Cybersecurity may be a top concern for legal counsel, but the shifting waters of global cybersecurity law are becoming increasingly difficult to navigate. With recent changes in cybersecurity law across the globe, the cybersecurity legal realm is no longer as uniform as it once was, while rules are becoming tougher across the board.
Take, for instance, the differences between Europe, Asia and the U.S. trial attorneys. Thomas Mahlum and Melissa Goodman of Robins, Kaplan, Miller & Ciresi L.L.P. wrote on InsideCounsel in August, the European Union (EU) has one completely codified set of rules for what counts as personally identifiable information (PII), with the EU Data Protection Directive and the Organization for Economic Cooperation and Development Guidelines. The Asian-Pacific Economic Cooperation, however, takes a less strict view of PII in the APEC Framework. The U.S., meanwhile, has a number of guidelines to abide by, including the Video Privacy Protection Act, the Cable Television Protection and Competition Act, the Children's Online Privacy Protection Act, and the Stored Communications Act.
“Businesses need to also adhere to the clearer guidelines on corporate data preservation duties developed as part of e-discovery’s emerging jurisprudence,” Mahlum and Goodman wrote. “Balancing these data-driven issues requires an understanding of the ever-evolving landscape of each competing concern.”
Now, even those laws may be changing. According to an article in the Wall Street Journal, both the EU and Japan are set to institute new privacy laws that tighten existing data breach legislation, much like the U.S. has done in recent years. In Japan, the government is targeting specifically financial firms, raising the penalty for not disclosing when an individual user’s data has been breached from 500 yen to 10,000 yen ($75) per user. Olivier Piou, chief executive of data-security firm Gemalto, told the WSJ that 500 yen was simply “not enough of a deterrent.”
The EU, meanwhile, looks to institute widespread data breach notification rules. The discussion is in the early stages, and the proposed legislation is controversial due to its stringent nature — companies would be required to disclose any data breach within 24 hours. However, the fact that the EU is even having this discussion is noteworthy.
The way the litigation is going, in-house counsel should beware that the rules are only going to become stricter within the next couple of years. As Piou said, “In the next few years it will be an obligation, whether by law or reputation. Banks still hesitate to communicate a lot on their penetration and their events. Why? I think we are past the question of ‘should we do something,’ it’s ‘let’s do something.’”