act), and various invasion-of-privacy tort claims further add to the confusion. Most of these state statutory and common law remedies are not preempted by federal privacy regulations. Consequently, in the wake of a cross-border breach, U.S. businesses often find themselves in a compliance nightmare as they attempt to respond to various federal agencies, state attorneys general, and plaintiffs’ class action suits.
National Legislation on Hold
Despite the growing specter of cybersecurity attacks, and the inconsistent patchwork of current rules, the United States has so far resisted comprehensive privacy or cybersecurity legislation.
In 2012, the Obama administration put forward a blueprint for a Consumer Privacy Bill of Rights, which called for general standards on the collection, retention, and security of personal data. This blueprint immediately faced strong opposition. The burgeoning mobile application and internet communications industries argued that the proposed rules would stifle industry innovation, and instead proposed an approach whereby the tech industry would develop its own self-regulatory models. Following a year of talks between the Obama administration and the tech industry, no progress was made, and the Consumer Privacy Bill of Rights lost momentum.
The Trump administration appears to have even less of an appetite for privacy and cybersecurity rules. In April of last year, Trump repealed FCC rules that governed broadband companies’ use of customer browsing history, geolocation, and financial and medical information for targeted advertising. Earlier this year, Trump strongly objected to language in the 2018 National Defense Authorization Act (NDAA) that required the administration to set forth a national cyber policy to respond to attacks in cyberspace. Though Trump eventually signed the NDAA with this provision, he has (so far) resisted bipartisan attempts to move forward on a national cyber policy.
Policy Predictions for 2018
Though comprehensive privacy legislation appears to have stalled, current developments domestically and abroad will still make 2018 a landmark year for cybersecurity policy. Based on current trends, here are several predictions for the rest of 2018:
The US-EU Privacy Shield will be tested, spurring calls for stronger domestic privacy policies.
Currently, over 2,000 companies in the United States have agreed to the US-EU Privacy Shield, a bilateral agreement that allows data transfers between the United States and Europe—transfers that amount to billions of dollars in trade. With the growing differences between American and European privacy laws, the viability of the Privacy Shield is in question. In 2015, the European Court of Justice struck down the Privacy Shield’s predecessor, the US-EU safe harbor, and the current Privacy Shield was implemented as a hasty stopgap. Major tech companies that conduct business in the EU—like Google, Microsoft, and Amazon—are already implementing GDPR-style rules across their organizations, instead of relying solely on the US-EU Privacy Shield. Thus, when EU data privacy watchdogs inevitably attack the US-EU Privacy Shield, these tech giants will be less likely to oppose stricter data regulations to strike a transatlantic deal.
China’s Cybersecurity Law will become a bargaining chip in the current trade disputes.
Last November, the Trump administration submitted a document for debate at the WTO Services Council, stating that the full implementation of China’s new Cybersecurity Law would “disrupt, deter, and in many cases, prohibit cross-border transfers of information that are routine in the ordinary course of business.” China has previously delayed implementation of the Cybersecurity Law based on the concerns of industry, and may choose to do so again if provided sufficient trade incentives by the United States.
State legislatures will introduce proactive cybersecurity legislation, not just data breach rules.
New York was the first state to implement a comprehensive cybersecurity regulation in September 2016, which went into effect on March 1, 2017 for banks, insurance companies, and other financial services firms. The regulation requires proactive risk assessments, written incident response plans, and monitoring and detection for cybersecurity threats. The National Association of Insurance Commissioners (NAIC) has largely adopted New York’s regulations in its model laws and is currently encouraging adoption by other states. Massachusetts is likely to be next—the state approved the creation of a cybersecurity committee last May, and it is due to provide recommendations at the end of March 2018. Given this trend, it is likely that other states will begin to incorporate the NAIC model rules.
State and national legislatures will push for increasing IoT rules.
The increasing popularity of Amazon Echo, Google Home, and other smart devices is making the “internet of things” more attractive, as consumers can easily connect different devices and apps to one central system. The ability of these devices to be “on” and collecting data at any time has concerned legislators. Currently, California is considering legislation (SB 327) that would require smart devices to indicate when they are collecting information, to obtain consent prior to collection and transmission of such information, and to provide necessary software updates and patches. At the federal level, senators introduced a bipartisan bill on August 1, 2017, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, which would provide minimal cybersecurity operational standards for internet-connected devices.
The economy continues to hurtle online, as we increasingly blend the digital world with our own business and private lives. In this interconnected and virtual space, boundaries between industry sectors and jurisdictions have less meaning. Though United States privacy and cybersecurity rules have served well in the past, balancing consumer privacy interests against industry innovation, this patchwork of rules relies on outdated assumptions: that healthcare entities manage healthcare data, that financial institutions manage financial data, and that data is stored locally.
The truth is, we entrust our most sensitive information across a whole range of applications and devices and trade our data abroad. Consequently, data vulnerabilities may exist anywhere in this digital food chain. Even though it may take some time, this author expects that comprehensive privacy and data security legislation will become just as inevitable in the United States as it has abroad, as further high-profile cyberattacks continue. Perhaps someday, strong, economy-wide cybersecurity laws will feel as natural to United States residents as locks on our doors, or seatbelts on our (soon to be driverless) cars.
*Disclaimer* This article is not legal advice or legal opinion, and the contents are intended for general informational purposes only. Circumstances may differ from situation to situation. All legal and other issues must be independently researched. The views expressed herein are those of the author and not of Orange County Lawyer or the Orange County Bar Association.