The Top Cybersecurity Concerns for In-House Counsel in 2018
January 02, 2018 at 04:57 PM
Last year brought with it a number of high-profile breaches that garnered attention not just because of the number of consumers impacted or the type of information taken, but also because of the missteps that followed certain cybersecurity incidents. In addition to public perception issues, companies also face changing regulations around data security and litigation that may shift the way cybersecurity suits are handled.
With in-house counsel shouldering more responsibility when it comes to breaches, and even taking the fall in some cases, one certainty is that cybersecurity will be top of mind for companies and their in-house counsel in 2018.
Here are some of the areas they'll be paying particularly close attention to.
Regulatory Changes (Hint: It's About More Than Just the GDPR)
A top priority for many in-house counsel has to be compliance with the General Data Protection Regulation, said Edward McNicholas, partner at Sidley Austin and co-leader of the firm's privacy, data security and information law practice. The GDPR extends existing regulations to any company that is processing data about Europeans, and violating the obligations may result in a fine of up to 4 percent of a company's annual global turnover, McNicholas said, so companies are understandably focusing a lot of attention on preparation.
As for what aspect of GDPR compliance creates the biggest headache, McNicholas said it's the notion of consent, adding that “there are still conflicting views within Europe as to how rigorous consent can be.”
Another major concern is the 72-hour data breach notification rule under the GDPR, according to Laura Jehl, a partner at Baker & Hostetler, who was formerly general counsel and chief privacy and security officer at Resolution Health Inc., a subsidiary of Anthem Inc., where she helped handle a January 2015 cyberattack affecting 80 million customer records.
“The fact that there will be this 72-hour breach notification obligation is, in a way, a game-changer,” she said. “Anybody who does this for a living will tell you that 72 hours is a ridiculous period of time to notify people in, because you usually don't know enough about the extent of the incident after 72 hours to report anything meaningful.”
What this means, she said, is that there will likely be an uptick in the number of forced disclosures that don't yet have anything meaningful to reveal. “I think it's just going to put more noise in the marketplace … because an incident at that point, after 72 hours, can be anything from something quite minor to hundreds of millions of people,” according to Jehl. “You just don't know, and so there are going to be a lot of these disclosures that aren't meaningful, that will have to later be supplemented by something that's more meaningful.”
But it's not just the GDPR that in-house counsel should be thinking about, McNicholas pointed out, noting that one of the “sleeper issues of 2018 is the Chinese cybersecurity rules.” China has been rolling out rigorous cybersecurity regulations, some of which take effect in 2018, McNicholas said. And some of these obligations include an analysis of cybersecurity programs, assessment of data transfers out of China and a requirement that certain companies share information about cybersecurity with the Chinese government, he explained.
“There's been so much attention focused on Europe and preparations for the GDPR,” McNicholas said, “that I don't know that people are putting as much emphasis and focus on the new regulations coming out of China.”
Future-Proofing the Business
From wearables that track steps to pills that transmit whether patients are taking their medicine, there are a number of innovations that provide major benefits to consumers, McNicholas said. “But I think that the amount of collection of information will raise some very interesting privacy questions,” he added.
One example can be found in the increasingly blurred line between when a product is a fitness device versus a medical device, McNicholas pointed out. If, for instance, you have a device that was made for personal fitness, but that is also useful to physicians, McNicholas said, at what point does the fitness device look more like a medical device that would be governed by regulations designed to protect medical information?
“As company counsel internally approach their next generation products, these internet of things and the internet of bodies sorts of products are going to raise profound issues that the current laws don't deal with as robustly as they might [need to],” according to McNicholas. “It's going to be a real challenge for in-house counsel.”
Groundbreaking Lawsuits
In-house counsel may also see shifts in the cybersecurity landscape because of ongoing litigation.
One such case that may be heard by the U.S. Supreme Court questions when data breach victims have standing to sue. Health insurer CareFirst Inc. asked the Supreme Court in October of last year to reverse a decision from the U.S. Court of Appeals for the D.C. Circuit, which allowed a data breach class action against the company to move forward. In its petition to the Supreme Court, CareFirst said this case “presents an ideal vehicle” to resolve a question that courts of appeals are divided on by potentially clarifying when data breach victims meet Article III's injury requirement.
“If the Supreme Court decides to grant review in CareFirst, it will be one of the most important privacy and cybersecurity cases in recent memory,” Alan Butler, senior counsel at the Electronic Privacy Information Center, said in an email. “The court would have to resolve the question of who can bring suit and when, and lower courts would then review these cases on the merits.”
Thousands of miles away, the European Court of Justice has been asked to consider the validity of model clauses for EU personal data transfer to the United States. This case could have massive implications for in-house counsel, said Sidley's McNicholas.
“A lot of companies have built their EU data transfer regime based upon model clauses,” he noted. “If the model clauses, themselves, were to be struck down, there would be a tremendous amount of work for in-house counsel in sometimes revamping their EU data transfer compliance regime.”
© 2025 ALM Global, LLC, All Rights Reserved.