From cybersecurity breaches to compliance mishaps, 2017 proved a tough year for many of the biggest enterprises in the economy.
But organizations face an even more difficult situation in the months to come.
Cybersecurity laws are breaking new legal ground.
More unique types of personal data are being created, stored and increasingly regulated. And old risks are more prominent than ever.
For enterprise risk management programs, it’s all hands on deck. Here’s a look at the three biggest risks facing enterprises in 2018:
1. A new type of cyber regulation?
Sure, the New York State Department of Financial Services’ (NYS DFS) new data security regulation only affects certain financials companies within the state of New York. But it represents a new type of proactive state cybersecurity law that may become more prominent in the months to come.
“Of the newer laws, I do think the DFS one in New York is probably the most interesting, and possibly the most impactful,” said John F. Mullen, partner and co-founder of law firm Mullen Coughlin.
He explained that this was primarily due to the law’s proscriptive nature, something that was previously unseen among local cyber regulations. “Because of that, the NYS DFS law opens up a whole new area of risk for companies to make sure they are affirmatively complying with it, not just complying after a possible event.”
Though the regulation has only recently went into effect for enterprises in August 2017,and more of its mandates are still coming online in periodic stages, New York financial institutions are optimistic they can meet its cybersecurity requirements.
“I don’t think many have had a lot of trouble implementing multifactor authentication and other policies,” said Monique Ferraro, cyber counsel at Hartford Steam Boiler, at ALM’s December 2017 cyberSecure conference in New York.
Still, she noted there are some compliance issues that need to be addressed. “Encryption, however, is a little bit more difficult to interpret, but everyone has decided we’re going to interpret it this way. And if it’s good, it’s fine, if it’s not, it’s not.”
If and when the NYS DFS law spurs similar laws around the country remains to be seen. But following the Equifax Inc. breach, New York state has already proposed a new proscriptive cybersecurity law covering all companies within the state that handle “sensitive data.”
2. The ever-present pitfall: vendor risk
The need for third-party risk management is nothing new. But going in 2018, it’s still a difficult challenge for many enterprises, just ask Verizon. In late 2017, the company had the personal information of 6 million of its customers exposed due to a breach at one of its vendors.
But for some, including several legal experts speaking at ALM’s cyberSecure conference in December 2017, vendor risk may be an unavoidable reality. As the example of how hard it is to completely mitigate this risk, Noga Rosenthal, chief privacy officer at Epsilon, noted the 2013 breach at Target, which was caused when one of the company’s HVAC vendors was compromised by cyberattackers.
“What I struggled with was that the vendor that allowed the attackers in was the HVAC vendor,” she said. “How do we stop that? Would I have [classified] that HVAC vendor as a high-risk vendor that is touching my data?”
At the same session, Buck de Wolf, vice president, chief intellectual property counsel and general counsel at GE Global Research added that if a vendor is a critical supply chain partner in a company’s operations, vendor risk can sometimes be the inevitable cost of doing business.
“What if the vendor makes a critical component for what you’re selling?” He asked. “Do you stop selling that product because the vendor says we cannot comply with your contractual security requirements?”
But while vendor risk may be unavoidable, Nicole Eagan, CEO at Darktrace, who also spoke at the session, noted that there are ways to better manage it than just surveying third parties.
“If you’re just filling out a vendor survey once a year, it’s not enough, threats change hourly, they change daily,” she said. “The person answering that survey likely doesn’t know the answer, and they are doing the best to answer. But they lack visibility into what their own threats are.”
Instead, Eagan advised companies to deploy artificial intelligence-based cybersecurity technology that can monitor vendors networks, “because then you can see the inside of their network and detect what is going on.”
3. The growth of biometric data privacy laws
Enacted in 2008, Illinois’s Biometric Information Privacy Act (BIPA) was the first law in the nation to regulate how companies handle biometric data. But given the current legal climate, it may be far from the last.
While there have been efforts to weaken what some see as the BIPA’s broad scope, it is becoming increasingly clear that the Illinois law was the first in what may be numerous state statutes across the United States.
Though not as expansive as the BIPA, Texas and Washington state have come out with their own biometric data regulations, for example.gAnd there are more states moving to regulate biometrics on the horizon.
Hanley Chew, of counsel at Fenwick & West, wrote in Legaltech News that currently, “several state Legislatures are considering legislation that would regulate [biometric data] collection, use and retention,” including Alaska, Connecticut, Montana and New Hampshire.
But states may be not be the only ones looking to regulate this space. Given the potential security issues with biometrics data, federal agencies have also started to issue guidance on how biometric data should be used by corporations.
Both the Federal Trade Commission (FTC) and the Department of Commerce’s National Telecommunications and Information Administration (NTIA), for example, have come out with best practice recommendations for facial recognition technologies.
Rhys Dipshan is a New York-based legal tech reporter covering everything from in-house technology disruption to privacy trends, blockchain, AI, cybersecurity, and ghosts-in-the-machine. Contact him at firstname.lastname@example.org.
Originally published on LegalTech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.