By Jami Mills Vibbert with Venable LLP
Until recently, state oversight of cybersecurity has been relatively limited. Indeed, although 48 of 50 states have laws related to data breach notification, those laws govern only a small part of cybersecurity practice—the time following a security incident. Those breach notification laws form a complicated morass, each requiring notification of a security breach under its own set of circumstances, depending on the type and amount of data involved. That is, the who, what, when, where, why, and how vary from state to state, often requiring an in-depth analysis by a breached company to determine what its notification obligations are while it is also trying to handle the crisis situation that arises post-breach.
The Health Insurance Portability and Accountability Act (HIPAA) has a breach notification provision that applies nationwide, but applies only to protected health information, and does not preempt any state law notification requirements. Attempts at an overarching federal breach notification law have stalled in the past couple of years, and thus companies must continue to spend time and resources following a security incident dealing with analysis under these separate laws.
On the other hand, states have remained relatively silent on specific cybersecurity requirements for companies doing business in that state. A handful of states have attempted to force companies to focus on cybersecurity by requiring companies to implement “reasonable” or “adequate” data security measures (including Arkansas, California, Florida, Indiana, Kansas, Maryland, Minnesota, Rhode Island, Texas, and Utah). These general requirements typically impose no more on companies than the companies impose on themselves through contracts with third parties. Only a couple of states have implemented regulations requiring specific cybersecurity controls. For example, Massachusetts law 201 CMR 17.00 sets forth specific cybersecurity requirements, including with respect to encryption, monitoring, patches, firewalls, training, and other controls.
Nevada law NRS 603A.215 requires encryption of personal information transmitted “outside of the secure system of the data collector.” And a couple of other states require cybersecurity controls with respect to specific data elements, such as Social Security Numbers or personal health information. As with breach notification, some federal laws contain requirements for certain industries or types of sensitive information, including HIPAA with respect to protected health information and the Gramm-Leach-Bliley Act, which governs some financial institutions. These are also not preemptive of different or more stringent state laws. Companies subject to multiple cybersecurity regimes must, as with breach notification, expend resources in understanding the different requirements of the different federal and state laws to ensure compliance with each.
This state-specific quilt of cybersecurity controls is growing, which will likely lead to an even more time-consuming process of ensuring compliance with different and potentially conflicting cybersecurity controls for companies operating in multiple states. The legislation of specific cybersecurity controls is often similar to existing state standards, but with key differences. On March 1, 2017, the New York State Department of Financial Services (DFS) mandatory cybersecurity requirements for financial services became effective. The requirements broadly cover all DFS-regulated entities, including, by extension, unregulated third-party service providers to regulated entities.
This not only includes state-chartered banks, licensed lenders, private bankers, service contract providers, trust companies, and mortgage companies, but also foreign banks licensed to operate in New York and any insurance company doing business in New York. This regulation delineates various minimum standards and requires a risk-based cybersecurity program tailored to each company’s specific risk profile. Significantly, the regulation requires covered entities to file an annual certification of compliance with the regulation, which for many institutions will entail potentially significant changes to their cybersecurity programs. Unlike existing state laws with specific provisions, the DFS regulation requires annual cybersecurity risk assessments and specific steps that must be undertaken with respect to all third-party service providers. It also contains minimum standards similar to those in other laws, including with respect to multifactor authentication and encryption.
Other states have recently become active as well. This may be a reaction to a perceived lack of adequate federal legislation, weakened enforcement by federal regulatory bodies, or the prevalence and high-profile nature of major security incidents. We have seen states step in to fill such perceived gaps, including with the introduction (and passage) of legislation in several states following the repeal of the Federal Communications Commission regulation expanding privacy rules to broadband providers. Similarly, states have introduced legislation attempting to place parameters on what a reasonable cybersecurity program must have, including what minimum standards would be required (focusing on risk assessments, training, policies, ensuring appropriate responsibility, and third-party service provider management).
One pending bill in California attempts to place some parameters (with respect to both privacy and security) on connected devices. The bill, SB-327, defines connected devices as any device, sensor, or other physical object that can connect to the Internet or to another connected device, directly or indirectly. In addition to data collection and consent requirements, the provisions of the bill may inhibit the growth of the Internet of Things (IoT) market or make the manufacture of IoT devices subject to the California bill difficult. The bill requires all manufacturers of connected devices to detail the process by which a connected device consumer can obtain security patches and feature updates for the IoT device. It is unclear how manufacturers will be able to implement this requirement should it pass, but the bill shows the desire of states to regulate cybersecurity.
State legislatures are not the only state parties that have shown an increased focus on regulating cybersecurity. For several years, the Federal Trade Commission (FTC) has been the most active regulatory body concerning data security, investigating and entering into consent orders with companies for failing to maintain reasonable data security practices or for misrepresenting their data security practices. Prior to this year, state attorneys general limited their activity in the cybersecurity space to bringing actions against companies that had suffered a data breach. The settlements of those actions often resulted in large fines and comprehensive requirements for implementing a more secure information security program. As of last month, however, states have ventured into new territory. The New York Attorney General brought an action against a wireless lock company, Safetech Products LLC. Safetech is a Utah-based company selling its locks online via Amazon and its own retail website. Interestingly, Safetech had not suffered a data breach; rather, security researchers reported that Safetech did not encrypt user passwords in transmission between a user’s mobile device and the locks. Upon hearing of the security researchers’ report, the New York Attorney General launched an investigation. The investigation confirmed the security researchers’ report and determined that Safetech also did not require users to change default passwords. Because these practices could potentially have led to a data breach, the Attorney General alleged that Safetech had failed to reasonably protect its customers’ information. Safetech and the Attorney General entered into a comprehensive settlement agreement that requires Safetech to implement and establish a comprehensive data security program with several parts. Particularly given the oversight by the Attorney General, the security program may be onerous and expensive to implement.
Now that the states have shown an increased interest in regulating, through legislation or enforcement action, the cybersecurity practices of companies, many companies will be faced with complying with several states’ laws and requirements. In practice, companies may attempt not to do business in states with restrictive cybersecurity laws or may apply the most restrictive standard to the entire organization nationwide.
This, of course, assumes that none of the regulations will conflict, which, in an area as complex and ever-changing as cybersecurity, is not a given. It may also lead to a compliance state, where companies are focused on ensuring legal compliance, rather than on ensuring a robust cybersecurity program, which comes from a healthy risk management process that includes appropriate risk assessments. Given the high-profile nature and number of data breaches, however, it is unlikely that states will engage in less legislation and enforcement, and the patchwork of state laws will continue to grow.
About the Author
Jami Mills Vibbert is a Counsel in Venable’s Privacy and Data Security practice who advises and counsels clients on matters related to data security, data protection, and data risk management. Jami is based in the firm’s New York office. For more information, visit www.venable.com.