Privacy professionals have always needed to keep one eye on data security. But the obligation of data custodians to protect the confidentiality, integrity and availability of the personal information they hold is growing more complex, governed by its own body of rules that sometimes overlap and sometimes conflict. Rising threats from cyber criminals, nation-states and terrorists are driving a wave of state and federal lawmaking, regulatory measures and class-action litigation. Cybersecurity law is emerging as its own discipline.
To help both seasoned privacy practitioners and newcomers navigate this thicket, the IAPP has published a fully revised second edition of "Cybersecurity Law Fundamentals," in which we distill the onslaught of laws, regulations, class-action lawsuits and enforcement actions. Here we summarize some of the trends we have noted.
Privacy requires cybersecurity
The very first articulation of the Fair Information Practices by a federal advisory committee in 1973 included the principle that any organization creating, maintaining, using or disseminating identifiable personal data must take precautions to prevent its misuse. The 1980 Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data included a security safeguards principle.
The U.S. Privacy Act requires federal agencies to "establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity." The EU General Data Protection Regulation, like the Data Protection Directive before it, contains a data security obligation. The Health Insurance Portability and Accountability Act requires covered health care entities to maintain reasonable and appropriate administrative, technical and physical safeguards to protect personal health information. The Gramm-Leach-Bliley Act does the same for the financial services sector and financial data.
Since its Eli Lilly case in 2002, the Federal Trade Commission has asserted that data security falls under its Section 5 authority over unfair or deceptive practices. Moreover, in recent enforcement actions, the FTC has treated privacy and cybersecurity as coextensive. If it opens a privacy or consumer fraud investigation, the commission may also look at the respondent's data security practices, as it did with MoviePass. And if it opens a matter based on a data-security problem, it may also examine a company's privacy practices, as it did with CafePress.
Ensuing complaints and settlements may encompass the full range of issues the commission believes are within its purview.
As a further sign of its insistence on data security, in a May 2022 policy statement on education technology and the Children's Online Privacy Protection Act, the FTC said, "Even absent a breach, COPPA-covered ed tech providers violate COPPA if they lack reasonable security." The courts' response to this pushing of jurisdictional boundaries remains to be seen.
Standing in data breach cases remains contested
In the 2021 case TransUnion v. Ramirez, the Supreme Court seemed to shut the courthouse door on data breach victims who could not allege actual misuse of data compromised in a breach. Under the Constitution, plaintiffs can sue in federal court only if they have standing, which means they must allege some concrete injury. Many data breach plaintiffs have claimed the risk of future identity theft or other data misuse was sufficient, but in the TransUnion case the high court held that the risk of future harm could not be the basis for standing in suits for damages. Despite that, at least four appellate courts have continued to let cases go forward for plaintiffs who have not experienced any ID theft or fraud.
In the 2023 case Bohnak v. Marsh & McLennan Companies, the U.S. Court of Appeals for the 2nd Circuit found standing based on the data breach itself, that is the exposure of Bohnak's private information to unauthorized third parties. Likewise, in 2023, the 11th Circuit ruled in Green-Cooper v. Brinker International that the posting of credit card data and personal information on the dark web was "misuse" sufficient to establish standing, even without any fraudulent charges.
Three circuit courts have adopted another theory, granting standing to plaintiffs who alleged they suffered current harms in the form of time spent and expenses incurred in monitoring their accounts to mitigate the risk of future identity theft: the 1st Circuit in Webb v. Injured Workers Pharmacy in 2023, the 2nd Circuit in Bohnak v. Marsh & McLennan in 2023 and the 3rd Circuit in Clemens v. ExecuPharm in 2022.
And in the Clemens case, the 3rd Circuit separately based standing on an allegation of emotional harm, relying on language from the TransUnion case in which the Supreme Court said, "a plaintiff's knowledge that he or she is exposed to a risk of future physical, monetary, or reputational harm could cause its own current emotional or psychological harm."
This is not to say defendants should not bring motions to dismiss for lack of standing. To the contrary: For each of these new theories on which courts have granted standing, many other courts have ruled the other way, dismissing claims. The cases turn on a close reading of the precise allegations in the complaint, including the type of data compromised — and on the courts' analysis of whether an asserted claim meets the Supreme Court's test of bearing a close relationship to the types of claims traditionally heard in American courts. The lesson to litigants on both sides? Pay close attention to the elements of the tort of public disclosure of private facts and other common law torts.
The SEC is now a major regulator of cybersecurity
For years, privacy pros have coped with the laws of all 50 states requiring notice to individuals whose data has been compromised in a breach. But now, the data breach response team needs to work with corporate counsel to decide if a breach must be disclosed to the general public through a filing at the Securities and Exchange Commission. In July 2023, the SEC adopted a rule requiring publicly traded companies to disclose any cybersecurity incident within four business days of determining that it is "material," and then to file updates as further material information becomes available. "Material" is a key term in the SEC's regulatory framework, which is based on the proposition that investors are entitled to all material information about a company's financial condition. The obligation applies not only to breaches of customer data, but to any cyber incident that could affect a company's operations.
