DEFENSIBILITY: CHANGING THE WAY ORGANISATIONS APPROACH CYBERSECURITY AND DATA PRIVACY
Author: Bridget MEAD BS (St Joseph's), MA (Rosemont), JD (Drexel); CIPP-US; Associate, Marshall Dennehey Warner Coleman & Goggin. James GOEPEL BSECE (Drexel), JD (George Mason), LLM (George Mason); Registered Attorney (USPTO, Virginia); Adjunct Professor, Drexel University Thomas R Kline School of Law and LeBow College of Business; CEO and General Counsel, Fathom Cyber LLC, USA; Co-founder, CMMC Information Institute Inc, USA. Jared Paul MILLER BA (Juniata), JD Candidate 2021 (Drexel); Research Assistant, Drexel University Thomas R Kline School of Law. Paul FLANAGAN BA (Catholic University of America), MS (Widner), JD (Creighton); CHC, CCEP, CIPM; Assistant Professor of Law and Director of the Privacy, Cybersecurity, & Compliance Program, Drexel University Thomas R Kline School of Law.
Publication year: 2021
Citation: (2021) 33 SAcLJ 10127
Published date: 01 December 2021
Date: 01 December 2021
1 On 7 September 2017, Equifax announced that it had been the victim of a cybersecurity incident that resulted in a data breach which impacted consumers in the US, UK and Canada.1 Equifax is one of the largest consumer credit reporting agencies (“CRA”) in the world with annual revenue in excess of US$3bn. CRAs collect extensive information on consumers from various sources.
2 Criminals exploited a well-known vulnerability2 in a website Equifax provided for customers in the US and were thus able to gain unauthorised access to personally identifiable information. Initial reports indicated that the data of 143 million US consumers was impacted by the breach, along with as many as 100,000 Canadian consumers and almost 700,000 UK consumers.3 Subsequent investigation identified an additional 2.5 million US consumers who were potentially impacted but reduced the number of Canadian citizens impacted to approximately 8,000.4
3 To date, Equifax has agreed to pay US$700m in a settlement with portions of the US federal government and some state governments, and an additional US$380m to a consumer restitution fund.5 They have also
4 However, the total financial impact of the breach is not limited to Equifax's direct incident response costs. As part of its settlement efforts the company has also committed to spending an additional US$1bn over the next five years on data security and related technology,7 and that is on top of the more than US$1bn it has already spent on technology and security investments.8 All told, the cybersecurity incident and resulting privacy breach could result in Equifax being forced to spend over US$5bn, or nearly twice its annual revenues, in a period of only a few years. Even for an organisation the size of Equifax, this represents a significant readjustment of spending priorities that will have a long-lasting impact on other programmes throughout the organisation and on the organisation's9 profitability. The Equifax breach illustrates the far-reaching impact a cybersecurity incident and privacy breach can have on an organisation.
5 This article discusses techniques that can be employed by organisations to reduce their likelihood of suffering losses and costs like those facing Equifax. Foundationally, Part II of this article will explore the current international data privacy and cybersecurity regulatory landscape by examining key regulations in the European Union (“EU”), the US and
6 The landscape of current data privacy and cybersecurity laws is varied. As such, solutions for corporate compliance and enterprise risk management are complex and require a comprehensive analysis of which of the varied international and domestic regulations are appropriate to consider. Coverage of every data privacy and cybersecurity regulation and law from across the globe would require an anthology of several hundred pages. However, highlighting a select few regulations will illustrate both the variety in provisional mandates and the consistency in purposes. Additionally, the international nature of Equifax's customers and the scope of their business requires a consideration of the international legal landscape. The General Data Protection Regulation10 (“GDPR”) from Europe, the California Consumer Protection Act, the New York SHIELD Act, several US federal industry specific regulations and the ASEAN Framework and related Asian regulations will be examined.
7 Although the terms “laws” and “legislatures” will be used throughout this article, they are used as general terms and should be understood to encompass both laws written by legislators who are members of legislatures, such as the US Congress, and also regulations written by regulators who work for governmental departments or agencies that are charged with enforcing the laws.
8 Just two years young, the GDPR is the most extensive and constantly evolving international legislation related to data privacy and cybersecurity. It has been used as a guide for other international
9 In 1995, the EU began its efforts towards comprehensive data protection for all EU citizens through the European Data Protection Directive.11 The Directive was an acknowledgment that the varying data protection legislation among EU member states was negatively affecting the free flow of data within the EU.12 Under EU law, directives are non-binding legislative acts that essentially set goals for EU member states to achieve by enacting their own individual laws.13 A regulation, by contrast, is a binding act which applies directly across the EU to every member state.14
10 In early 2012 the European Commission, acknowledging technological progress, globalisation, and how EU citizen data was being collected, processed and used, proposed an overhaul to the Data Protection Directive.15 Subsequently during 2012, several other EU committees, including the Article 29 Working Party, an advisory board made up of representatives of the data protection authorities from each EU member state,16 submitted opinions to the EU Commission regarding the Directive overhaul.17 In late 2015 the EU Parliament, EU Commission and EU Council reached an agreement on the provisions of the GDPR. One year later, in 2016, the GDPR was enacted, giving covered entities two years to comply. On 25 May 2018, all covered entities, including both EU and non-EU entities, were required to comply with the provisions set forth in the regulation or face severe penalties.18
11 Critical to understanding the scope of any data privacy or cybersecurity regulation is the definition of personal data. Long before the GDPR's Art 4 definition, the EU established the protection of personal
12 Coupled with the broad definition of personal data, the GDPR is equally broad in its language related to which entities are covered and must comply. Article 3 establishes the GDPR's territorial scope and the European Data Protection Board has made clear that there are two ways in which an entity falls within the GDPR's territorial scope.21
13 Article 3(1) sets forth the “Establishment Criterion” while Art 3(2) sets forth the “Targeting Criterion”.22 Under the “Establishment Criterion”, any entity established in the EU, regardless of whether its data processing activities occur in the EU or not, is considered a covered entity and must comply.23 Conversely, the “Targeting Criterion” expands the coverage of the regulation by mandating that even entities which are not established in the EU must comply with the GDPR if the processing of personal data relates to the offering of goods and services (regardless of payment) or to the monitoring of the behaviour of a data subject that takes place within the EU.24 Alternatively worded, if a non-EU entity is processing the personal data of a data subject, not necessarily an EU citizen, while that data subject is in the EU, it must comply. The entity need not be a business to be covered as the
14 As illustrated by the above select GDPR provisions, a wide range of entities would qualify as being required to comply with the regulation's provisions. A corporation cannot assume that it is safe from the risk of non-compliance. The safest approach to the GDPR would be to assume qualification as a covered entity and comply with its provisions. At the risk of doing a disservice to the extensive provisions and obligations placed on covered entities in the GDPR, when assessing compliance risks, corporations should understand the following five key points about the GDPR:
(a) Data processing needs to be lawful, fair and transparent. Consumers must have notice of processing and processors must collect affirmative consent to process.26
(b) Data subjects have explicit rights to deletion and rectification.27
(c) There are specific timelines for notification to data subjects and supervisory authorities after a data breach has occurred.28
(d)...