Discussion with Justin Daniels of Baker Donelson on GDPR and cyber security legislation.
Justin Daniels provides corporate advice to growth-oriented and middle market domestic and international businesses. He is also a cybersecurity thought leader who believes cybersecurity is a strategic business enterprise risk.
Q: What policies should a company employ to ensure that they are protected against cyber breaches?
A: The answer depends on the company and the nature of its risk. Companies need to understand the risks associated with their type of business and the means by which they are delivering products and services.
An e-commerce company will likely experience the most risk via its website. A brick-and-mortar company will experience the most risk through its POS system. Every company needs to make sure to assess its cyber risks and create a cyber policy tailored to that risk.
Q: What should the limits on risk policies be?
A: Cyber policies need to cover things like hiring forensics and the means by which you can assess how the breach happened. A cyber policy also needs to be able to assess the scope of the breach quickly. Cyber policies will include things like the process by which you would hire a firm to handle legal fees or a PR crisis communication firm.
The policy will need to have the scope to cover how inquiries from the media will be handled as well. There is no single cyber policy that will handle all of these needs. An effective cyber policy will comprise many individual policies for each part of the breach.
Q: Can companies buy pre-built cyber policies?
A: There is no good way to buy a pre-made cyber policy. Companies need to understand what type of cyber policies they need to have in place for their unique needs. Companies need to know what a good cyber policy is and build one that is customized to their needs.
One of the primary things that each company needs to have in place is an incident response plan. This plan will need to actually be practiced so that it will work when it needs to be put to use. Rather like a fire drill, a cyber policy needs to be put to the test and practiced so that it can be implemented effectively if a breach happens.
A good way to practice this type of cyber policy implementation is to simulate a breach and see how the policy works when it is actually put into use. Weaknesses related to response times are of primary concern. In the US, a reasonable response time is anywhere from 30 to 90 days, but in the UK, due to GDPR, the response time for a breach is 72 hours.
Q: How do you implement a cyber policy simulation?
A: A team will need to be hired to simulate the breach and to stand in for the crisis communications firm and the forensics firm who would be hired in a live breach incident. The audience will serve the role of the C-Suite. The simulation should be run various times and at the conclusion of each cycle, questions need to be posed to the participants.
A good example of a simulation scenario is a person claiming to have documentation that the company did not adequately protect from risk, who wants to be paid a ransom to give the documents back. The simulation should be run as a worst-case scenario for each situation. This will show where the cyber policy needs work and where it works best. It is not enough to assert that a company cares about cyber security without actually taking actions to ensure that this is true.
Q: Cybersecurity and computer legislation in general is pretty vague. As an example, the California Assembly bill leaves a lot of room for interpretation in its language. Will these types of policies be improved, or is case law adequate to advise where the bills are not clear?
A: When the Securities Act of 1933 was put in place, a level of flexibility was built into the act. Now that technology evolves so quickly, this flexibility is helpful but sometimes leads to gaps in the information offered by the bills. Broad principles are necessary to refer to types of breaches with any authority so that what is allowed and what is not allowed is set forth for companies.
If an attempt is made to get too detailed, technology will constantly be too many steps ahead of the legislation for it to be applicable. As an example, the current wrangling over ride sharing laws has been going on for a while now and by the time a decision gets made, the ride sharing reality will have advanced so much farther that the decision that was made about the law will no longer be relevant.
Q: Who is responsible for the damage caused by a cyber breach?
A: The people responsible for the attack have the legal responsibility but what we have seen in recent cyber breaches is that they are not often held accountable. This will likely always be an issue since there are usually many people involved in a cyber breach and it is hard to decide who has the ultimate responsibility.
The question that the cyber security industry faces is whether there is a need to legislate certain standards that will have to be adhered to or not. If companies are not willing to adhere to standards, they should be held responsible for that lack of attention.
Q: It appears that legislation will just continue to be too slow to keep up with cyber policy then.
A: This might be true, but Europe has been able to pass the GDPR and it is an overarching cyber policy that everyone must adhere to. Nothing catastrophic led to its implementation so that makes it seem likely that other countries will eventually follow the UK’s lead.
Q: The GDPR has been quite effective. Will other countries create similar cyber policy legislation?
A: The GDPR gets people to look at these issues very differently and this is very productive. Speaking to American policy, the way Europe views cyber threats and how America views cyber threats is very different. It is not easy to change culture, and while it seems likely that other countries will have to create national data privacy and security legislation, the pressure to do so seems not to have been great enough at this time to cause any change to happen.
Protecting data analytics from AI opens up a whole new world of potential mischief that will have to be addressed at some point. Currently, the United States has 50 breach notification laws because these laws are made by each state. This makes compliance very onerous for companies and slows the process of getting national legislation put in place.
Q: Will companies who do not implement data protection laws like GDPR be at a competitive disadvantage to those who do?
A: The answer to that is probably, yes. There are companies out there who will see that it is a good business practice to protect their data and their customers' privacy and they will adhere to good cyber policies for that goal. The competing interest involved is the very real factor that users of technology desire convenience above security.
If privacy and cyber security become inconvenient, they will likely elect to avoid any steps that add complication to their user experience. This could mean that they will be part of a cyber breach through their own negligence because legislation does not currently require them to make that effort for security. Legislation has to overcome habit and the desire to resist change.
Q: Will it be feasible for laws like GDPR to be adopted globally?
A: The trouble with global law-making is that countries want to keep their sovereignty. There would always have to be various versions of a cyber security law due to this. The United States is not leading in this area and the European Union is really setting the example for the rest of the world.
Q: Will Brexit affect any of this?
A: There were limited indications that Brexit would go through and a lot of the people who were saying that they wanted it were concerned with immigration issues in their communities. It does appear that people wanted out of the Union without considering how interconnected everything was.
From an economic perspective, the UK has a challenging privacy perspective. Now that Brexit has happened, it would seem logical that similar laws would be put in place since Europe feels that individual privacy is a fundamental right. In the United States, there are individual privacy laws but they are often overruled by businesses who have sway over the market in every aspect.
Q: It does seem that there is a disconnect between technology and cyber policy because technology is moving too quickly and the risk management side of business cannot keep up.
A: A good example of this is blockchain, or also AI. There are great advances like shipper commuting coming in the future, but they bring with them the handmaiden of cyber threat. Business people tend to think only about the possibilities of a technology for users without thinking of the inherent cyber risk.
This is why there are IoT devices that have no cyber security at all. Startup companies create new technology and only care about getting their product out to market. Once the product is on the market and the cyber risk is identified, the cyber security part is added clumsily after the fact because it was not considered during development.