Goldilocks and the Three Laws

A recent Harris Poll surveyed adults on the topic of corporate social responsibility and found, not surprisingly, that a majority of those asked stated that companies should (or perhaps “ought to”) have a mission beyond profit. What was surprising is that data privacy surpassed healthcare, and even support for veterans, as the social issue that people most want companies to address. This follows an April 2018 poll sponsored by IBM evidencing deep concern among consumers about data security. Specifically, 73% of respondents indicated that businesses are focused on profits over protecting their consumers’ data, and 78% reported that a company’s ability to keep consumer data secure is “extremely important.”

In this environment, then, it is obvious that federal and state lawmakers would seek to address these constituent concerns. One such proposal, released earlier this month by Senator Ron Wyden (D-OR), has adopted many of the consumer data access and opt-out rights contained within the recent California Consumer Privacy Act. The Senator’s “discussion draft” includes a Sarbanes-Oxley-like corporate certification of data privacy practices, and an accompanying threat of criminal penalties for those who submit a false certification. While the Wyden draft made instant headlines for its proposed criminal penalties for a company’s privacy violations, it is instructive for the tenor of the privacy and data security conversation these days. Which brings us to Goldilocks.

There is little genuine debate over an organization’s obligation to keep safe the personal data it manages, even if one argues that doing so is as much in the company’s interest (protecting its assets) as the consumer’s (protecting him/her from identity theft and other misuse). There remains great variation, though, in government’s efforts to encourage or enforce such behavior. These positions, mostly in state laws, hold the organization accountable for having lost the information. For those companies that have genuinely tried to do the right thing, this amounts to little more than punishing the victim. And, of course, there are other companies that might not have invested appropriate resources, and that in their own calculation have little incentive to do so. So what balance makes sense?

The CCPA: Yikes! A Class-Action Field Day

We’ve discussed components of the CCPA in an earlier post—in looking for a reasonably comfortable bed, those doing business with California residents had better keep moving. For all of the valuable consumer access and opt-out rights encompassed in the CCPA, it is a boon for the plaintiffs’ class-action bar. The CCPA includes statutory damages with a private right of action, thus clearing many of the prior obstacles to litigation brought by those whose personal information was lost, albeit without any evidence of harm.

Without a doubt, there are some organizations that nothing but a good spanking will get to pay attention to genuine data security efforts. But under the current CCPA regime, there is no forgiveness, and no recognition that there is no such thing as perfect security, regardless of money spent or resources assigned. The CCPA is a poor example of how to protect individual information in the real world.

The New York Department of Financial Services Cybersecurity Requirements: Better, But Still All Stick, No Carrot

The Cybersecurity Requirements for Financial Services Companies apply detailed rigor in their identification of what financial firms licensed in New York State must do to protect both consumer information and the broader reputation of the financial services sector. Building upon the rudimentary cybersecurity requirements that Massachusetts imposed in 2010, the New York Department of Financial Services regulations mandate a roadmap of fundamental cybersecurity program requirements, while concurrently recognizing that “DFS appreciates that many firms have proactively increased their cybersecurity programs with great success.” Much like the HIPAA Security Rule, “[t]his regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.”

The financial services sector has significant experience and maturity in assessing what passes for reasonable security, appropriate business judgment as to risks, and how to address those risks. The NYDFS assigns enforcement responsibility to the superintendent, and requires the certification of corporate officers to the NYDFS. Contrary to Sen. Wyden’s suggestion that this apply to ordinary consumer data, such a certification makes more sense in the financial sector.

This leaves financial organizations with a relatively clear path for what is expected of them, as well as a supervisory agency that has greater maturity than most in recognizing that bad things can happen to good organizations.

The Ohio Cybersecurity Safe Harbor: Maybe Not “Just Right,” But a Compromise

So how to offer a carrot to those organizations that are doing, or trying to do, the right thing without letting the lazy or negligent off the hook? The Ohio legislature has enacted amendments to its existing data breach law that provide organizations the ability to present an affirmative defense to any claims that a firm had not protected personal information appropriately. Not perfect, but a significant positive step toward recognizing the challenges of cybersecurity today.

The Ohio “safe harbor” permits an organization that applies “an industry-recognized cybersecurity framework” (such as the NIST Cybersecurity Framework or the Security Rule for entities subject to HIPAA) to rapidly knock out any class-action claims based on tort law (negligence) and allegations that the failure to implement reasonable security resulted in a data breach. Compare that with the open door for the plaintiffs’ bar in the CCPA.

The strength of the Ohio law is that it permits organizations to deflect class-action claims. Although it does not apply to consumer protection regulators, such as the state AG (which, presumably, will be more judicious than class-action counsel), the Ohio law presents a model for consideration by other states and Congress as efforts to protect personal information continue.