The Top Cybersecurity Concerns for In-House Counsel in 2018
With in-house counsel shouldering more responsibility when it comes to breaches, and even taking the fall in some cases, one certainty is that cybersecurity will be top of mind for companies and their in-house counsel in 2018.
January 02, 2018 at 04:57 PM
Last year brought with it a number of high-profile breaches that garnered attention not just because of the number of consumers impacted or the type of information taken, but also because of the missteps that followed certain cybersecurity incidents. In addition to public perception issues, companies also face changing regulations around data security and litigation that may shift the way cybersecurity suits are handled.
Here are some of the areas in-house counsel will be paying particularly close attention to.
Regulatory Changes (Hint: It's About More Than Just the GDPR)
A top priority for many in-house counsel has to be compliance with the General Data Protection Regulation, said Edward McNicholas, partner at Sidley Austin and co-leader of the firm's privacy, data security and information law practice. The GDPR extends existing regulations to any company that is processing data about Europeans, and violating the obligations may result in a fine of up to 4 percent of a company's annual global turnover, McNicholas said, so companies are understandably focusing a lot of attention on preparation.
As for what aspect of GDPR compliance creates the biggest headache, McNicholas said it's the notion of consent, adding that “there are still conflicting views within Europe as to how rigorous consent can be.”
Another major concern is the 72-hour data breach notification rule under the GDPR, according to Laura Jehl, a partner at Baker & Hostetler, who was formerly general counsel and chief privacy and security officer at Resolution Health Inc., a subsidiary of Anthem Inc., where she helped handle a January 2015 cyberattack affecting 80 million customer records.
“The fact that there will be this 72-hour breach notification obligation is, in a way, a game-changer,” she said. “Anybody who does this for a living will tell you that 72 hours is a ridiculous period of time to notify people in, because you usually don't know enough about the extent of the incident after 72 hours to report anything meaningful.”
What this means, she said, is that there will likely be an uptick in the number of forced disclosures that don't yet have anything meaningful to reveal. “I think it's just going to put more noise in the marketplace … because an incident at that point, after 72 hours, can be anything from something quite minor to hundreds of millions of people,” according to Jehl. “You just don't know, and so there are going to be a lot of these disclosures that aren't meaningful, that will have to later be supplemented by something that's more meaningful.”
But it's not just the GDPR that in-house counsel should be thinking about, McNicholas pointed out, noting that one of the “sleeper issues of 2018 is the Chinese cybersecurity rules.” China has been rolling out rigorous cybersecurity regulations, some of which take effect in 2018, McNicholas said. And some of these obligations include an analysis of cybersecurity programs, assessment of data transfers out of China and a requirement that certain companies share information about cybersecurity with the Chinese government, he explained.
“There's been so much attention focused on Europe and preparations for the GDPR,” McNicholas said, “that I don't know that people are putting as much emphasis and focus on the new regulations coming out of China.”
Future-Proofing the Business
From wearables that track steps to pills that transmit whether patients are taking their medicine, there are a number of innovations that provide major benefits to consumers, McNicholas said. “But I think that the amount of collection of information will raise some very interesting privacy questions,” he added.
One example can be found in the increasingly blurred line between when a product is a fitness device versus a medical device, McNicholas pointed out. If, for instance, you have a device that was made for personal fitness, but that is also useful to physicians, McNicholas said, at what point does the fitness device look more like a medical device that would be governed by regulations designed to protect medical information?
“As company counsel internally approach their next generation products, these internet of things and the internet of bodies sorts of products are going to raise profound issues that the current laws don't deal with as robustly as they might [need to],” according to McNicholas. “It's going to be a real challenge for in-house counsel.”
Groundbreaking Lawsuits
In-house counsel may also see shifts in the cybersecurity landscape because of ongoing litigation.
One such case that may be heard by the U.S. Supreme Court questions when data breach victims have standing to sue. Health insurer CareFirst Inc. asked the Supreme Court in October of last year to reverse a decision from the U.S. Court of Appeals for the D.C. Circuit, which allowed a data breach class action against the company to move forward. In its petition to the Supreme Court, CareFirst said this case “presents an ideal vehicle” to resolve a question that courts of appeals are divided on by potentially clarifying when data breach victims meet Article III's injury requirement.
“If the Supreme Court decides to grant review in CareFirst, it will be one of the most important privacy and cybersecurity cases in recent memory,” Alan Butler, senior counsel at the Electronic Privacy Information Center, said in an email. “The court would have to resolve the question of who can bring suit and when, and lower courts would then review these cases on the merits.”
Thousands of miles away, the European Court of Justice has been asked to consider the validity of model clauses for EU personal data transfer to the United States. This case could have massive implications for in-house counsel, said Sidley's McNicholas.
“A lot of companies have built their EU data transfer regime based upon model clauses,” he noted. “If the model clauses, themselves, were to be struck down, there would be a tremendous amount of work for in-house counsel in sometimes revamping their EU data transfer compliance regime.”
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.