A nationwide retailer recently unveiled its new mobile application, which combines geolocation data from consumers’ cell phones with Internet browsing preferences to alert customers to sales whenever they come within 10 miles of a brick-and-mortar store. The company is careful to collect and store only the data that is necessary to send the promotional “push” notifications. Customers have been informed of the data collection practices and either have given their informed consent or have opted out of the program. The general counsel has taken steps to safeguard sensitive consumer information but wants to know if there are any legal requirements to secure the newly acquired data or resources to guide the company’s efforts.
National Cyber Security Awareness Month
October is National Cyber Security Awareness Month (NCSAM), a presidentially designated campaign observed annually since 2004. NCSAM brings together government and industry leaders to increase cybersecurity awareness and to make the nation more resilient to cyber incidents. Of course, companies already are aware that electronic data is at risk of being compromised by hackers, foreign states, rogue employees and many less sensational causes, such as system malfunction and human error. “Awareness” in the cybersecurity context means being aware not only of the risks but also of existing legal obligations to mitigate those risks and of legal resources available to combat cyber threats.
Federal Cybersecurity Rules
There is no comprehensive cybersecurity legislation in the United States, but several laws impose data security requirements within specific industries.
Notably, the Gramm-Leach-Bliley Act (GLBA) requires that “financial institutions,” such as lenders and investment advisers, protect customers’ “nonpublic personal information.” Several regulators—the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and the Federal Reserve—implement this requirement and each has adopted its own “safeguards rule.” The FTC, for example, requires that financial institutions under its GLBA jurisdiction (e.g., mortgage brokers and payday lenders) adopt a written information security plan and other security measures.
Similarly, health care providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must comply with its “Security Rule,” which outlines physical, administrative and technical safeguards for electronic “protected health information” (similar to the HIPAA Privacy Rule for non-electronic PHI). The Federal Communications Commission (FCC), in like fashion, is considering changes to its broadband privacy rules that would require Internet service providers to take reasonable steps to protect consumer data from intrusion.
State Cybersecurity Laws
Although there is no comprehensive federal law, several states have enacted data security statutes that can function as de facto minimum requirements for companies operating nationally. States such as California and Rhode Island require “reasonable” security, while other states establish more specific safeguards for their citizens’ personal information. Nevada, for example, sets stringent standards for data encryption. Massachusetts, borrowing in part from the GLBA and HIPAA rules, requires certain “administrative, technical, and physical” safeguards, a “written information security policy,” and encryption of all data transmitted outside the company. In addition, many states have industry-specific cybersecurity requirements (e.g., health insurance in Connecticut and New Jersey).
Model Frameworks and Guidance
Even in the absence of specific data security rules, regulators such as the FTC, FCC, and the Consumer Financial Protection Bureau (CFPB) have seized on broader authority to prevent unreasonable, unfair and/or deceptive practices and have fined and investigated companies following data security incidents. Moreover, many existing rules merely require “reasonable” security measures, leaving companies to wonder how to stave off both cybersecurity threats and public enforcement actions. Even absent specific rules, however, legal resources are available to help companies confront cyber risks.
In 2013, for example, President Obama issued an executive order directing the National Institute of Standards and Technology (NIST) to establish a “framework to reduce cyber risks to critical infrastructure.” The end product, the NIST Cybersecurity Framework (“NIST Framework”), has been used by companies inside and outside the critical infrastructure sector to evaluate and address cybersecurity threats. Microsoft’s director of cybersecurity policy recently touted the Framework’s benefits, and the FTC—while not going so far as to say that complying with the Framework is the same as complying with the FTC Act—has described the Framework as “consistent” with the FTC’s long-standing approach to cybersecurity enforcement.
In California, where reasonable security is required, the attorney general has issued guidance documents and data breach reports to help companies protect against cyber threats, including detailed suggestions, such as considering the Center for Internet Security’s 20 Critical Security Controls. In industries subject to cybersecurity rules, regulators have published guidance documents and tools to aid with compliance, such as the Department of Health & Human Services’ recommendations for complying with the HIPAA Security Rule and the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool for financial institutions. But even in industries not subject to specific cybersecurity rules, regulators have authored guidance documents, such as the Food and Drug Administration’s draft cybersecurity guidance for medical device manufacturers (which incorporates elements of the NIST Framework).
Although there is no comprehensive cybersecurity statute in the United States, data security laws are on the books in certain states and sectors, including some very detailed enactments. Even in states and industries that require only “reasonable” security, guidance documents and model frameworks are available to assist companies handling electronic data. These resources are no guarantee against cyber incidents or legal action, but they provide businesses with valuable tools to assess and address cyber threats. Both the FTC and the NIST Framework have eschewed a “one-size-fits-all” model for cybersecurity preparedness, and companies should consider available resources in the context of their businesses, client bases and databases.