While issuing statements to reassure corporations that it is not playing "gotcha," the SEC brought unprecedented enforcement actions against companies before the new rule even went into effect. Those actions included allegations about statements concerning a company's cybersecurity posture that were made before any incident had occurred.
The new state privacy laws include cybersecurity obligations
It is hard to keep up with the rapid adoption of comprehensive privacy laws by the states. If you count Florida, New Hampshire was the 15th state when its governor signed Senate Bill 255 on 6 March, and Kentucky became the 16th on 4 April. In addition to providing opt-out, deletion and other privacy rights, the laws typically provide that a data controller shall establish, implement and maintain reasonable administrative, technical and physical data-security practices to protect the confidentiality, integrity and accessibility of personal data. Generally, they state the data security practices shall be appropriate to the volume and nature of the personal data at issue, but give no further guidance.
These state laws also make it clear that data security is a shared responsibility of controllers and processors. They require processors, taking into account the nature of processing and the information available, to assist controllers in meeting their security obligations. As the New Jersey law provides, "the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures."
As most practitioners are well aware, these new comprehensive privacy laws contain sometimes extensive exclusions of certain categories of entities and certain categories of data, but the list varies from state to state. And the new laws come on top of free-standing data security laws that already exist in many states. Overall, there are now close to 30 states requiring businesses to maintain "reasonable" security measures for personal information.
A new and important feature of many of these laws is the requirement for controllers to conduct and document a data protection assessment of each of their processing activities that present a heightened risk of harm to a consumer. Generally, the laws provide that such data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards the controller can employ to reduce the risks.
Under all the laws except California's, private rights of action are precluded, with the enforcement of most in the hands of the state attorney general. It remains to be seen which attorneys general become active in opening investigations and bringing enforcement actions, but the number is unlikely to be zero.
Speaking of the Golden State, the California Privacy Protection Agency is working on a cybersecurity audit rule. The CPPA's draft, if pursued, would effectively impose major cybersecurity requirements on covered businesses. It would do so by requiring the annual audit to assess, document and summarize each applicable component of an entity's cybersecurity program, specifically identifying any gaps or weaknesses in that program and addressing the status of gaps or weaknesses identified in any prior audit.
Justice Department proposes a major regulatory scheme for sensitive data
On 28 Feb., President Joe Biden issued an executive order aimed at restricting access by countries of concern to Americans' bulk sensitive personal data. Simultaneously, the Department of Justice began the process of writing an implementing regulation. It would regulate not only transfers of data to specific countries — China, Russia, Iran, North Korea, Cuba and Venezuela — but also to entities and persons subject to the jurisdiction of those countries.
The order defines sensitive data as personal identifiers, geolocation and related sensor data, biometric identifiers, "human 'omic" data, personal health data, personal financial data, or any combination thereof that could be exploited by a country of concern to harm U.S. national security if it is linked or linkable to any identifiable U.S. individuals. The DOJ proposal contemplates a broad definition of "personal identifiers" to include cookies, IP addresses, call-detail data, Social Security numbers and SIM card numbers.
The proposed process would flatly prohibit "data-brokerage transactions" of sensitive data. This would include a sale, licensing of access or providing access through a subscription service. The proposal would also apply restrictions on any other transactions to the extent they involve bulk U.S. sensitive personal data through vendor agreements, employment agreements or investment agreements that provide a covered person with access to covered data. For such restricted transactions, companies will need to comply with security requirements to be issued by the Department of Homeland Security.
This is a significant regulatory development for companies that hold sensitive U.S. personal data. There will likely be a lengthy rulemaking process before the order can be implemented, and interested parties would be well advised to participate. The DOJ listed 114 questions that it is seeking public input on before it finalizes any rule. Nevertheless, the executive order and detailed rulemaking signal this is an area of significant regulatory scrutiny. And, since the initiative builds on a process begun by Donald Trump when he was president, the trajectory of the process probably does not depend on the outcome of November's election. Privacy pros have long recognized the foundational need to understand their company's or clients' data flows. This rulemaking will heighten the importance of knowing specifically what data is going to whom. And the provisions for restricted transactions will likely require a revisitation of all data-use agreements.
So much happening
This only scratches the surface of the legal and regulatory changes that are underway regarding data accountability. The FTC continues to bring cybersecurity enforcement actions, as exemplified by its February settlements with Blackbaud and Global Tel*Link. The Department of Commerce has begun an inquiry into data flows associated with connected cars. The Centers for Medicare and Medicaid Services is expected to issue a cybersecurity "condition of participation," applicable to all health care providers that accept Medicare or Medicaid, which is essentially all health care providers.
Privacy pros should be front and center in all aspects of this dynamic landscape: in compliance, enforcement proceedings and shaping ongoing rulemakings to mesh new data governance requirements with existing procedures.