2013 Legislation: Breach Notification
Attorneys: Pay Attention to Uptick in Global Regulation
Although the U.S. has stalled when it comes to comprehensive federal breach notification legislation, countries around the globe are starting to develop their own requirements, says attorney David Navetta.
"The United States has been the leader in terms of breach notification legislation, the laws in the various states," says Navetta, co-founder of the Information Law Group, in an interview with Information Security Media Group [transcript below].
"[Now] we're seeing some countries, even some jurisdictions within countries, developing their own breach notification requirements," he says.
Navetta's comments come in the fifth and final installment of a series of interviews with leading information security and privacy attorneys on legal trends to watch in 2013.
The European Union is in the midst of developing a breach notification requirement for its 27 member states, Navetta explains. Such a trend could "pose a big challenge for organizations in the U.S. that are operating overseas or taking information from customers overseas," he says.
In a discussion about legislative trends for 2013, the attorneys discuss:
- State legislative activities;
- How cloud and data security will be a focus of lawmakers;
- Consumer protection trends regarding data security.
About the participants:
David Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He has been a keen observer of information security-related litigation, including financial fraud and state privacy laws.
Ronald Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.
Lisa Sotto is managing partner for New York-based law firm Hunton & Williams, where she focuses on privacy, data security and information management issues. She has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners.
The remaining installments of this series focus on:
- The legal merits of 'hack back';
- Regulators dictating privacy;
- Fraud litigation trends;
- Effective breach response.
Cloud and Mobile
TOM FIELD: Looking ahead, Lisa, what legislative trends do you foresee in 2013, whether in the U.S. or globally? What are we going to be talking about next year?
LISA SOTTO: I think we're going to see a continued focus on a couple of issues, and I would identify the key issues as cloud computing, online behavioral advertising and also mobile. With respect to cloud computing, there's no question that businesses are moving their data into the cloud in droves. There's going to be a very significant effort to understand how the cloud computing environment fits with the existing legal framework all over the world.
In the online behavioral advertising space, there continues to be grumbling about the tracking of our movement across the web. We will certainly hear more in that area.
Then the mobile space also is a place to watch. It's a nascent area. We have not yet figured out how to do privacy well in the mobile arena, and of course there have been some recent FTC pronouncements with respect to app developers and their ability to provide privacy protections. That's a place to watch.
In addition, there's no question that we're going to see more countries around the world enact data protection laws and also put in place regulations where there's right now just a law but no regulations to implement that law. We'll be watching the global landscape very carefully. Cybersecurity will continue to be the talk of the town. We're anticipating a great deal of activity in that space, so this is something I think to keep high on the radar screen.
Developing Comprehensive Legislation
FIELD: Gentlemen, I want to ask you the same question I asked Lisa, and that's looking ahead: What legislative trends do you foresee in 2013, not just in the U.S. but globally as well? David, let me start out with you.
DAVID NAVETTA: In terms of trends, I still think we're in a quagmire back and forth from a federal legislative trend point-of-view. We have a new administration that has come in for a second term, so we may see some additional activity, but I still think we have a divided Congress and the interest groups are so entrenched when it comes to basic security and privacy, business vs. consumer, that I don't see the gray area that we reach in order to get comprehensive legislation in the United States. We may see some activity on the state level, but again it's kind of stalled with breach notification trends. We had a couple of laws related to PCI that were going to perhaps force out a trend, but nothing happened. I'm not sure we're going to see much in 2013. I'll be surprised if we do.
Global Trends: Breach Notification
Globally, I think we will see more activity. More and more countries are trying to modernize their economy environment and their legal system. I see more laws from the U.S. legal point-of-view for companies that are doing work overseas. That's going to be something you're going to have to pay more attention to. This is especially true when it comes to breach notification. The United States has been the leader in terms of breach notification legislation, the laws in the various states, and we're seeing some countries now, even some jurisdictions within countries, developing their own breach notification requirements. Lisa mentioned even on the European Union level a potential breach notification requirement. That could pose a big challenge for organizations in the U.S. that are operating overseas or taking information from customers overseas. That's one thing I would keep my eye out for in 2013.
RONALD RAETHER: David and Lisa have done a pretty good job of covering the fields of where we're likely to see progress in 2013, or activity in 2013. The only thing that I would add is that in the regulator space, I think the place to watch out is the Consumer Financial Protection Bureau and the FTC, and I think to a certain extent the cooperation between those two entities and Senator Rockefeller. I presume that a lot of us have worked on responding to letters from Senator Rockefeller and the committee that he chairs dealing with data security. I've had other clients that have received letters from Rockefeller dealing with big data issues, so there may be other letters that are floating out there still that are making general inquiries into how various e-commerce and e-transaction companies are engaging in their business. Those responses will filter to the FTC and the CFPB. I know that they're working together to try to tackle these issues. Whether anything subsequently comes out of them or not is yet to be seen. Also, I know that the CFPB is meeting with a number of companies informally, doing some data gathering, so I do suspect that we'll see activity from the CFPB, if not in 2013 then in 2014, depending on how much more data gathering they do.
Likewise, I think we'll see more statutes like those that came out of Maryland, Illinois and California dealing with the use of social media and the use of electronic information in employment background screenings or employment application screenings that they're talking about in each of those states. They passed legislation that dealt with whether an employer can require an employee or prospective employee to share their password to gain access to Facebook or other social media. The law says that employers are prohibited from doing so, and that was really in response to public surge and interest in that issue. I suspect there might be other types of issues and certainly other states that will follow on with what California, Maryland and Illinois did with respect to that privacy issue.