DEFENSIBILITY: CHANGING THE WAY ORGANISATIONS APPROACH CYBERSECURITY AND DATA PRIVACY

• Author: Bridget MEAD BS (St Joseph's), MA (Rosemont), JD (Drexel); CIPP-US; Associate, Marshall Dennehey Warner Coleman & Goggin. James GOEPEL BSECE (Drexel), JD (George Mason), LLM (George Mason); Registered Attorney (USPTO, Virginia); Adjunct Professor, Drexel University Thomas R Kline School of Law and LeBow College of Business; CEO and General Counsel, Fathom Cyber LLC, USA; Co-founder, CMMC Information Institute Inc, USA. Jared Paul MILLER BA (Juniata), JD Candidate 2021 (Drexel); Research Assistant, Drexel University Thomas R Kline School of Law. Paul FLANAGAN BA (Catholic University of America), MS (Widner), JD (Creighton); CHC, CCEP, CIPM; Assistant Professor of Law and Director of the Privacy, Cybersecurity, & Compliance Program, Drexel University Thomas R Kline School of Law.
• Publication year: 2021
• Citation: (2021) 33 SAcLJ 10127
• Published date: 01 December 2021
• Date: 01 December 2021

I. Introduction

1 On 7 September 2017, Equifax announced that it had been the victim of a cybersecurity incident that resulted in a data breach which impacted consumers in the US, UK and Canada.1 Equifax is one of the largest consumer credit reporting agencies (“CRA”) in the world with annual revenue in excess of US$3bn. CRAs collect extensive information on consumers from various sources.

2 Criminals exploited a well-known vulnerability2 in a website Equifax provided for customers in the US and were thus able to gain unauthorised access to personally identifiable information. Initial reports indicated that the data of 143 million US consumers was impacted by the breach, along with as many as 100,000 Canadian consumers and almost 700,000 UK consumers.3 Subsequent investigation identified an additional 2.5 million US consumers who were potentially impacted but reduced the number of Canadian citizens impacted to approximately 8,000.4

3 To date, Equifax has agreed to pay US$700m in a settlement with portions of the US federal government and some state governments, and an additional US$380m to a consumer restitution fund.5 They have also

agreed to pay up to US$2bn more if all 147 million impacted persons sign up for credit monitoring.6 This brings Equifax's total incident response costs to at least US$1bn, and they may extend to beyond US$3bn.

4 However, the total financial impact of the breach is not limited solely to Equifax's direct incident response costs. As part of its settlement efforts the company has also committed to spending an additional US$1bn over the next five years on data security and related technology,7 and that is on top of over US$1bn it has already spent in technology and security investments.8 All told, the cybersecurity incident and resulting privacy breach could result in Equifax being forced to spend over US$5bn, or nearly twice its annual revenues, in a period of only a few years. Even for an organisation the size of Equifax, this represents a significant readjustment of spending priorities that will have a long-lasting impact on other programmes throughout the organisation and on the organisation's9 profitability. The Equifax breach illustrates the far-reaching impact a cybersecurity incident and privacy breach can have on an organisation.

5 This article discusses techniques that can be employed by organisations to reduce their likelihood of suffering losses and costs like those facing Equifax. Foundationally, Part II of this article will explore the current international data privacy and cybersecurity regulatory landscape by examining key regulations in the European Union (“EU”), the US and

Asia. Part III will present the principles of compliance and the importance of an effective compliance programme. Part IV will argue that the key to addressing risks and building a defensible cybersecurity and data privacy programme is a comprehensive enterprise risk management (“ERM”) programme. Finally, this article will conclude with an application of the principles of compliance and ERM to the Equifax incident, to illustrate how these concepts would have altered the outcome and saved billions of dollars.

II. International data privacy regulatory landscape and cybersecurity

6 The landscape of current data privacy and cybersecurity laws is varied. As such, solutions for corporate compliance and enterprise risk management are complex and require a comprehensive analysis of which of the varied international and domestic regulations are appropriate to consider. Coverage of every data privacy and cybersecurity regulation and law from across the globe would require an anthology of several hundred pages. However, highlighting a select few regulations will illustrate both the variety in provisional mandates and the consistency in purposes. Additionally, the international nature of Equifax's customers and the scope of their business requires a consideration of the international legal landscape. The General Data Protection Regulation10 (“GDPR”) from Europe, the California Consumer Protection Act, the New York SHIELD Act, several US federal industry specific regulations and the ASEAN Framework and related Asian regulations will be examined.

