With interconnectivity and use of digital storage expanding, cyberthreats posed by nation states, commercial competitors, company insiders, transnational organised crime syndicates and ‘hacktivists’ have continued to grow on a global basis. Recent high-profile data intrusions in the United States have brought particular attention to cyber extortion and cyberattacks perpetrated by nation states, and to business email compromises aimed at financial fraud by criminal groups. In dealing with these topics, two important trends are emerging. First, many countries are looking to strengthen requirements around user consent and control over collection of personal data. Second, countries are grappling with how to protect against the compromise of intellectual property with potential national security concerns, with strategies ranging from restricting the export of critical IP to establishing minimum cybersecurity standards for critical providers.
For example, in Europe, the European Union General Data Protection Regulation (GDPR) became effective on 25 May 2018 and imposed new data security obligations on EU data controllers and processors. Following China’s Cybersecurity Law, which became effective in June 2017 and imposed data security requirements on computer network operators and ‘critical information infrastructure’ providers, China issued the Measures for the Administration of Scientific Data on 17 March 2018 (with immediate effect), which restrict the export of scientific data while calling for wider access to such data within the country. In June 2018, Vietnam approved a new cybersecurity law, set to take effect in January 2019, requiring global technology companies with users in Vietnam to set up local offices and store data locally. All this suggests that cybersecurity will remain a high-priority compliance issue for corporate counsel, senior executives and company boards. In this environment, maintaining an effective and global corporate cybersecurity programme is becoming the standard expectation for all businesses.
Organisations around the world regularly suffer data security incidents, ranging from nuisance intrusions and petty theft to criminal conspiracies. The past year has seen a particular spike in business email compromises aimed at generating fraudulent invoices and similar fraud schemes. The Ponemon Institute in the United States estimated in 2018 that the average cost of a data breach globally is US$3.86 million. Such losses are prompting more calls for reform and more emphasis on developing regulatory standards for minimum safeguards.
In response to these challenges, governments from around the world are implementing legal reforms and shifting enforcement priorities. In the European Union, the legal framework for cybersecurity among member states is evolving to deal with new threats. In 2016, the European Council adopted the Network and Information Security Directive, which imposes security obligations on ‘operators of essential services’ in certain important economic sectors, such as health, water supply, financial markets, banking and energy. Businesses in these sectors will be required to manage cyber risks and report significant cyber breaches. Similarly, the European Parliament adopted the GDPR in April 2016, which, as of May 2018, requires data processors to implement a variety of security provisions and appoint data protection officers. The European Commission issued a Joint Communication in September 2017, ‘Resilience, Deterrence and Defence: Building Strong Cybersecurity for the EU’, which focuses particular attention on the need to enhance cybersecurity protections as the internet of things continues to grow steadily in the developed world. In June 2018, the European Union reached a political agreement on the EU Cybersecurity Act, which would establish a framework for certification schemes to apply to a range of online services and connected consumer devices and establish an EU Cybersecurity Agency.
In the United States, dozens of federal and state statutes address cybersecurity issues, and state attorneys general and consumer regulators have substantial authority to police data security compliance with regard to consumer businesses (along with the Federal Trade Commission), but no overarching statutory framework governs cybersecurity. Businesses in the United States are encouraged by the government to cooperate with one another and with government authorities to share cybersecurity threat information, but such sharing is voluntary. In December 2016, the Commission on Enhancing National Cybersecurity, which was created by a presidential directive, issued more than 50 recommendations for improving cybersecurity in the United States. Notable recommendations included developing ways to incentivise companies to implement cybersecurity programmes, creating standards for security of the internet of things and creating a new ambassador position in the US government focused on cybersecurity. Although cybersecurity standards are largely a product of voluntary efforts in the United States, US regulatory agencies are expanding enforcement actions to address cybersecurity issues. For example, the US Securities and Exchange Commission has issued guidance requiring companies to disclose material information on the nature of any cyberthreats and has challenged numerous companies on the adequacy of their disclosures. Similar efforts to protect against cyber intrusions are taking place in other jurisdictions as well.
Following several high-profile cyber intrusion events in 2015 and 2016, the United States focused substantially on international action to enhance cybersecurity and data protection. President Obama issued an Executive Order authorising the imposition of economic sanctions against individuals or entities found to be engaged in malicious cyberactivity and agreed to a new cybersecurity framework with China intended to limit state-sponsored theft of corporate secrets. In May 2017, President Trump issued an Executive Order, entitled Cybersecurity of Federal Networks and Critical Infrastructure, that focuses on US government agencies assessing cyber-preparedness to respond to various threats to electrical supply, defence infrastructure and other critical government functions. In August 2018, the Trump administration announced a new national cyber strategy, which outlines efforts to increase the resiliency of US information systems and deter threat actors from launching malicious attacks against the United States, including authorising offensive cyber operations against foreign adversaries.
Many reforms are also taking place within industries and are customer-driven. Payment card companies in the US are now requiring chips to tokenise payment card data. In a relatively new development for many companies, commercial customers around the world are increasingly adding cybersecurity requirements to contracts, demanding controls on how information technology suppliers hold data in cloud centres, or otherwise imposing special obligations related to protecting data. Cybersecurity provisions are frequently a key part of negotiations involving outsourcing of data and the sharing of data between companies. In addition, companies may require audits and other rights and remedies to address cybersecurity challenges.
Around the globe, the cybersecurity legal landscape continues to shift rapidly as governments consider new laws, regulations and enforcement policies. In the years ahead, companies will be faced with an increasingly complex array of cybersecurity compliance challenges and risks. At the same time, governments are working to determine the appropriate regulatory policy to govern the changing information technology environment, and the best framework for working with the private sector to improve the security of digital assets.