
Coping with Evolving Cybersecurity Rules

By Jonathan S. Feld, Susan E. Asam and Leyton Nelson
June 02, 2014

Cybersecurity and data protection, more than ever, are priority items for the government and private sector. The government's interest is to protect the country from a cyberattack that will cripple the economy or critical infrastructure. The private sector's interest is to protect its products as well as the safety of its customers' financial and private data. Recent high-profile data breaches exposed vulnerabilities in the safety of our country's consumer data, which is the bedrock of the rebounding economy, resulting in millions of dollars in damages.

The government has reacted by proposing legislative “fixes” that would require organizations to satisfy basic levels of cybersecurity protection and disclose breaches or face fines. Whether a mandatory compliance model for cybersecurity will be effective given the rapid pace by which technology advances is unclear. It may be unrealistic to expect the government's legislative pace to keep up with hackers.

Another complication that affects the efficiency of solutions is the question of who should regulate and enforce cyber law. To date, federal and state governments have been able to share jurisdiction over cybersecurity and data protection without much controversy, albeit with some inefficiency. However, this shared jurisdiction may be getting more complicated as federal agencies, such as the Federal Trade Commission (FTC), try to take a bigger role.

Regardless of whether cybersecurity laws are enforced on a federal or state level, or both, e-commerce counsel, who are on the front lines of data security compliance, should be aware of their legal obligations in order to mitigate risk for their clients and those clients' customers. The primary jurisdictional questions that should be on corporate counsel's radar during this time of change in cybersecurity law are: 1) What is the federal government's role in cybersecurity compliance, and will it change in the near future? 2) Will a federal disclosure law increase a corporation's obligations or streamline them?

The Federal Government's Role

At present, there are more than 50 federal laws that govern some aspect of cybersecurity law. In addition, many federal agencies have jurisdiction to enforce these laws in sectors such as finance, energy and health care. Recent attempts at passing comprehensive legislation have failed, resulting in a piecemeal approach. This began with the 2013 Cybersecurity Executive Order, which created a voluntary best practices model for organizations of all sizes, with a focus on organizations considered “critical infrastructure.” See, “Executive Order: Improving Critical Infrastructure Cybersecurity.”

The National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS), which have led this initiative, plan to continue implementation efforts in coming years to incentivize organizations to improve their cybersecurity on a voluntary basis led by the private sector. At the same time, mandatory statutory measures are being formulated. The FTC has been actively advocating for Congress to pass legislation that would increase its enforcement authority and ability to fine organizations that do not adequately protect their data. Congress has drafted bills that would create such a compliance model, but, to date, no consensus has been reached and no new laws passed.

Notwithstanding the absence of new legislation, the FTC's authority to enforce data privacy standards for consumers was affirmed by the judicial branch in a decision in April. In FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014), a federal district court in New Jersey denied Wyndham Worldwide Corporation's motion to dismiss an FTC complaint alleging that Wyndham engaged in unfair and deceptive data security practices by failing to maintain “reasonable and appropriate data security” for its customers. In doing so, the court affirmed that the FTC's authority to redress “unfair” or “deceptive” trade practices extends to data security. See, “Fed. Judge Says FTC Can Sue over Poor Data Security,” in the May 2014 issue of e-Commerce Law & Strategy.

The practical reach of the Wyndham decision is unsettled because the court expressly recognized limits to the FTC's authority in future cases. The court stated that the FTC does not have “a blank check to sustain a lawsuit against every business that has been hacked.” That said, Wyndham involves claims of deceptive practices relating to online privacy policies. In the short term, corporations should take from the court's holding that accurate descriptions of their online privacy policies (and their effectiveness) must be a priority in order to minimize legal vulnerabilities, such as a possible lawsuit from the FTC. Corporations should also understand that the FTC's jurisdictional reach and enforcement in the area of cybersecurity will likely continue to expand given the growing support for such jurisdiction in the courts and in Congress.

With increasing FTC authority, it is unclear what will happen to state cybersecurity laws. For example, California and Massachusetts have implemented robust cybersecurity enforcement initiatives. Whether these state initiatives will be curtailed in light of increased federal authority will likely be answered in coming years. For now, corporations should be prepared to comply with both federal and state initiatives until compliance models are finalized.

The Effect of a Disclosure Law

Most states require organizations to disclose breaches of their citizens' data. Kentucky is the most recent state to enact a disclosure law. See, KY H.R. 232 (April 2014). The problem for disclosing entities is that state laws have different requirements and thus lack uniformity. In response, one of the proposed federal bills establishes a federal data breach disclosure law. The purpose is to clarify and simplify the onerous requirements of inconsistent state laws. A federal law would also aim to resolve potential jurisdictional obstacles in state court actions where a state is trying to enforce its disclosure statute on an out-of-state organization.

In reality, it is unlikely that states will take a “back seat” to the federal government on data breach issues, particularly because of the states' interest in protecting the personal and financial data of their citizens. While it is possible that a federal-state cybersecurity disclosure model may evolve similar to that which is in place under existing laws (like the Health Insurance Portability and Accountability Act (HIPAA)), a federal disclosure law would likely not supplant state efforts, especially given the limited enforcement capabilities and budget of both.

The ever-evolving nature of data breach disclosure obligations requires corporate counsel to monitor proposed bills that would mandate federal disclosure in the event of a breach. Depending on the specifics of an enacted federal disclosure law, corporations should also be prepared, at least in the short term, for the federal disclosure law to add to breach disclosure obligations, rather than streamline them. Additionally, when a breach occurs that affects citizens in a state where the corporation is not domiciled, companies should seek guidance on the jurisdictional reach of state statutes in order to ensure that they are following best practices and fulfilling notification obligations.


Jonathan S. Feld is a partner at Dykema Gossett in Chicago who focuses on business litigation and compliance matters. Susan E. Asam is an associate at Dykema's Detroit office who also focuses on business litigation with a specialty in cybersecurity. Leyton Nelson is an associate at Dykema's Chicago office who focuses on business litigation.