7 Although the terms “laws” and “legislatures” will be used throughout this article, they are used as general terms and should be understood to encompass both laws written by legislators who are members of legislatures, such as the US Congress, and also regulations written by regulators who work for governmental departments or agencies that are charged with enforcing the laws.

A. EU's GDPR

8 Just two years young, the GDPR is the most extensive and constantly evolving international legislation related to data privacy and cybersecurity. It has been used as a guide for other international

legislation and understanding it is critical to understanding other international legislation.

9 In 1995, the EU began their efforts towards comprehensive data protection for all EU citizens through the European Data Protection Directive.11 The Directive was an acknowledgment that the varying data protection legislation among member states of the EU was negatively affecting the free flow of data within the EU.12 Under EU law, directives are non-binding legislative acts that essentially set goals for EU member states to enact their own individual laws.13 A regulation is a binding act which is applied across the EU to every member state.14

10 In early 2012 the European Commission, acknowledging technological progress, globalisation, and how EU citizen data was being collected, processed and used, proposed an overhaul to the Data Protection Directive.15 Subsequently during 2012, several other EU committees, including the Article 29 Working Party, an advisory board made up of representatives of the data protection authorities from each EU member state,16 submitted opinions to the EU Commission regarding the Directive overhaul.17 In late 2015 the EU Parliament, EU Commission and EU Council reached an agreement on the provisions of the GDPR. One year later, in 2016, the GDPR was enacted, giving covered entities two years to comply. On 25 May 2018, all covered entities, including both EU and non-EU entities, were required to comply with the provisions set forth in the regulation or face severe penalties.18

11 Critical to understanding the scope of any data privacy or cybersecurity regulation is the definition of personal data. Long before the GDPR's Art 4 definition, the EU established the protection of personal

data in both the Charter of Fundamental Rights of the European Union19 and Treaty on the Functioning of the European Union.20 The fundamental right to the protection of personal data in the EU is longstanding, with the starting point being the EU Data Protection Directive. The GDPR expanded this right by using vague language with a broad scope to define personal data. Article 4(1) states that personal data means “any information relating to an identified or identifiable natural person (data subject)”. The inclusion of “identifiable” in the definition is prospective and broadens the definition to include future conduct. The provision clarifies “identifiable natural person” by stating that such person may be identified directly or indirectly and by reference to one or more listed factors such as name, online identifier and location data. Significantly, the GDPR's definition of personal data does not include any language requiring the personal data to be of a European Union citizen.

12 Coupled with the broad definition of personal data, the GDPR is equally broad in its language related to which entities are covered and must comply. Article 3 establishes the GDPR's territorial scope and the European Data Protection Board has made clear that there are two ways in which an entity falls within the GDPR's territorial scope.21

13 Article 3(1) sets forth the “Establishment Criterion” while Art 3(2) sets forth the “Targeting Criterion”.22 Under the “Establishment Criterion”, any entity established in the EU, regardless of whether their data processing activities occur in the EU or not, are considered a covered entity and must comply.23 Conversely, the “Targeting Criterion” expands the coverage of the regulation by mandating that even entities which are not established in the EU must comply with the GDPR if the processing of personal data is related to goods and services (regardless of payment) or if the processing of personal data is related to the monitoring of the behaviour of the data subject that takes place within the EU.24 Alternatively worded, if a non-EU entity is processing the personal data of a data subject, not necessarily an EU citizen, while that data subject is in the EU, they must comply. The entity need not be a business to be covered as the

GDPR specifies that a data controller or data processor may be a “natural or legal person, public authority, agency or other body”.25

14 As illustrated by the above select GDPR provisions, a wide range of entities would qualify as being required to comply with the regulation's provisions. There can be no assumptions on the part of a corporation that they are safe from risk of non-compliance. The safest approach to the GDPR would be to assume qualification as a covered entity and comply with its provisions. At the risk of doing a disservice to the extensive provisions and obligations placed on covered entities in the GDPR, when assessing compliance risks, corporations should understand the following five key points about the GDPR:

(a) Data processing needs to be lawful, fair and transparent. Consumers must have notice of processing and processors must collect affirmative consent to process.26

(b) Data subjects have explicit rights to deletion and rectification.27

(c) There are specific timelines for notification to data subjects and supervisory authorities after a data breach has occurred.28

(d)...