Cybersecurity Is The Next Frontier Of State Regulation

5/12/2017
Cybersecurity Is The Next Frontier Of State Regulation - Law360
Portfolio Media. Inc. | 111 West 19th Street, 5th floor | New York, NY 10011 | www.law360.com
Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | [email protected]
By David Forscey, National Governors Association, and Steven Cash and Benjamin Nissim, Day Pitney LLP
Law360, New York (May 11, 2017, 1:26 PM EDT) -- Cybersecurity risk pervades all sectors of the economy. Federal regulators have sought to address this risk through guidance, rulemakings and enforcement actions across multiple industries. A series of widely publicized data breaches, the Trump administration’s ongoing regulatory review, and an impending executive order on cybersecurity have redirected a spotlight on the merits, disadvantages and pitfalls of regulation in this field. State legislatures and regulators have also moved in this area. In some instances, state rules apply to specific sectors; the New York Department of Financial Services (DFS) recently issued regulations targeting the financial and insurance industries.[1] More than a dozen other states have enacted cybersecurity requirements that sweep far broader, in some cases touching millions of individuals and businesses.
Currently, no common policy or legal framework fully unifies these disparate efforts. Members of the private sector have argued that inconsistencies across state data breach notification laws affect business performance, confuse consumers and generate perverse litigation incentives.[2] Businesses large and small (as well as individuals in some cases) now confront a similar regulatory paradigm in the context of enterprise-facing requirements: a confusing patchwork of obligations to implement cybersecurity programs.
States considering whether to enforce existing rules more aggressively, or else pass cybersecurity standards of their own, should carefully consider the policy rationale and potential pitfalls of existing frameworks and collaborate with private experts to determine what works and what does not. This will help avoid conflicting or duplicative regulation, support consistent cross-border policy and obligations, and promote cybersecurity best practices while maintaining a vibrant business environment.
Customer Data Versus Operations
The federal government’s sector-specific approach to cybersecurity regulation generally focuses on two security problems: customer data security and operational security. The former typically receives the most attention, in part because many data breaches are publicized and because they involve data theft. In recent years, the Federal Trade Commission has fined companies that have practiced “unreasonably poor cybersecurity” and misled consumers as to the level of security they can expect, both of which it considers an “unfair or deceptive act[] or practice[].”[3] The U.S. Department of Health and Human Services’ Health Insurance Portability and Accountability Act security rule requires covered health providers to ensure the protection of electronic personal health information through mandatory physical and administrative safeguards and technical controls that are “reasonable and appropriate” under each provider’s individual circumstances.[4] The Federal Communications Commission has issued regulations requiring common carriers to take “reasonable measures” to protect customer personal information.[5]
These fact-based standards illustrate how federal regulators have, in some respects, taken a relatively hands-off approach to defining security standards for personal data.
In contrast to regulatory regimes applied to the protection of personal data, federal agencies have issued more stringent rules where sophisticated adversaries pose a more serious risk to the public welfare. In the power generation and transmission sectors, the Nuclear Regulatory Commission and the Federal Energy Regulatory Commission mandate detailed, comprehensive security measures to maximize system reliability and public safety.[6] Under the U.S. Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS), owners and operators of potentially dangerous chemical facilities must follow a detailed series of risk-based performance standards to “deter cyber sabotage” of critical systems and any connected business networks.[7]
Financial institutions also face a regulatory regime designed to reduce overall system risk. Several agencies enforce joint standards to ensure the “safety and soundness” of federally insured banks. Banks must establish internal controls and information systems for use in managing risk, reporting, safeguarding assets and monitoring compliance.[8] The U.S. Securities and Exchange Commission conducts oversight of cybersecurity standards intended to ensure the continuous operation of the stock market. Trading firms, clearinghouses and data organizations that run securities markets must maintain written policies and procedures “reasonably designed” to maintain critical business operations and promote market stability.[9]
In some instances, agencies have not issued cyber-specific regulations, but instead have adapted existing authority to new situations. The FDA utilizes its existing gatekeeper function — controlling access to the medical device market — to shape cybersecurity standards in advanced medical equipment. In approving medical devices for sale, the FDA considers several safety factors, including the presence of security controls that align with the five core cybersecurity functions identified by the National Institute of Standards and Technology.
In aggregate, cyberattacks cause significant harm to the national economy, and more sophisticated threats present risks aligned to the responsibilities of the federal government. Federal regulations in this area have varied goals, from consumer protection to ensuring the safety of critical infrastructure. But their efficacy remains unclear, and these standards may need further alignment with relevant risks confronted by businesses in individual industries.
State Regulation: A Patchwork in the Making
State regulation of cybersecurity stands apart from federal standards in two respects. First, relevant state laws focus exclusively on the customer data side of the coin, creating requirements that are meant to protect personal information. Second, each statute uses some type of reasonableness standard. In 2002, Minnesota enacted a statute requiring internet service providers (ISPs) to take “reasonable steps to maintain the security and privacy of a consumer’s personally identifiable information.” Since then, 13 other states have issued broader data security mandates generally requiring any entity (with a few caveats, depending on the state) that manages “personal information” to employ reasonable data security practices.
A quick glance might suggest that this “reasonableness” standard provides for a harmonized approach across the states. This is far from the case. First, each state statute applies to different categories of data. For instance, the Florida, Oregon and Utah statutes exempt personal information that is encrypted; Nevada and Texas do not. About half of these laws cover personal information describing in-state residents, while the rest apply to any personal information. Kansas law applies only to businesses (or personal information collected in the ordinary course of business), whereas Connecticut, Rhode Island and Utah mandate compliance for any private entity (including an individual). Finally, conformity with federal data security standards automatically satisfies data security laws in Illinois, Indiana and Nevada; this is not the case in Texas.
