The law, including cyber law, changes slowly, and that's a good thing. We want a well thought out set of laws that are fair and understandable – and most importantly – are accessible to everyone. New technology, such as AI and drones, force us to ask tough questions. Who are we supposed to blame if something goes wrong? Who should pay for damages, and how do we balance the benefit to society versus the harm to an individual or a group of individuals?
In the area of privacy, we're dealing with equally thorny questions. In a connected world with social platforms such as Facebook, the police and other law enforcement agencies wanting to peer into our smartphones to investigate election fraud – we must ask ourselves: what does privacy mean today?
Cyber law is focused on bringing more clarity to these kinds of questions that new technology poses. It’s important for all security professionals to have a basic understanding of current and potential future cyber law concepts in order to stay compliant and ensure sensitive data stays safe.
The Current Basic Cyber Law Concepts
Of course, your level of required cyber law knowledge will vary based on your industry and role. But there are four basic cyber law concepts that every security professional should know at a base level.
- Ensure you’re aware of the laws that affect you. Based on the states or countries that your organization does business in, there are going to be specific regulations that will affect you. You must fully understand these laws and make sure you have the correct security infrastructure and practices in place to stay compliant.
- You must identify all your organization’s regulated critical data and assets. What kind of data and assets does your organization handle or store? Is it intellectual property or personally identifying information (PII), etc.? Your organization must be in constant and clear communication to identify which regulated data and assets are critical to secure. Is data missing or not being accounted for? It’s all too common that siloed teams don’t properly communicate that they possess data that fall under regulation.
- Examine client base location for regulations that might apply. Where is the organization doing business or conducting operations, and where are its customers located? If the organization is based in Texas but has customers in China, the EU, and California, the organization is responsible for complying with Texas, China, EU, US, and California data protection laws. An organization will likely need legal consultants in each of the various locations it does business in to understand how to comply and properly notify the regulatory bodies in the event of a data breach or security incident.
- Have a plan. The organization needs to have an action plan approved and in place so it can properly respond in the event of a data breach or a regulatory infraction. This plan should not only outline how the business will respond to its governing bodies and stakeholders in the event of a crisis but also how it will respond to its customers.
What the Future of Cyber Law Holds
With new innovative technology on the horizon, cyber law is primed to evolve in a few key areas. Here are my predictions.
What are organizations going to be liable for? Out of the gates, regulation may be tough on businesses as more and more individuals worry about their data being stolen out of the hands of the companies they trust. In the first few years of legislation development, legislators may respond to the public’s call for the burden to fall on organizations by going overboard and saying, "Okay, companies need to disclose everything, and they’re liable for everything." I think we will see the pendulum swing back after this initial wave of stringent liability laws. We’ll likely recognize that the balance is too far in one direction and that we need to allow businesses some space to operate.
Who Owns the Data
If the consumer owns the data, then businesses need to ask permission to do something with that data. But sometimes organizations are just observing usage patterns – which yes, is a form of data, but they’re just ‘watching’. If I were sitting in a park one day and just people-watching, I'm not sure that the law would say that all my observations about people belong to those people I was observing. This nature of who owns data is going to be vital for us to come to grips with because it will then determine what the liabilities are in terms of when that data is mishandled, or it escapes into the wild, or it's stolen.
InfoSec professionals will become more Involved in Business Decisions
Marriott had a rude awakening with their Starwood acquisition because they weren’t aware of the poor security profile of the company they were acquiring. It’s critical for organizations to understand the security posture of the businesses they are acquiring, going into partnerships with, or share data with. How cyber law will address these kinds of responsibilities issues will be interesting to see in the future.
I am excited to see how cyber law evolves as technology gets more advanced and integrated with our daily lives, and companies collect and share more of our data on a regular basis. It will be critical for InfoSec professionals to partner closely with legislators, regulatory bodies and internal auditors to understand where the gaps are between data security and cyber law. Together, we can work towards an even better future for user data and privacy.
To hear more from Steve Black, visit the highly-anticipated InfoSec World Conference & Expo in Orlando, Florida which kicks off next week! There, he'll be presenting on Cyberlaw Year in Review.
Photo by Patrick Tomasso on Unsplash