Second, the vague term “reasonable data security” lends itself to a wide variety of interpretations. While this offers flexibility to companies and individuals, it is likely to generate various (and conflicting) interpretations as state officials and courts evolve their understanding of cybersecurity best practices. Should even more states pass legislation in this arena, a growing set of divergent standards, each applicable to different data, could impose a significant burden on companies — especially small businesses — that manage personal information.
What Does the Future Hold?
The United States Congress recently decided to cancel a proposal by the FCC to limit when ISPs can sell their subscribers’ internet browsing history. This decision provoked immediate criticism from privacy advocates. At least 10 states are now considering legislation to enact a version of the original FCC privacy rule. Yet the prospect of a patchwork of conflicting privacy standards could pale in comparison to the potential legal tangle arising from more activist state regulation of cybersecurity. The 13 states that have regulated in this area have already created the foundation for such a patchwork. Should other states follow suit, a growing set of divergent standards, each applicable to different data, could impose a significant burden on companies — especially small businesses — that manage personal information.
Yet it is important that states can experiment based on their own individual policy preferences. Diverse state rules do not necessarily cause an undue burden. The private sector has long raised concerns that a patchwork of state data breach notification laws complicates and raises the cost of cyberincident response. Negotiating compliance with a “patchwork” of security standards may in some ways pose less of a challenge than in the context of data breach notification.
A key challenge for organizations that suffer a data breach is that they must, during a crisis, ascertain legal exposure to potentially dozens of state laws. They must weigh the costs of potential regulatory action in dozens of states against the business risk of disclosing a security incident before it is verified or fully understood. By contrast, information-security programs are rolled out slowly, over the course of weeks, months or years. Companies can dedicate time and resources to mapping their data, understanding any potential conflicts across various state security standards, and implementing risk-based security measures accordingly.
Additionally, data breach notification laws are focused on discrete procedures from which it is difficult to divine a given regulatory “floor,” i.e., a safe harbor. This is precisely why no single state data breach law has become a de facto standard. By contrast, because cybersecurity mandates aim to reduce risk to below a certain threshold, a large state could indeed set the de facto minimum standard, leading all businesses to comply regardless of their geographic location.
Finally, it is also possible that the flexible “reasonableness” standards already implemented in 13 states could develop into a roughly similar cross-jurisdiction rule. This is already happening among federal agencies, where different regulators are beginning to coalesce around similar definitions of what constitutes prudent cybersecurity (e.g., adherence to the NIST Cybersecurity Framework).
Conclusion
Both the federal government and many states have moved, and continue to move, to regulate in this sector. These regulations take different shapes and have different goals. As a result, a patchwork system of state and federal regulation continues to develop, particularly in the field of customer data protection. Such piecemeal regulation can create unnecessary confusion, costs and compliance problems. But this does not have to be the case.
Should state policymakers decide to institute cybersecurity mandates, or enforce existing ones more aggressively, they should examine the variety of approaches taken by both federal agencies and sister states. For example, current state laws addressing cybersecurity in the private sector — save for New York’s DFS rule — do not address operational security, nor do any of the state regulators that oversee electricity distribution. Should states broaden their focus beyond the protection of personal information, federal rules applicable to the energy, chemical and financial sectors offer a potential guide. Policymakers should also engage private-sector partners, whose input and experience are critical to fashioning effective incentives for reducing cyber risk.
There is no one-size-fits-all approach to cybersecurity regulation. Working with the private sector, states that are interested in regulation should identify regulatory gaps, determine whether those gaps require state action, define what they hope to achieve by filling those gaps, and model any subsequent regulatory action accordingly.
David Forscey is a policy analyst for the Homeland Security & Public Safety Division of the National Governors Association in Washington, D.C. Steven A. Cash is a counsel in Day Pitney LLP’s Washington, D.C., and New York offices and Benjamin H. Nissim is an associate at Day Pitney in Hartford, Connecticut. Both are members of the firm’s cybersecurity and data protection practice. Cash previously served as chief counsel and staff director (minority) to the U.S. Senate’s Judiciary Committee, Subcommittee on Terrorism, Technology, and Homeland Security, and Chief Counsel to Senator Dianne Feinstein.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] The DFS’ new cybersecurity rules went into effect in March 2017. See Tiffany Quach, New York Department of Financial Services Finalizes Cybersecurity Proposal, Privacy Law Blog (March 1, 2017). Though these regulations are sector-specific, they are demanding and will impact a broad swath of the economy.
[2] See, e.g., Kenneth Corbin, National Data Breach Notifications Would Replace “Patchwork” of State Statutes, CIO (July 18, 2013); Mike Tsikoudakis, Patchwork of data breach notification laws poses challenge, Business Insurance (June 3, 2011); Thomas M. Lenard & Paul H. Rubin, Much Ado about Notification, 29 Regulation 44 (2006).
[3] 15 U.S.C. § 45(a)(1).
[4] See, e.g., 45 C.F.R. § 164.306.
[5] 47 C.F.R. § 64.2005(a).
[6] 10 C.F.R. § 73.1 et seq.
[7] 6 C.F.R. § 27.230(8).
[8] 12 U.S.C. § 1831p-1; 12 C.F.R. § 364.101, appendix A.II.
[9] 17 C.F.R. § 242.1001.
All Content © 2003-2017, Portfolio Media, Inc.